In late 2015 the Office of the Australian Information Commissioner (OAIC) conducted a public consultation on new draft health privacy guidance resources for health service providers and consumers. The following is a draft of guidance on requirements under the Privacy Act 1988 for when providers are considering using or disclosing a patient’s genetic information without consent, including to a genetic relative of the patient. 1

….
Using and Disclosing Genetic Information to Lessen or Prevent a Serious Threat to the Life, Health or Safety of Genetic Relatives

Under Australian Privacy Principle (APP) 6, an organisation covered by the Privacy Act generally can only use or disclose personal information for the primary purpose of collection, unless an exception applies. An exception exists where the use or disclosure of a patient’s ‘genetic information’ is necessary to prevent a serious threat to the life, health or safety of that patient’s genetic relatives, and certain other conditions are met. 2

Genetic information is ‘sensitive information’ under the Privacy Act, meaning that some stricter requirements apply to its handling. Genetic information that is ‘about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual’ is also covered by the definition of ‘health information’ 3 under the Privacy Act (s 6(1)).

Genetic information can reveal information about inheritable diseases that may seriously threaten not just your patient’s health, but also the health of their genetic relatives. With knowledge of their risk of a genetic condition, relatives may be able to factor this into their healthcare so they can take preventative or mitigating action.

In many cases, a patient who is made aware of the risk of a genetic condition may choose to advise relatives themselves, or they may consent to you informing relatives on their behalf. APP 6 allows you to use or disclose personal information for any purpose with a patient’s consent. The Use and disclosure of genetic information to a patient’s genetic relatives under s 95AA of the Privacy Act 1988 (Cth) – guidelines for health practitioners in the private sector (s 95AA guidelines) state that when considering using or disclosing a patient’s genetic information you must take reasonable steps to obtain the patient’s consent. 4

However, where consent cannot be obtained, the Privacy Act allows you to use or disclose a patient’s genetic information if each of the following conditions are met:

  • you collected the information in the course of providing a health service to the patient
  • you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the patient
  • you use or disclose the information in accordance with the guidelines to the s 95AA guidelines
  • in the case of disclosure — your disclosure is to a genetic relative of the patient.

A genetic relative is an individual who is related to the patient by blood, including but not limited to a sibling, a parent or a descendant (s 6(1) of the Privacy Act). The s 95AA guidelines state this should include relatives no further removed than third-degree relatives.

Although the Privacy Act allows you to use or disclose a patient’s genetic information when the above four conditions are met, you are not compelled to do so.

Lessening or preventing a serious threat

You can only use or disclose a patient’s genetic information if you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the patient. This means there must be a reasonable and justifiable basis for the belief; it cannot be merely a genuine or subjective belief. The use or disclosure would also not be considered necessary where it is merely helpful, desirable or convenient. For a further explanation of the terms ‘reasonably believes’ and ‘necessary’ see the APP guidelines, Chapter B: Key concepts.

A ‘serious’ threat to the life, health or safety of a genetic relative is one that poses them significant danger. It could involve harm to their physical or mental health, and could include a potentially life threatening situation or one that might reasonably result in other serious illness.

When deciding whether a threat is serious, you should consider both the likelihood of it occurring and the severity of the resulting harm if it materialises. A threat that may have dire consequences but is highly unlikely to occur would not normally be a serious threat. However, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat, such as a genetic mutation that increases the risk of developing a certain cancer. Disclosing this information to genetic relatives may help the relatives take preventative or mitigating action.

Section 95AA guidelines

When using or disclosing genetic information without consent, you must do so in such a way that is consistent with the s 95AA guidelines. These legally binding guidelines are issued by the National Health and Medical Research Council and approved by the Australian Information Commissioner under s 95AA of the Privacy Act.

The guidelines outline what factors you should consider when determining if a use or disclosure of genetic information is necessary to lessen or prevent a serious threat to the life, health or safety of a patient’s genetic relatives. They also provide guidance on matters such as good ethical practice; what to do when the patient or genetic relative is a child; contacting relatives; and what information should be provided to relatives. Appendix 2 to the guidelines includes a sample privacy leaflet, consent form and letter to relatives.

Giving notice to patients

Under APP 5, you must take reasonable steps to notify a patient of certain matters when you first collect personal information. The matters for notification include why the information is being collected and who it may be disclosed to. For details see the APP guidelines, Chapter 5: APP 5 — Notification of the collection of personal information.

You should advise patients in your privacy collection notices of the possible use or disclosure of their genetic information without consent. The s 95AA guidelines provide a sample privacy notification leaflet at Appendix 2. 5

Ensuring the accuracy of the genetic information

APP 10 requires you to take reasonable steps to ensure that the personal information you use or disclose is accurate, up-to-date, complete and relevant, having regard to the purpose of the use or disclosure. What are reasonable steps will depend on the circumstances, including the possible impact of using or disclosing inaccurate, out-of-date, incomplete or irrelevant information could have. Generally more rigorous steps are required when handling sensitive information, especially when there is the potential for adverse consequences for an individual.

Before using or disclosing genetic information, you should take reasonable steps to ensure the information is accurate, up-to-date, complete and relevant. In some circumstances it will be reasonable to take no steps, for example if you have good reason to believe that the source of the information is reliable. The s 95AA guidelines contain more information about ‘reasonable steps’.

Example: Genetic testing

A patient orders a ‘direct-to-consumer’ genetic test and brings the test results to you during a consultation. The report indicates that the patient may have haemochromatosis, a hereditary iron overload disorder, which is a potentially serious health condition. Relatives should be tested for the condition so that preventative measures can be taken. While the patient will inform their children, they do not consent to you disclosing this information to their siblings.

You have doubts about the quality of the test and do not want to unnecessarily alarm relatives. However, if the test is accurate, this would pose a serious risk to the patient’s genetic relatives. To ensure the accuracy of the results, you could refer the patient to a clinical genetics service for a retest before considering notifying relatives. 6

Collecting and using the contact details of a patient’s genetic relatives

If you are disclosing a patient’s genetic information to their genetic relatives with or without the patient’s consent, you may need to seek contact details for those relatives either from the patient, your own records, or from publicly available records.

The contact details of a genetic relative are ‘health information’ in these circumstances.  This is because the clinician would generally record the contact details in the patient’s record and together with information in the patient’s record, it would be possible to infer that:

  • the person whose contact details are recorded is related to a person with a genetic condition, and
  • there is a possibility or statistical probability that the person whose contact details are recorded may also have a genetic condition.

While you can generally only collect health information with the individual’s consent, the genetic relative’s contact details can be collected in this circumstance using the exception that it is unreasonable or impracticable to obtain consent, and you reasonably believe the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual (see APP 3.4(b) and s 16A item 1). 7 Once collected, the Privacy Act also allows you to use the contact details to contact that genetic relative as this is the primary purpose for which the information was collected (APP 6.1).

Alternatively, you may already hold a genetic relative’s contact details in your records, for example if they were collected as a ‘next of kin’ emergency contact. You can use their contact details for the secondary purpose of informing them that they may be at risk of inheriting a genetic condition where you are satisfied that it is unreasonable or impracticable to obtain their consent, and you reasonably believe the use is necessary to lessen or prevent a serious threat to the genetic relative’s life or health. 8

You may wish to collect the contact details for a genetic relative from the patient or from publicly available sources. Alternatively, if you collect the contact details from other sources, you must make sure the collection is by lawful and fair means (APP 3.5). For example, in some situations it could be appropriate to collect the contact details from a public hospital database, but this will depend on the laws and rules governing the hospital’s database.

Ensuring the accuracy of the contact details

APP 10 requires you to take reasonable steps to ensure that the contact details you collect and use are accurate, up–to–date, complete and relevant.

This is particularly important where you use public sources of information such as a phone directory to find contact details.

Using contact details that are inaccurate, incomplete or out-of-date could have serious consequences for individuals. The patient’s genetic relative may remain unaware that they may be at risk from an inheritable condition or, if the information about genetic risk is sent to the wrong person, that person may be unnecessarily distressed.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

https://creativecommons.org/licenses/by/3.0/au/deed.en

Notes:

  1. The information is reproduced from the OAIC website pursuant to a creative commons attribution 3.0 license.
  2. This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(4) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.
  3. The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.
  4. See guideline 3.2.3.
  5. See Use and disclosure of genetic information to a patient’s genetic relatives under s 95AA of the Privacy Act 1988 (Cth) – guidelines for health practitioners in the private sector p. 68-9.
  6. For further information on APP 10, see the APP guidelines, Chapter 10: APP 10 — Quality of personal information.
  7. This exception is known as a ‘permitted general situation’ and is contained in APP 3.4(b) and s 16A of the Privacy Act. More information on this exception is contained in the APP Guidelines, Chapter C: Permitted general situations.
  8. This exception allowing use for a secondary purpose is known as a ‘permitted general situation’ and is contained in APP 6.2(c) and s 16A of the Privacy Act. More information is contained in the APP Guidelines, Chapter C: Permitted general situations.