Regulation regarding the privacy of health care information is particularly complex. Laws may be found at the Commonwealth level and at the State and Territory level, each of which regulates different things.
The Privacy Act 1988 (Cth) is the existing Commonwealth legislation that regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations.
State and Territory public hospitals and other agencies, as well as some private businesses, are governed by state/territory regulation. Some states and territories have specific health privacy legislation; others have general privacy legislation that would also apply to health; and others do not have specific privacy legislation but have some other protections of privacy (and confidentiality).
Below you will find brief commentary, and important links to key legislation and agencies that oversee National and State/Territory privacy regimes respectively.
The Privacy Act 1988 (Cth) is the existing Commonwealth legislation that regulates the handling of personal information by Australian Government agencies (and the Norfolk Island Administration), and some private sector organisations. (Note: State and Territory public hospitals and other agencies, as well as some private businesses, are governed by state/territory regulation, discussed below.)
Included within the Privacy Act are 13 Australian Privacy Principles (APPs) that regulate the standards, rights and obligations for the handling, holding, accessing and correction of personal information. The APPs are listed next to the map of Australia below.
As health information is seen as particularly sensitive, the Privacy Act 1988 (Cth) provides special protections around handling such information. That is, it provides protection of ‘special information’, which includes health and genetic information.
Health information, pursuant to the legislation, includes:
(a) information or an opinion about:
  - the health or a disability (at any time) of an individual; or
  - an individual’s expressed wishes about the future provision of health services to him or her; or
  - a health service provided, or to be provided, to an individual;
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
The definition of health services is very broad, and may include such services as:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
- complementary therapists, such as naturopaths and chiropractors
- gyms and weight loss clinics
- child care centres, private schools and private tertiary educational institutions.
A person about whom ‘sensitive information’ has been collected must consent to its use or disclosure unless it falls under a provision that allows its release (discussed further below).
The Office of the Australian Information Commissioner (OAIC) oversees the Act, investigates complaints made by individuals about alleged interferences with privacy, and can take regulatory and enforcement action to encourage and ensure compliance with privacy obligations. It also provides a wealth of resources and information concerning the privacy laws and their operation.
Privacy legislation also exists in the Australian Capital Territory, New South Wales, and Victoria specifically to regulate the handling of personal health information. Each has its own set of ‘health privacy principles’. The Northern Territory, Queensland and Tasmania have general privacy legislation, which is broader in application. Each of these also has its own ‘information privacy principles’ or something to similar effect. In South Australia and Western Australia there are no privacy regimes; however, privacy is protected in other ways.
Some key pieces of legislation that are relevant to health care information and records are listed below, and links to oversight agencies are provided.
Disclosure of personal health information can occur in certain circumstances. For example, it is often necessary to share information with other health professionals in the provision of services, sometimes with family members and carers, and sometimes a person’s health record may be disclosed pursuant to legislation.
The Commonwealth Privacy Act 1988 permits the use or disclosure of:
- information for research purposes, compilation of statistics, or information relevant to public health or public safety (when it is impracticable to obtain consent);
- genetic information, when the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual;
- information in circumstances in which a person is physically or legally incapable of giving consent, or cannot communicate consent and the person’s carer is satisfied the release is necessary for the person’s treatment, or for compassionate reasons. (Such disclosure must be limited to what is reasonable and necessary to meet these goals.)
Mandatory disclosure provisions also exist in all states and territories of Australia. These include, for example, such things as making notifications regarding infectious diseases and cancer; suspected child abuse; and pursuant to a subpoena (related to a court case).
Commonwealth privacy provisions allow for compensation to be awarded, in appropriate circumstances, to an individual whose privacy is breached.
State and territory legislation provides for penalties to be imposed upon the wrongful party, including the imposition of fines.
In Victoria and the Australian Capital Territory, human rights legislation also recognises a broader right to privacy, and obliges public sector organisations to act in a way that is compatible with privacy and other protected human rights.
Australia is also a signatory to international conventions that protect privacy rights. For example, Article 17 of the International Covenant for the Protection of Civil and Political Rights provides that a person should be free of arbitrary or unlawful interference with his or her privacy.
In cases of interference, however, international cases have upheld that some interference is acceptable where the measure is necessary and justified (such as for the protection of societal interests).