Australian Privacy Laws and Health Information
Australian Privacy Laws and Health Information

Australia privacy rights are regulated by Commonwealth and State legislation and the laws protecting confidential information under the common law.

Australian privacy laws govern the collection, use and disclosure of “personal information”.  Further, individuals are provided with a right of access and correction of their own personal information.  There are also data security, data quality and cross-border transborder data flow requirements.

Under Australian privacy laws:

“personal information” means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

In Australia, health information (such as medical records) are a subset of personal information and attract additional protection and rules.  These include:

  • Use and disclosure is permitted if there is a serious and imminent threat to the health and safety of an individual or the public.
  • Use and disclosure for health and medical research if certain conditions are met.
  • Disclosures to carers for compassionate reasons.
  • Restrictions on access if providing direct access would pose a serious threat to the life or health of any individual.
  • Use and disclosure of genetic information to lessen or prevent a serious threat to a genetic relative.

“health information” means:

  1. information or an opinion about:
    1. the health or a disability (at any time) of an individual; or
    2. an individual’s expressed wishes about the future provision of health services to him or her; or
    3. a health service provided, or to be provided, to an individual; that is also personal information; or
  2. other personal information collected to provide, or in providing, a health service; or
  3. other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  4. genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

“health service” means:

  1. an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
    1. to assess, record, maintain or improve the individual’s health; or
    2. to diagnose the individual’s illness or disability; or
    3. to treat the individual’s illness or disability or suspected illness or disability; or
  2. the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

The Privacy Act 1988 (Commonwealth) ('Privacy Act'), which applies to Australian Commonwealth government agencies and private sector organisations, has been recently amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) ('Privacy Amendment Act').  The Privacy Amendment Act was passed by Parliament on 29 November 2012, received the Royal Assent on 12 December 2012 and comes into force on 12 March 2014.

The amendments aim to:

  • Create a single set of Australian Privacy Principles applying to both Australian Government agencies and the private sector. These principles will replace the existing Information Privacy Principles and National Privacy Principles.
  • Introduce more comprehensive credit reporting, improved privacy protections and more logical, consistent and simple language.
  • Strengthen the functions and powers of the Australian Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance- penalties of up to 2000 penalty units $340K for individuals – x5 for body corporates AUD$1.7 million.
  • Create new provisions on privacy codes and the credit reporting code, including codes that will be binding on specified agencies and organisations.
Australian Privacy Principles

The Privacy Amendment Act introduces a unified set of Australian Privacy Principles which apply to both Commonwealth agencies and the Australian private sector, replacing separate public and private sector principles.

Permitted health situations

The Privacy Amendment Act introduces the concept of “permitted health situation” in a new section 16B.

Collection – provision of a health service

A “permitted health situation” exists in relation to the collection by an organization of health information about an individual if:

  1. the information is necessary to provide a health service to the individual;  and
  2. either:
    1. the collection is required or authorised by or under an Australian law (other than the Privacy Act);  or
    2. the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
Collection – research etc.

A “permitted health situation” exists in relation to the collection by an organisation of health information about an individual if:

  1. the collection is necessary for any of the following purposes:
    1. research relevant to public health or public safety;
    2. the compilation or analysis of statistics relevant to public health or public safety;
    3. the management, funding or monitoring of a health service;  and
  2. that purpose cannot be served by the collection of information about the individual that is de-identified information;  and
  3. it is impracticable for the organisation to obtain the individual’s consent to the collection;  and
  4. any of the following apply:
    1. the collection is required by or under an Australian law (other than the Privacy Act);
    2. the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;
    3. the information is collected in accordance with guidelines approved under section 95A of the purposes of this subparagraph.
Use or disclosure – research, etc.

A “permitted health situation” exists in relation to the use or disclosure by an organisation of health information about an individual if:

  1. the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety;  and
  2. it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure;  and
  3. the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes this paragraph;  and
  4. in the case of disclosure – the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
Use of disclosure – genetic information

A “permitted health situation” exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual) if:

  1. the organisation has obtained the information in the course of providing a health service to the first individual; and
  2. the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and
  3. the use or disclosure is conducted in accordance with guidelines approved under section 95AA; and
  4. in the case of disclosure – the recipient of the information is a genetic relative of the first individual.
Disclosure – responsible person for an individual

A “permitted health situation” exists in relation to the disclosure by an organisation of health information about an individual if:

  1. the organisation provides a health service to the individual; and
  2. the recipient of the information is a responsible person for the individual; and
  3. the individual:
    1. is physically or legally incapable of giving consent to the disclosure; or
    2. physically cannot communicate consent to the disclosure; and
  4. another individual (the carer) providing the health service for the organisation is satisfied that either:
    1. the disclosure is necessary to provide appropriate care or treatment to the individual; or
    2. the disclosure is made for compassionate reasons;  and
  5. the disclosure is not contrary to any wish:
    1. expressed by the individual before the individual became unable to give or communicate consent; and
    2. of which the care is aware, or of which the carer could reasonably be expected to be aware;  and
  6. the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).

This article is provided for general information purposes only and should not be relied upon as legal advice.


Recent Posts