Privacy of Health Information

What is privacy?

Privacy
There is no precise definition of the term ‘privacy’ at law. However, in an extensive review of the laws of privacy in Australia, the Australian Law Reform Commission stated:

“…privacy can be divided into a number of separate, but related, concepts:

Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records. It is also known as ‘data protection’;

Bodily privacy, which concerns the protection of people’s physical selves against invasive procedures such as genetic tests, drug testing and cavity searches;

Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication; and

Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks. 1

All in some way or another may be relevant in a health context. However the particular focus in this section is upon health care information.

Note, privacy as a concept, is wider than the duty of confidentiality because privacy protects, and extends further to information that may not always be viewed as confidential. Privacy also does not always depend on the existence of a relationship (for example, an anauthorised and unknown person to a patient would be breaching the patient’s privacy if they accessed that person’s medical records).

Why does privacy matter in health contexts?

Information related to a person’s health can be an area of great sensitivity, it is therefore granted a special status within privacy laws that aim to restrict or prohibit disclosure of private information.

However, note, like with confidentiality, such restrictions or prohibitions are subject to the various exemptions that enable release of information in some circumstances.  Again, the key is that privacy of health care information is highly valued, but it is not absolute.

Where are the rules of privacy found?

Privacy
Law - Confidentiality
Regulation regarding the privacy of health care information is particularly complex. Laws may be found at Commonwealth and State and Territory levels, each of which regulate differing things.

The Privacy Act 1988 (Cth) is the existing Commonwealth legislation that regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations.

State and Territory public hospitals and other agencies, as well as some private businesses are governed by state/territory regulation. Some states and territories have specific health privacy legislation; others have general privacy legislation that would also apply to health; and others do not have specific privacy legislation but have some other protections of privacy (and confidentiality).

Below you will find brief commentary, and important links to key legislation and agencies that oversee National and State/Territory privacy regimes respectively.

Commonwealth Legislation

The Privacy Act 1988 (Cth) is the existing Commonwealth legislation that regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations. (Note State and Territory public hospitals and other agencies, as well as some private businesses are governed by state/territory regulation discussed below).

Included within the Privacy Act are 13 Australian Privacy Principles (APPs) that regulate the standards, rights and obligations for the handling, holding, accessing and correction of personal information. The APPs are listed next to the map of Australia below.

Australian Privacy Principles
As health information is seen as particularly sensitive, the Privacy Act 1988 (Cth) provides special protections around handling such information. That is, it provides protection of ‘special information’, which includes health and genetic information.

Health information, pursuant to the legislation, includes

(a)  information or an opinion about:

  • the health or a disability (at any time) of an individual; or

  • an individual’s expressed wishes about the future provision of health services to him or her; or

  • a health service provided, or to be provided, to an individual;

that is also personal information; or

(b)  other personal information collected to provide, or in providing, a health service; or

(c)  other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d)  genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. 2

The definition of health services is very broad, and may include such services as:

  • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
  • complementary therapists, such as naturopaths and chiropractors
  • gyms and weight loss clinics
  • child care centres, private schools and private tertiary educational institutions. 3

A person about whom ‘sensitive information’ has been collected must consent to its use or disclosure unless it falls under a provision that allows its release (discussed further below).

The Office of the Australian Information Commissioner (OAIC) oversees the Act, investigates complaints made by individuals about alleged interferences with privacy, and can take regulatory and enforcement action to encourage and ensure compliance with privacy obligations. It also provides a wealth of resources and information concerning the privacy laws and their operation. 4

Information about health privacy published by the OAIC regarding individuals can also be found here,

and in relation to health service providers, here. The OAIC also provides resources for health service providers to help them comply with the APPs.

State and Territory Legislation and Oversight

Privacy legislation also exists in the Australian Capital Territory, New South Wales, and Victoria specifically to regulate the handling of personal health information. Each has its own set of ‘health privacy principles’. The Northern Territory, Queensland and Tasmania have general privacy legislation, which is broader in application. Each of these also have their own ‘information privacy principles’ or something to similar effect. In South Australia and Western Australia there are no privacy regimes however privacy is protected in other ways.

Some key pieces of legislation that are relevant to health care information and records are listed below, and links to oversight agencies provided.

Click on the links below to go directly to information on a specific state/territory, or scroll down to read them all.

 ACT           New South Wales           Victoria            NT            QLD            Tas            South Australia            Western Australia

Specific Health Privacy Legislation

Privacy - ACT

Australian Capital Territory

The Health Records (Privacy and Access) Act 1997 (ACT) governs issues to do with personal health information and records in the ACT. The legislation governs public sector and private health care providers.

Schedule 1 of the legislation contains a set of ‘privacy principles’ similar to the APPs described above, which provide information about collection, use and disclosure of information, as well as rights of access and an ability to correct information.

The ACT Human Rights Commission administers the legislation, and handles privacy complaints regarding health information and records.

Privacy - NSW

New South Wales

In NSW, the Health Records and Information Privacy Act 2002 (NSW) seeks to ‘promote fair and responsible handling of health information by:

(a)  protecting the privacy of an individual’s health information that is held in the public and private sectors, and

(b)  enabling individuals to gain access to their health information, and

(c)  providing an accessible framework for the resolution of complaints regarding the handling of health information. 5

The legislation applies to both public and private health care service providers. 6

Health privacy principles are outlined in Schedule 1 of the Act.

The NSW Information and Privacy Commission oversees the protection of personal and health information.

Privacy - Vic

Victoria

Health information in the Victorian public sector is covered by the Health Records Act 2001 (Vic). The Victorian legislation applies to health information in both the public and private health sectors. 7.

Health privacy principles are outlined in Schedule 1 of the Act.

Complaints about the handling of health information can be made to the Victorian Health Care Complaints Commissioner.

General Privacy Legislation

Privacy - Northern Territory

Northern Territory

In the Northern Territory, privacy provisions are set out in the Information Act (NT).

The provisions apply to privacy generally (and not specifically health care). The legislation enables individuals to access information that is held by a public sector organisation, and provides mechanisms to deal with infringements of privacy.

Information privacy principles (which are similar to the Commonwealth APPs) are contained in Schedule 2 of the Act.

The Office of the Information Commissioner for the Northern Territory is the independent statutory body responsible for overseeing the legislation, and handling complaints.

Privacy - Qld

Queensland

The Information Privacy Act 2009 (Qld)  applies to general privacy in the Queensland public sector. The legislation is therefore broader than specific Health Privacy legislation in other states. Nevertheless, special provision is made for health agencies, in that they must comply with ‘National Privacy Principles’ as contained in Schedule 4 of the Act.

The Queensland Office of the Information Commissioner oversees the legislation and right to privacy and information in Queensland, including receiving privacy complaints.

Privacy - Tasmania

Tasmania

In Tasmania, the Personal Information and Protection Act 2004 (Tas) applies to personal information (in a broad sense again) in the Tasmanian public sector including the University of Tasmania.

Schedule 1 of the Act sets out a number of ‘Person Information Protection Principles’ based on the former National Privacy Principles (Cth), which were superseded by the APPs.

The Tasmanian Ombudsman may receive and investigate complaints in relation to issues to do with privacy.

Other regulation

Privacy - South Australia

South Australia

South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles. It has also established a South Australian privacy committee to handle privacy complaints.

Privacy - Western Australia

Western Australia

The state public sector in Western Australia does not currently have a legislative privacy regime.

Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA). The Freedom of Information Act is overseen by the Office of the Information Commissioner (WA).

Are there situations in which information can be released?

Disclosure of personal health information can occur in certain circumstances. For example, it is often necessary to share information with other health professionals in the provision of services, sometimes with family members and carers, and sometimes a person’s health record may be disclosed pursuant to legislation.

The Commonwealth Privacy Act 1988 permits the use or disclosure of:

  • information for research purposes, compilation of statistics, or information relevant to public health or public safety (when it is impracticable to obtain consent); 8
  • genetic information, when the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual; 9 (See further here).
  • information in circumstances in which a person is physically or legally incapable of giving consent, or cannot communicate consent and the person’s carer is satisfied the release is necessary for the person’s treatment, or for compassionate reasons. 10 (Such disclosure must be limited to what is reasonable and necessary to meet these goals.)

The National Health and Medical Research Council have further produced guidelines (pursuant to s 95AA of the Privacy Act) that set out the requirements for disclosure of genetic information. The guidelines, amongst other things, reiterate the need for a belief by a medical practitioner that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative (no more than 3rd degree), that attempts to gain consent have been made, and that if information is released without consent that steps should be taken to avoid (as far as possible) identifying the person about whom the information relates.

Mandatory disclosure provisions also exist in all states and territories of Australia. These include, for example, such things as making notifications regarding infectious diseases and cancer; suspected child abuse; and pursuant to a subpoena (related to a court case).

What if someone breaches privacy when an exception does not apply?

Commonwealth privacy provisions allow for compensation to be awarded in appropriate circumstances, to an individual whose privacy is breached. 11

State and territory legislation provide for penalties to be imposed upon the wrongful party, including the imposition of fines. 12

Note – Human Rights and Privacy

In Victoria 13 and the Australian Capital Territory, 14 human rights legislation also recognises a broader right to privacy, and obliges public sector organisations to act in a way that is compatible with privacy and other protected human rights.

Australia is also a signatory to international conventions that protect privacy rights. For example, Article 17 of the International Covenant for the Protection of Civil and Political Rights provides that a person should be free of arbitrary or unlawful interference with his or her privacy.

In cases of interference however, international cases have upheld that some interference, where the measure is necessary and justified (such as for the protection of societal interests), is acceptable. 15

Find out more

Notes:

  1. Australian Law Reform Commission, ALRC Discussion Paper 72, Review of Australian Privacy Law 1 Discussion Paper 72, September 2007, p 114.
  2. Privacy Act 1988 (Cth) s 6.
  3. Office of the Australian Information Commissioner, What are Health Service Providers? http://www.oaic.gov.au/privacy/privacy-topics/health-for-individuals/what-are-health-service-providers at 17 January 2015.
  4. See Office of the Australian Information Commissioner at http://www.oaic.gov.au/privacy/privacy-news.  NOTE: On 2 October 2014 the Freedom of Information Amendment (New Arrangements) Bill 2014 (the Bill) was introduced into the Australian Parliament. The OAIC has provided the following information: ‘The Bill proposes the repeal of the Australian Information Commissioner Act 2010 including abolition of the Office of the Australian Information Commissioner (OAIC) and amendment of the Freedom of Information Act 1982 (FOI Act), Privacy Act 1988 (Privacy Act) and related laws. If the Bill is passed by Parliament the functions of the Privacy Act will be undertaken by the Australian Privacy Commissioner. This includes the handling of privacy complaints, undertaking investigations and other regulatory activities, and the provision of guidance and advice on privacy to individuals, organisations and agencies. Relevant functions of the FOI Act will be undertaken by the Attorney‑General’s Department (AGD) (advice, guidelines, annual reporting), the Administrative Appeals Tribunal (AAT) (merits review) and the Commonwealth Ombudsman (Ombudsman) (complaints). For more information, see the Bill.’
  5. Health Records and Information Privacy Act 2002 s 3.
  6. As above, s 4.
  7. Health Records Act 2001 (Vic) ss 10-11.
  8. Privacy Act 1988 (Cth) s 16B(3).
  9. Privacy Act 1988 s 16B(4).
  10. Privacy Act 1988 s 16B(5).
  11. Privacy Act 1988 (Cth), s 52(1)(b)(iii).
  12. See Health Records and Information Privacy Act 2002 (NSW) ss 68, 69; Health Records Act 2000 (Vic) Part 7; Information Act (NT) s 148; Information Privacy Act 2009 (Qld) Chapter 6, Part 2; Health Records (Privacy and Access) Act 1997 (ACT), Part 5.
  13. Charter of Human Rights and Responsibilities Act 2006 (Vic).
  14. The Human Rights Act 2004 (ACT).
  15. See for example, A Health Authority v X (No 1) [2002] 2 All ER 780.