Telecommunications, Media And Technology (TMT) Law Update – Volume 35
Preliminary skirmish between Australian Information Commissioner and Facebook in Cambridge Analytica case.
On 14 September 2020, the Federal Court of Australia rejected an application by Facebook Inc to set aside an earlier ruling granting the Information Commissioner leave to serve documents on Facebook Inc in the United States: Australian Information Commissioner v Facebook Inc  FCA 1307. The interlocutory proceedings related to an action commenced by the Commissioner in March 2020 in the wake of the Cambridge Analytica controversy. Facebook services in Australia are principally provided by Facebook Ireland, and the interlocutory issue was whether Facebook Inc satisfied the extra-territorial requirements in section 5B(3) of the Privacy Act 1988, specifically whether it “carries on business in Australia” and whether it collects or holds personal information in Australia. Thawley J considered that by virtue of the fact that Facebook Inc provided services, including processing activities, to Facebook Ireland in Australia, it was carrying on business in Australia, even in the absence of evidence that any employee of Facebook Inc was physically located in Australia. Furthermore, it was sufficiently arguable that data uploaded by an Australian user is received instantaneously by Facebook Inc directly from the user. The Information Commissioner said she welcomed the decision and that her office would “continue to move forward with the case”.
Optus advertisements found not to be misleading
On 25 September 2020, the Federal Court of Australia ruled that a claim by Optus to “cover more of Australia than ever before” did not amount to misleading or deceptive advertising in contravention of ss 18, 29(1)(b) and (g) and 34 of the Australian Consumer Law: Telstra Corporation Limited v Singtel Optus Pty Ltd  FCA 1372. It had been Telstra’s contention that the wording conveyed the impression that the Optus mobile network covered more Australian territory than any other network (not just Optus) had ever covered before. Justice Jagot did not accept that the advertisements contained a comparison, and noted that the main debate between the parties concerned the correct legal test to be applied. Telstra contended that the representations were plainly open and not extreme or fanciful, but Her Honour considered this was not the correct test, preferred the test applied by the Full Court of the Federal Court in ACCC v TPG Internet Pty Ltd  FCAFC 130 to the effect that “[t]he central question is whether the impugned conduct, viewed as a whole, has a sufficient tendency to lead a person exposed to the conduct into error (that is, to form an erroneous assumption or conclusion about some fact or matter)”. For our report on the TPG Case, click here. Applying this test, the court concluded that “the transient or perfunctory attention that viewers are likely to give to the advertisements supports Optus’s case that the ordinary and reasonable members of the class of viewers will understand the advertisements to be solely concerned with Optus’s mobile network coverage” and that Telstra’s claimed contraventions were therefore unsustainable.
Google Ads found not to be misleading
On 1 October 2020, the Federal Court of Australia found that the use of keywords and design of Google Ads by a workplace relations consultancy did not amount to misleading or deceptive conduct: Australian Competition and Consumer Commission v Employsure Pty Ltd  FCA 1409. The ACCC’s claim centred on the fact that the respondent had used terms in its Google Ads knowing that these reflected the search terms used by consumers in accessing online the Fair Work Ombudsman (FWO) and Fair Work Commission (FWC) websites, and that it had designed its Google Ads in a fashion whereby the headline repeated or incorporated those keywords, sometimes being the names of government organisations, such as FWO, together with a URL, such as “fairworkhelp.com.au”. Justice Griffiths took the view that the Google Ads in question were not misleading or deceptive, taking into account “both internal and external contextual features”, when viewed “through the prism of a reasonable member of the relevant class”. His Honour also dismissed related complaints by the ACCC that the respondent had engaged in unconscionable conduct contrary to section 21 of the Australian Consumer Law in its dealings with three small businesses, and that its standard form contract contained unfair terms which would otherwise be void under s 23 of the Australian Consumer Law.
Online ticket seller penalised for misleading practices
On 2 October 2020, the Federal Court of Australia imposed a penalty of $7m on ticket reseller Viagogo in respect of false or misleading representations made in connection with the sale of tickets for live events: Australian Competition Commission v Viagogo AG (No 3)  FCA 1423. The court had previously found that Viagogo made false or misleading representations to consumers that it was the “official” seller of tickets to particular events and that certain tickets were scarce, in contravention of sections 18, 29 and 34 of the Australian Consumer Law (ACL), and that it also failed to disclose that a significant booking fee was incorporated within the price, in contravention of section 48 of the ACL: Australian Competition Commission v Viagogo AG  FCA 544. The pecuniary penalties ordered by Justice Burley pursuant to section 224(a)(ii) of the ACL were quantified on the basis of $2.5m for breaching ss 29(1)(h) and 34 of the ACL, $2.5m for breaching s 34, $1.5m for breaching s 29(1)(i) and $500,000 for breaching s 48. His Honour also issued a 5 year injunction restraining repeat behaviour, and ordered the respondent to undergo an Australian Consumer Law Compliance Program. The judge commented that penalties need to serve as a deterrent “where there is a potential distortion of competition in the market on the part of the contravener, who gains an unfair advantage over competitors who complied with the law”, adding that “the sheer number of clicks [on the Viagogo website] and the sheer number of transactions entered, suggests a strong case for ensuring the ends of both specific and general deterrence by the imposition of a large penalty”.
QCAT rejects costs for successful privacy claimant
On 7 August 2020, the Queensland Civil and Administrative Tribunal dismissed an application for the recovery of counsel’s fees by an applicant who had successfully established a claim for breach of privacy under the Queensland Civil and Administrative Tribunal Act 2009 (Qld): CH v Queensland Police Service  QCAT 309. Section 100 of the Queensland Civil and Administrative Tribunal Act 2009 provides that each party to a proceeding must bear their own costs, save that a discretion is conferred under s.102 if it can be shown that it is in the “interests of justice” to make a costs order against a party. The applicant contended that he was justified in briefing counsel to appear on his behalf at the hearing because the matter involved complex interpretation and application of Commonwealth legislation, State legislation, and the Operational Procedural Manuals of the Queensland Police Service. The Tribunal accepted that the case did involve complex questions of law, and although “the applicant … made a convincing argument for costs”, the Tribunal concluded without elaboration that the claim did not satisfy the threshold adopted in Ralacom Pty Ltd v Body Corporate for Paradise Island Apartments (No 2)  QCAT 412, namely, that the circumstances “point so compellingly to a costs award that they overcome the strong contra-indication against costs orders in s 100”.
Verbal expression of an unwritten opinion is not a privacy breach
On 24 August 2020, the New South Wales Civil and Administrative Tribunal found that an opinion concerning a former employee expressed by a school principal to a software vendor did not amount to a disclosure of personal information in breach of ss 17 or 18 of the Privacy and Personal Information Protection Act 1998 (NSW): BWY v Secretary, Department of Education  NSWCATAD 208. The principal suggested to the vendor that the applicant, who was now employed by the vendor, should not be involved in demonstrations of the software at the school because “many staff and students have been negatively affected by her”. The Tribunal noted that to establish a claim under ss 17 or 18 of the Act, the applicant would have to establish that the information was in the “possession or control” of the respondent. Relying upon the decision of the Court of Appeal in Vice-Chancellor Macquarie University v FM  NSWCA 192, the Tribunal observed that the oral disclosure of an opinion held in the mind of an employee does not breach the Act, unless the opinion itself is recorded in a document or other record. In the present case, the principal had expressed opinions which she held in her own mind. There was no evidence that she was expressing an opinion reduced to writing, or which was otherwise held in the records or databases of the respondent. Accordingly, the information was not “held” by the respondent, and does not attract the operation of sections 17(1) or 18(1).
An opinion expressed in an email is not necessarily “personal information”
On 7 September 2020, the New South Wales Civil and Administrative Tribunal ruled that opinions expressed by an individual in an email do not necessarily constitute “personal information” for the purposes of s 4 of the Privacy and Personal Information Protection Act 1998 (NSW). The applicant raised a complaint regarding misuse of personal information after the respondent published details of a submission she had made under the Environmental Planning & Assessment Act 1979 in respect of a proposed development. Citing the decision of the Full Federal Court in Privacy Commissioner v Telstra Corporation Limited  FCAFC 4 and the decision of the New South Wales Court of Appeal in Turnbull v Strange  NSWCA 157, the Tribunal concluded that not all information contained in an email is “personal information”. To the extent that the email comprised an expression of an opinion, it was an opinion about the development application and not about the individual. The fact that information was sent from the objector’s email addresses did not make the information personal information.
ACCC releases exposure draft of digital platform news code
On 31 July 2020, the Australian Competition and Consumer Commission (ACCC) released an exposure draft of legislation which would introduce a mandatory code governing negotiations between Australian news businesses and major digital platforms over payment for the inclusion of news on their services. Submissions on the draft Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2020 were due by 28 August 2020. The draft code would initially apply only to Google and Facebook, but other digital platforms could be added if they attain “a bargaining power imbalance” similar to the imbalance which the ACCC currently perceives with Google and Facebook. The code emanates from recommendations contained in the ACCC’s Digital Platforms Inquiry final report which was published in July 2019 and referred to in Volume 28 of this Update. In April 2020, the ACCC advised the government that discussions between stakeholders for a voluntary code had proved unfruitful, leading to an announcement by the government on 20 April 2020 that the ACCC had been asked to develop a mandatory code. The draft mandatory code contemplates a 3-month negotiation process between a news business and Google or Facebook to reach agreement on payment, failing which an independent arbitrator would choose which of the two parties’ respective final offers was most reasonable. The code would also address minimum standards in other areas, such as a requirement for the digital platforms to give notice of certain algorithm changes, the provision of information relating to news consumption, and the right of a news media business to prevent its news content being included on any individual digital platform service.
Australia and Singapore sign Digital Economy Agreement
On 6 August 2020, Australia and Singapore signed a Digital Economy Agreement (“DEA”) with the objective of enhancing digital trade opportunities between the two countries. The DEA upgrades the Singapore-Australia Free Trade Agreement through the inclusion of a new Digital Economy chapter. As we have previously reported, the agreement includes new rules aimed at facilitating the transfer of data across borders, clarifying the obligation to transfer source code and addressing the ownership of intellectual property rights in software. A fundamental concept is the meaning of “digital product” which is defined as “a computer program, text, video, image, sound recording or other product that is digitally encoded, produced for commercial sale or distribution, and that can be transmitted electronically”. The agreement will now undergo Australian treaty-making processes, including tabling in Parliament and consideration by the Joint Standing Committee on Treaties, prior to entering into force.
Commonwealth government releases exposure draft of data sharing legislation
On 14 September 2020, the Commonwealth government released an exposure draft of the Data Availability and Transparency Bill 2020. The objective of the Bill is to facilitate the exchange of data, including personal information, across government agencies by establishing appropriate privacy and security safeguards. The Bill has its origins in a 2017 report of the Productivity Commission entitled Data Availability and Use which recommended the introduction of a new Data Sharing and Release Act and the creation of a new agency, to be known as the National Data Custodian, operating in parallel with the Privacy Act 1988 (Cth). Subsequently, the Office of the National Data Commissioner was established within the Department of the Prime Minister and Cabinet in 2018, and in September 2019, the government released a discussion paper proposing the introduction of legislation to empower it to share public sector data for specified purposes, subject to oversight from the National Data Commissioner. Data Sharing Principles, originally developed by the Office of the National Data Commissioner and the Australian Bureau of Statistics, would be established under the Bill in relation to the handling of shared information. Existing legal obligations and policies relating to the handling of government data would continue to apply, including the Australian Privacy Principles in the Privacy Act, records management requirements under the Archives Act 1983, and the Protective Security Policy Framework.
Corporations can continue to sign documents electronically
On 21 September 2020, the Commonwealth government made a determination extending the changes to electronic signatures under the Corporations Act until March 2021: Corporations (Coronavirus Economic Response) Determination (No. 3) 2020. The normal position is that the Corporations Act is exempt from the Electronic Transactions Act 1999 (Cth) (ETA), which sets out the circumstances in which an electronic signature will be effective. While corporations can still execute documents electronically, they must normally rely upon the common law for determining the validity of these signatures, rather than the ETA. In response to the COVID-19 pandemic, the Federal government made a determination on 5 May 2020 providing that a company can execute a document using electronic signatures where the normal requirements of the ETA (identity of the signatory, reliability of the method of signing, and consent to the use of electronic signatures) are met. This determination was originally due to expire after six months on 5 November 2020 but, under the new determination, will now extend until at least 21 March 2021.
Clarification of Consumer Data Right proposed
On 1 October 2020, the Commonwealth government released for public comment an exposure draft of the Treasury Laws Amendment (Measures for a later sitting) Bill 2020. The draft legislation contains amendments to Part IVD of the Competition and Consumer Act 2010 in relation to the operation of the Consumer Data Right (CDR) scheme. The CDR is a data portability mechanism for enabling individual and business consumers to access information about themselves and their service providers’ products, and to direct their existing service provider to share that information with other service providers. As we have previously reported, the CDR commenced in respect of the banking sector on 1 July 2020 and an extension into the energy sector is planned. We have also previously reported on the launch of the Competition and Consumer (Consumer Data) Rules 2020 and the Privacy Safeguards. The amendments contained in the exposure draft seek to clarify the scope of information that may be subject to the CDR regime. At a more technical level, the legislation seeks to clarify the circumstances in which data access may be chargeable, the interaction between the Rules and the Privacy Safeguards, and the permitted types of data flows in relation to Gateways.
Outsourcing responsibilities relating to Consumer Data Right clarified
On 1 October 2020, the Australian Competition and Consumer Commission made the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020 under s 56BA of the Competition and Consumer Act 2010. We have previously reported on the launch of the Competition and Consumer (Consumer Data) Rules 2020 which are an essential part of the Consumer Data Right (CDR) regime. The primary purpose of the Amending Instrument is to permit the use of accredited intermediaries to collect CDR data, through an expansion of the rules relating to CDR outsourcing arrangements. The rules presently permit CDR outsourcing arrangements to cover disclosure of CDR data by the principal to the provider, and the use or disclosure of CDR data by the provider on behalf of the principal. The amendment clarifies that certain obligations in relation to making consumer data requests, collecting consumer data, obtaining consents, providing consumer dashboards and using or disclosing CDR data do not apply to the provider, even if the provider is accredited – these are the obligations of the principal. In addition, the Amending Instrument includes two new minimum information security controls, dealing with encryption and data segregation, in clause 2.2 of Schedule 2 to the rules.
Information Commissioner releases Notifiable Data Breach statistics
On 31 July 2020, the Office of the Australian Information Commissioner released its Notifiable Data Breaches Report for the period January to June 2020. The report’s key findings were summarised in the report as follows:
- 518 breaches were notified under the scheme. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received during the period January to June 2019. The number of notifications per month varied widely across the reporting period, ranging from 63 in January to 124 in May — the highest number of data breaches reported in a month since the NDB scheme began in February 2018;
- malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 61% of all notifications;
- data breaches resulting from human error account for 34% of all breaches;
- the health sector is again the highest reporting sector, notifying 22% of all breaches;
- finance is the second highest reporting sector, notifying 14% of all breaches;
- most data breaches affected less than 100 individuals, in line with previous reporting periods;
- contact information remains the most common type of personal information involved in a data breach.
The Commissioner noted that whilst the number of notifications per month varied widely across the reporting period, ranging from 63 in January, to 124 in May, and whilst the increase in May 2020 coincided with widespread changes in working arrangements due to the COVID-19 outbreak, there was no evidence to suggest that this increase was the result of changed business practices.
Australian Institute of Criminology releases identity crime statistics
On 4 August 2020, the Australian Institute of Criminology published statistics on identity crime in Australia: AIC Statistical Report 29, Identity Crime and Misuse in Australia 2019. Key findings included:
- the estimated direct and indirect cost of identity crime in Australia in 2018–19 was $3.1b;
- identity crime continues to affect a large number of Australians, as well as businesses and government agencies;
- on average, identity crime victims experience relatively low out-of-pocket losses as a result of identity crime, with a median loss of $300, the most common consequence being refusal of credit; and
- behavioural changes in victims are common, with 46 percent of respondents admitting they are decidedly more careful when using or sharing personal information, and many now consulting with personal identity protection services, willingly paying monthly fees to organisations contracted to help them protect their information.
ATO updates online terms for tax agents
Committee recommends better protection for public interest journalism
On 26 August 2020, the Parliamentary Joint Committee on Intelligence and Security published its recommendations arising from the Inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press. The inquiry, which was referred on 4 July 2019 by the Attorney-General, recommended that the government consider whether the relevant legislation adequately protects public interest journalism. Specific recommendations included:
- the Australian Federal Police and other Commonwealth law enforcement agencies with investigatory powers amend their operating procedures or practices to advise journalists or media organisations when they are no longer persons of interest in an investigation in circumstances where doing so would not jeopardise the future of the investigation;
- the current role of the Public Interest Advocate, as provided for under the Telecommunications (Interception and Access) Act 1979, be expanded in relation to Journalist Information Warrants, with consequent amendments to the TIA Act, the Crimes Act 1914, the Surveillance Devices Act 2004 and the Australian Security Intelligence Organisation Act 1979;
- the Telecommunications (Interception and Access) Act 1979 be amended to include additional record-keeping and reporting requirements in respect of the role of the Public Interest Advocate in relation to journalist information warrants; and
- mandatory reporting of aggregated statistics, related to numbers and timeframes of all Public Interest Disclosures, to be made to the Parliament every six months by the Attorney-General.
Draft guidance for tax agents on handling TFNs
On 1 September 2020, the Tax Practitioners Board issued an exposure draft practice note: TPB(PN) D42/2020: Use and disclosure of a client’s TFN and TFN information in email communications. The practice note, if adopted, will provide practical guidance and assistance to registered tax agents, BAS agents and tax (financial) advisers in understanding the TPB’s position in relation to the use and disclosure of tax file numbers in email communications. The draft practice note emphasises that TFNs are protected under the Privacy Act 1988, particularly APP 11 (security), and are subject to the Notifiable Data Breaches scheme contained in Part IIIC of the Act. The handling of TFNs is also subject to specific provisions in the Taxation Administration Act 1953 (Cth) and Privacy (Tax File Number) Rule 2015 (the TFN Rule). With respect to email communications, the practice note strongly recommends that registered tax practitioners seek prior specific written authority for any proposed disclosure, referencing the entity that will receive the information and the proposed use of email to disclose the information, whilst at the same time cautioning that even a client’s permission does not override the broader privacy and security obligations of registered tax practitioners under the TFN Rule and APP 11. The practice note sets out a non-exhaustive list of what the TPB considers to be reasonable steps to protect the security of electronically held TFNs and TFN information of clients, and reasonable steps to ensure compliance with the relevant legislation, particularly the Privacy Act and TFN Rule.
Parliamentary committee reports on FinTech and RegTech issues
On 3 September 2020, the Senate Select Committee on Financial Technology and Regulatory Technology published its interim report on competition and productivity issues confronting Australian FinTech and RegTech businesses. The Committee assessed the issues from the perspective of tax, regulation, access to capital, skills and talent, and culture, with special attention paid to the challenges posed by the impact of COVID-19. Useful and permanent innovations which the Committee identified as emerging from the pandemic included enabling electronic company meetings and communications; allowing for electronic signing and witnessing of legal documents; the extended rollout of telehealth services; and the utilisation of electronic prescriptions. The Committee was supportive of the Consumer Data Right which introduced open banking on 1 July 2020, although further refinement was required with respect to governance arrangements. The report also addressed intermediary access; the role of digital data capture practices; education and awareness; and expansion of the Consumer Data Right into other financial services. The interim report included 32 recommendations, with “longer term structural issues” to be dealt with in the final report which is due in April 2021.
Draft IoT code released for comment
On 3 September 2020, the Commonwealth government released a voluntary code entitled Code of Practice: Securing the Internet of Things for Consumers. The code is designed to improve the security of the Internet of Things (IoT) in Australia – including everyday devices such as smart fridges, smart televisions, baby monitors and security cameras. The code, which was initially released in draft form for public comment on 19 November 2019, contains 13 principles which entities are invited to adopt. The principles comprise (1) No duplicated default or weak passwords; (2) Implement a vulnerability disclosure policy; (3) Keep software securely updated; (4) Securely store credentials; (5) Ensure that personal data is protected; (6) Minimise exposed attack surfaces; (7) Ensure communication security; (8) Ensure software integrity; (9) Make systems resilient to outages; (10) Monitor system telemetry data; (11) Make it easy for consumers to delete personal data; (12) Make installation and maintenance of devices easy; and (13) Validate input data.
Statistical study of spam fraud
On 23 September 2020, the Australian Institute of Criminology released the results of a study into the connection between spam emails and various forms of fraud: Malware in spam email: Risks and trends in the Australian Spam Intelligence Database. A sample taken from 26 million emails provided by the Australian Communication and Media Authority’s Spam Intelligence database found that nearly 10% were malware, nearly 32% were phishing, nearly 41% were trojan-compromised and 1% involved dedicated malicious websites. With respect to attachments, 31% were found to be compromised with some form of malware, the most common forms being Trojans and ransomware. The report recommended further analysis and research with a view to identifying new malware variants and social engineering scripts.
Information Commissioner releases results of privacy survey
On 25 September 2020, the Office of the Australian Information Commissioner released the results of a survey into people’s attitudes towards privacy: Australian Community Attitudes to Privacy Survey 2020. Amongst other things, the survey revealed widespread concern about the link between privacy and social media. Privacy was the leading consideration when choosing an app or program to download, ahead of quality, convenience and price, with 84% of those surveyed nominating privacy as being extremely or very important when choosing a digital service, and 82% expressing the view that whilst children should be empowered to use online services, their data privacy must be protected. Digital services, including social media sites, were considered by 58% to be a major privacy risk and, overall, “levels of comfort with the data practices of online businesses including social media sites and other digital platforms are low”. Significantly, young Australians (aged 18-24) were more likely than older counterparts to know how to protect their personal information by adjusting their settings, but were less likely to understand why they should do so.
Productivity Commission reports on regtech issues
On 9 October 2020, the Productivity Commission published a report on the use and potential of regulatory technology (“regtech”) in Australia: Information Paper: Regulatory Technology (Productivity Commission, October 2020). The paper noted that “used well, regtech can support the improved targeting of regulation and reduce the costs of administration and compliance”. The paper cautioned, however, that regtech was not a substitute for regulatory reform but, rather, “as regtech is intended to make the task of regulating easier, advances in technology heighten the onus on policy makers to ensure the need for, and design of, regulation are soundly-based”. According to the paper, extensive use of regtech was relatively uncommon in Australia other than in the case of financial system applications, and there was immediate potential in expanding low-tech solutions in the nature of digitised data, forms, registers and transactions which in turn would reduce compliance costs for individuals and businesses, improve the efficiency of regulator practices, and generate flow-on benefits for the community. Significant benefits existed in the potential adoption of leading-edge regtech, involving the use of data for predictive analytics and real time monitoring, but this would require more specialised resources and longer development times.
Online health marketplace penalised for misleading conduct
On 20 August 2020, the Federal Court of Australia ordered an online health marketplace to pay $2.9m in penalties for engaging in misleading conduct in relation to the sharing of patient personal information to private health insurance brokers and publishing misleading patient reviews and ratings: Australian Competition and Consumer Commission v HealthEngine Pty Ltd  FCA 1203. The respondent, which conducted business mainly through its website and mobile phone app, maintained a booking directory which allowed patients to search for and book appointments with medical practitioners. It was established that over a period of 4 years, the respondent gave non-clinical personal information, such as names, dates of birth, phone numbers, email addresses, of over 135,000 patients to third party private health insurance brokers without adequately disclosing this to consumers. Although the case raised obvious privacy issues, the proceedings were brought by the Australian Competition and Consumer Commission on the basis that the respondent had breached sections 18, 29(1)(b), 29(1)(e) and 34 of the Australian Consumer Law. In addition to imposing a penalty pursuant to s 224 of the Australian Consumer Law, the court ordered the respondent to engage in an independent annual review of its existing compliance program for a period of three years and to contact all patients whose personal information had been disclosed to an insurance broker.
Healthcare Identifiers Regulations replaced
On 26 August 2020, the Healthcare Identifiers Regulations 2020 (the HI Regulations) repealed and replaced the expiring Healthcare Identifiers Regulations 2010 (the old Regulations). Under the Healthcare Identifiers Act 2010, the Healthcare Identifiers Service assigns healthcare identifiers to individuals, individual healthcare providers and healthcare provider organisations for the purpose of ensuring that health information is correctly matched to an individual or entity. Healthcare identifiers are an important foundation of the My Health Record system, which is regulated by the My Health Records Act 2012. The purpose of the HI Regulations is to provide additional guidance regarding how the provisions of the Healthcare Identifiers Act are applied. Unauthorised use of a Healthcare Identifier is an infringement of both the Healthcare Identifiers Act and the Privacy Act 1988. The new Regulations make no changes of substance to the old Regulations, and essentially serve to clarify what constitutes “identifying information” of individuals, healthcare provider organisations and healthcare recipients, and clarifies the rights and responsibilities of healthcare providers when seeking access to, and handling, healthcare identifiers.