Thank you for those who provided comments on the National Cancer Screening Register Rules 2017 (the Rules) exposure draft.
The Department is currently reviewing all feedback and will provide more information on the Rules as it becomes available.
More information on the Rules and the mandatory notification requirement is available on the cancer screening website.
Update on implementation of the National Cancer Screening Register
- The implementation date for the National Cancer Screening Register has been delayed due to a number of unforeseen factors. The original publicised commencement dates were:
- 20 March 2017 for the National Bowel Cancer Screening Program; and
- 1 May 2017 National Cervical Screening Program that was to coincide with the introduction of new MBS items and a new Cervical Screening Test that will detect HPV, the cause of most cervical cancers.
- The Register is planned to support the National Cervical Screening Program from 1 December 2017.
- Health and Telstra Health remain committed to implementing a National Cancer Screening Register to support both cervical and bowel screening programs and ensuring the implementation is conducted with the safety of Australians and security of their health data, as the primary focus.
- Consultation with all stakeholders and program partners will inform the development of the revised delivery schedule, ensure the health and safety of all program participants remains paramount and that we all work together to deliver the best possible population health outcomes.
National Cancer Screening Register
The Department of Health has appointed Telstra Health to develop and operate a new National Cancer Screening Register to support the accelerated expansion of the National Bowel Cancer Screening Program and the renewed National Cervical Screening Program.
What is the National Cancer Screening Register?
The National Cancer Screening Register (the Register) will be an integral part of cancer screening service delivery providing the infrastructure for the recording, analysis and reporting of cancer screening data for participants of the National Cervical Screening Program and the National Bowel Cancer Screening Program.
The Register is being built in accordance with strict data security requirements and will comply with all legal requirements applicable to the processing of and access to Health data. The Register will also be underpinned by the National Cancer Screening Register Act 2016 which will ensure protection of invitees’ and participants’ personal information.
The Register will:
- create a single electronic record for each Australian participating in cervical and bowel cancer screening, meaning for the first time: one participant – one record;
- be capable of supporting additional population screening programs into the future;
- provide a single, cost-effective service that will record and report screening data in a nationally consistent manner and inform timely clinical decisions; and
- allow participants access to their screening records from wherever they reside.
Once established, the Register will provide eligible Australians with invitations and reminders to screen; and facilitate clinical decision-making by providing healthcare professionals with direct access to participants’ screening information via their practice management software or a web portal. The Register will also provide operational services to support screening participants, healthcare professionals and other end users.
The Register is planned to support the National Cervical Screening Program from 1 December 2017.
For more information, contact NCSRproject@health.gov.au
Privacy Impact Assessment for the Register
A Privacy Impact Assessment (PIA) was undertaken in consultation with the Office of the Australian Information Commissioner to assess the information flows and privacy concerns that might arise from establishing and operating the Register.
The PIA was finalised in December 2016 and made 28 recommendations in the context of potential privacy compliance and management issues, including measures to be undertaken as part of implementing the Register.
The Department has accepted all 28 recommendations and is currently planning the implementation of the recommendations.
Frequently asked questions
The National Cancer Screening Register (the Register) is national digital health infrastructure for the recording, analysis and reporting of cancer screening data for both the renewed National Cervical Screening Program (NCSP) and the National Bowel Cancer Screening Program (NBCSP).
The Register is an integral part of cancer screening service delivery. It will issue correspondence, including invitations and reminders to screen; distribute bowel screening test kits; and facilitate clinical decision-making for both screening programs by providing GPs and specialists with access to participants’ screening results.
Telstra was appointed as the Register provider by the Department of Health (Health) following an open competitive tender process which sought a value-for-money outcome in accordance with Commonwealth Government Procurement Rules. All organisations that tendered were assessed against their demonstrated capability to develop and operate the Register and comply with the requirements listed by Health in the tender request.
Health’s requirements for the Register were assessed as meeting the Commonwealth Government ICT Investment Approval Process, which provides assurance that the planning, consideration and consultation required for successful delivery of the project have been undertaken.
While Health has entered into a Services Agreement with Telstra, the Register will be developed and operated by Telstra Health, a standalone business unit of Telstra.
The Register will record and report cancer screening data. The Register will initially support the National Cervical Screening Program (NCSP) and the National Bowel Cancer Screening Program (NBCSP); however, once implemented, the Register will provide the platform for additional screening programs into the future.
The Register will hold data from the existing cervical screening registers for states that choose to participate; as well as data from the National Bowel Cancer Screening Register, which is currently held by the Department of Human Services.
The Register will use Medicare Enrolment data, Department of Veterans' Affairs data and certain Medical Benefits Schedule claims data for invitation purposes.
The Department of Health (the Commonwealth) is the data custodian.
No. Data may only be used for the purposes of the Register.
The Register is being implemented in partnership with state and territory governments, and will be overseen by a number of governing bodies managed by Health and with the required clinical and data expertise. Operation of the Register will be strictly informed by evidence-based program policies and protocols: developed through the screening programs’ governance structures, including the Australian Government, state and territory governments, the Australian Institute of Health and Welfare and key clinical experts.
Telstra Health will build and operate the Register in accordance with strict data security requirements. The private sector already manages sensitive personal information (e.g. private health insurance funds, banks) and the protection of personal information held in the Register is of paramount importance.
The Register will be built in accordance with Commonwealth cybersecurity guidelines for new ICT infrastructure, taking into consideration sensitivity and classification of the information it stores. The Register and Telstra must comply with all legal and legislative requirements applicable to the processing of and access to Health data. This includes:
- Privacy Act 1988 (Cth);
- Electronic Transactions Act 2011 (Cth);
- Archives Act 1983 (Cth);
- Cybercrimes Act 2001(Cth); and
- Health Insurance Act 1973 (Cth).
As custodian of the information in the Register, the Commonwealth will have control over the information in the Register especially with respect to use and disclosure of information from the Register.
The National Cancer Screening Register ACT 2016 (the ACT) provides the legislative framework to safeguard protected information in the Register by prohibiting its use and disclosure for purposes outside the requirements to operate the Register; and creating an offence arising from the unauthorised recording, use or disclosure of personal information contained in the Register. The legislation also requires notification to the Information and Privacy Commissioner if there is a data breach.
Protected information in the Register can only be recorded, used or disclosed in specific circumstances where this is authorised in the Act. These limited authorisations ensure that personal information and commercial-in-confidence information is only recorded, used or disclosed to or from the Register for specific purposes.
Yes. The requirements for the Register include that Telstra Health must comply with and adhere to the stringent controls of the Commonwealth Protective Security Policy Framework (PSPF) at all times. The PSPF provide mandatory requirements to:
- manage security risks to their people, information and assets
- provide assurance to the government and the public that official resources and information provided to the Register are safeguarded
- incorporate protective security into the culture of the Register.
In addition the Register will, at all times, comply with the Information Security Manual and the National Identity Security Strategy.
No. The Register will be operated from within Australia and all data will be stored on-shore in secure data storage facilities. The Register’s hosting environment has been certified to Zone 2 of the Australian Government Physical Security Management Protocol. This protocol certifies that data centres implement adequate physical security controls for the purposes of storing “PROTECTED” classified information.
The Register’s operational services will be based in Melbourne.
Once the Register is implemented, participants of the screening programs will be able to view and manage their contact information and screening status through the Register.
Participants will have control over what goes into the Register, and who is allowed to access it.
Only duly authorised and authenticated users may access the system. Healthcare providers and other authorised bodies (including state and territory health departments) will be able to access protected information from the Register, including personal information of individuals, in order to perform functions or duties relating to the purposes of the Register. The Register will have an extensive access control system that will ensure that access to functions and data is limited based on the role and functions performed by the user.
Once the Register is implemented, practitioners and screening participants will not be charged a fee to access their records or the system. Participants will be able to view and manage their contact information and screening status through the Register free of charge.
The Register will issue correspondence for the National Bowel Cancer Screening Program and the National Cervical Screening Program free of charge. This includes the National Bowel Cancer Screening Program kits, invitations to screen and reminders.
The Register will include a Melbourne-based call centre that will provide support for Register users in each state and territory free of charge.
What security or confidentiality obligations are placed upon Telstra Health staff operating the Register or accessing Health Data?
All Telstra Health personnel who are involved in managing or operating the Register are required to sign a confidentiality undertaking. In addition, Telstra Health personnel who have access to the Register’s data or are likely to have access to the data must possess the necessary security clearance, issued by the Australian Government Security Vetting Agency.
The Register will have extensive cyber security protections so that it is not vulnerable to malware, viruses or Trojans. It will be subject to IT Security compliance activities in accordance with government policies.
Yes. The Register will be logging all transactions and events, capturing the source, destination, action, identify and result of the action. All system logs are kept and are to be retained by Telstra.
It is intended that the Register leverage existing national digital health communication protocols and data standards. This includes the ability for healthcare providers to send information to the Register directly through their clinical information systems, using the same standards and transmission protocols already used to share information with the My Health Record system.
The intended outcome is improved capture of screening information in the Register, and a reduction of burden for healthcare providers – because they would be providing the information to the Register as a by-product of their existing clinical practices and their existing clinical information systems.
In collecting data from clinical information systems, the Register will need to comply with the Privacy Act (and Privacy principles) and patient/practitioner consent associated with particular transactions.
At the end of the contract, will the Commonwealth retain the rights to the Register system and the data?
The Commonwealth will continue to be responsible for national screening policy, processes and the information captured in the Register. The Register system and its operations will be provided as a service by Telstra Health to the Commonwealth.
The Commonwealth is the custodian of the data stored in the Register. Telstra Health owns the IP associated with the Register software required to operate the Register.
At the end of the contract, the Commonwealth will be able to continue to licence the software. This includes making it available to a new Register Operator.
Telstra Health is unable to sell or use the data in any manner not authorised by the Commonwealth - data may only be used for the purposes of the Register.