ALRC submission to the Privacy Commissioner—Review of the private sector provisions of the Privacy Act ( 21 December 2004 )
1. The Australian Law Reform Commission (ALRC) makes the following submission to the Office of the Privacy Commissioner in response to the Issues Paper Review of the Private Sector Provisions of the Commonwealth Privacy Act 1988 which was released in October 2004.
The Essentially Yours report
2. In 2003, the ALRC and the Australian Health Ethics Committee (AHEC) of the National Health and Medical Research Council (NHMRC) completed the report Essentially Yours: Protection of Human Genetic Information in Australia (ALRC 96).[1] One of the core purposes of the Inquiry, as specified in the Terms of Reference, was to report on whether a regulatory framework is needed to protect the privacy of human genetic samples and information in a number of contexts. The Inquiry therefore examined the operation of the Privacy Act 1988 (Cth), including the private sector provisions, with a particular focus on its application to human genetic samples and information.
3. While genetic information has some special characteristics that distinguish it from most other forms of personal information, genetic privacy issues are usually similar to those applicable to information privacy generally and, in particular, to the privacy of medical records and other health information. The ALRC-AHEC Inquiry concluded that, while some weaknesses in the existing legislative privacy framework can be identified, they are best remedied through changes to general information and health privacy laws (in particular the Privacy Act) rather than through developing a new regulatory framework for the protection of genetic information specifically.
4. The Inquiry made a number of recommendations for amendments to the Privacy Act aimed at improving the protection of human genetic samples and information. These included:
-
amendment of the definitions of ‘health information’ and ‘sensitive information’ to include human genetic information about an individual (Recs 7–4, 7–5);
-
extension of the definition of ‘health information’ to include information about an individual who has been dead for 30 years or less (Rec 7–6);
-
amendment to ensure that all small business operators that hold genetic information are subject to the Privacy Act (Rec 7–7);
-
extension of the Privacy Act to cover identifiable genetic samples (Recs 8–1, 8–2);
-
inclusion of a right of an individual to access his or her own body samples for the purpose of medical testing, diagnosis or treatment (8–3);
-
inclusion of a right of an individual to access genetic information or body samples of his or her first-degree genetic relatives, where access is necessary to lessen or prevent a serious threat to his or her life, health or safety (Recs 8–4, 21–3);
-
statutory permission for a health professional to disclose genetic information about his or her patient to a genetic relative where the disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety (Rec 21–1); and
-
amendment of the Privacy Act to ensure that employee records are subject to the protections of the Act (Recs 34–1, 34–2).
5. The following sets out some of the background to these recommendations, but the ALRC urges the Office of the Privacy Commissioner to read the relevant chapters of the Essentially Yours report in order to gain a full understanding of the ALRC and AHEC recommendations.
Definitions of ‘health information’ and ‘sensitive information’
6. The Inquiry was of the view that genetic information should receive the special protection afforded to health and other sensitive information under the Privacy Act, but that the existing definitions of health information and sensitive information do not provide the desired level of protection for all genetic information. There are circumstances in which genetic information may not be health information, either because the information is not about health, disability or the provision of a health service (as in the case of parentage or forensic testing, where the focus is on identification) or because it is not about the health or disability of an existing individual (as sometimes may be the case with genetic carrier testing, where the information is primarily about the health of future children). There is also a range of non-health genetic information that falls outside of the definitions of sensitive information, in particular parentage testing done by commercial laboratories. Submissions to the ALRC-AHEC Inquiry generally supported amending the Privacy Act to ensure that all genetic information is treated as health information or other sensitive information under the Act.
7. After considering definitions of health information in other health information privacy legislation, the Inquiry’s recommendation was to amend the definition of ‘health information’ to include ‘genetic information about an individual in a form which is or could be predictive of the health of the individual or any of his or her genetic relatives’ whether or not it collected in relation to the health of, or the provision of a health service to, the individual or a genetic relative.[2]
8. The word ‘predictive’ was not intended to bear the technical meaning used in some clinical contexts, but was chosen for the purpose of consistency with existing Australian legislative definitions. The term ‘genetic relative’ was considered more appropriate than the term ‘descendants’ used in some other formulations in order to encompass genetic information about an individual’s siblings.
9. It was also considered necessary to amend the definition of ‘sensitive information’ to include human genetic test information, in order to cover genetic information derived from parentage or other identification testing that is not predictive of health.[3]
Application to dead individuals
10. The Privacy Act does not cover genetic information about deceased persons. This may be contrasted with the position under Victorian and New South Wales health privacy legislation and the Australian Health Minister’s Advisory Council (AHMAC) Draft National Health Privacy Code which extend to personal information about individuals who have been dead for not more than 30 years. The Inquiry considered it desirable to amend the Privacy Act to cover genetic information about deceased individuals because of the implications that the collection, use or disclosure of this information may have for living genetic relatives, and adopted the 30 year period to ensure consistent coverage with Victoria and New South Wales .[4]
11. Privacy NSW submitted that the Privacy Act also should include provisions for decision making, either by a next-of-kin or an authorised person, regarding health information of deceased individuals. The Inquiry agreed with this submission and recommended that such amendments be made.
Covering all small business operators
12. Under the small business exemption, some small business operators are excluded from the definition of ‘organisation’ and are therefore entirely exempt from the operation of the Privacy Act. The exceptions to the exemption include an organisation providing a health service holding health information. However, it has been noted that a small business that is not a health service provider can remain exempt from the Act even though it might hold health information.[5] Such businesses might include those storing genetic samples or acting as a data repository but not providing a health service.
13. The Inquiry had concerns that the acts and practices of small business operators that hold genetic information pose a potential risk to the privacy of both the individual concerned and his or her genetic relatives. The Inquiry recommended that all small business operators that hold genetic information should be subject to the provisions of the Privacy Act, whether or not they provide a health service.[6]
14. This proposal was generally supported by submissions. In its submission the Office of the Federal Privacy Commissioner supported the removal of the exemption for small businesses holding health information, but was concerned that limiting the reform to ‘genetic information’ would introduce ‘unnecessary complexity into the regulatory framework applying to small businesses’. The Inquiry was limited in the breadth of its recommendation by the Terms of Reference. However, if the definition of ‘health information’ was amended specifically to include genetic information (as outlined above), the ALRC considers that expanding the exception to cover small businesses holding health information would achieve the aims of the recommendation.
Access to genetic information of first-degree genetic relatives
15. Genetic information may allow inferences to be drawn about persons other than the individual to whom the information most directly relates—most importantly about genetic relatives. In some circumstances, the disclosure of genetic information can prevent serious health consequences for genetic relatives by allowing the early detection and treatment of inherited genetic disorders. While it is desirable that disclosure to genetic relatives be made by, or with the consent of, the patient, the Inquiry was informed of a range of circumstances in which this does not, or cannot, occur.
16. The Inquiry concluded there was a need to amend the Privacy Act to broaden the circumstances in which health professionals may use or disclose genetic information to prevent threats to life, health or safety. It was considered that the existing ‘serious or imminent threat’ test included in NPP 2.1(e)(i) is too restrictive in the context of genetic information. The Inquiry recommended that the Privacy Act be amended so that use or disclosure of genetic information by a health professional be permitted where the health professional believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety, even where the threat is not imminent. The amendment could be achieved either by:
-
amending NPP 2.1(e)(i) to change the ‘serious and imminent threat’ test to a more permissive formulation; or
-
enacting a new NPP 2.1(e)(iii) to permit organisations to exercise a discretion, subject to guidelines issued by the NHMRC and approved by the federal Privacy Commissioner, to disclose an individual’s genetic information to a genetic relative where such disclosure is reasonably believed to be necessary to lessen or prevent serious harm to any individual.[7]
17. Although the simpler method, there were some concerns that Option 1 (amendment of NPP 2.1(e)(i)) would have implications beyond the context of genetic information, by permitting disclosure of any personal information in the regulated circumstances. The Inquiry did not specify which option was the most appropriate, considering that further consultation should be conducted in relation to the possible implications of implementing Option 1.
18. Consistently with this position, the Inquiry recommended that genetic relatives should have limited right of access on their own initiative.[8] The right of access should be exercisable only in relation to familial genetic information about the siblings, parents or children of the individual (first-degree genetic relatives). Access should be provided by making the information available to the requester’s nominated medical practitioner or genetic counsellor, who can explain the clinical relevance of the information obtained for the individual seeking it. Where an organisation receives a request for access to genetic information about an individual’s genetic relatives, it should be obliged to seek the consent, where practicable, before determining whether to provide access. Access would be able to be refused if providing access would have an unreasonable impact upon the privacy of the individual. To assist with implementation of this recommendation, the Inquiry recommended that the NHMRC should develop guidelines for health professional in dealing with such requests.[9]
Genetic samples
19. The Terms of Reference for the Inquiry specifically referred to the privacy of ‘human genetic samples and information’. A distinction is made between the genetic ‘sample’ (the biological sample) and genetic information may be derived from it by DNA analysis.
20. The Inquiry concluded that the Privacy Act does not currently cover genetic samples, even where they are identifiable to an individual (eg, having a name or identifier attached). With the exception of New South Wales , no other Australian jurisdiction applies information privacy principles explicitly to body samples. However, a number of overseas jurisdictions are looking at this issue. There was broad support in submissions to, and consultations held by, the Inquiry for extension of the Privacy Act to cover identifiable genetic samples.
21. The Inquiry considered there were a number of reasons why protection for genetic samples should be covered by privacy legislation:
-
genetic samples are closely analogous to other sources of personal information that are covered by the Privacy Act and should be protected by rules that are consistent with those applying to the genetic information derived from samples;
-
there are gaps in the existing framework for protecting the privacy of individuals from whom genetic samples are taken or derived;
-
these gaps might be usefully remedied if the National Privacy Principles (NPPs) or a set of similar privacy principles were to apply to genetic samples; and
-
no circumstances have been identified in which applying the Privacy Act to genetic samples would lead to adverse consequences for existing practices involving the collection and handling of genetic samples.[10]
22. The Inquiry made a number of recommendations in relation to extending coverage of the Privacy Act to provide enforceable privacy standards for handling genetic samples:
-
amend the definition of ‘personal information’ and ‘health information’ to include bodily samples from an individual whose identity is apparent or can reasonably be ascertained from the sample;[11]
-
amend the definition of ‘record’ to include a bodily sample;[12]
-
make provision for an individual’s right to access his or her own bodily samples, through a nominated practitioner, for the purpose of medical testing, diagnosis or treatment;[13] and
-
make provision for an individual’s right to access bodily samples of his or her first-degree relatives, through a nominated practitioner, where access is necessary to lessen or prevent serious threat to his or her life, health or safety, even where the threat is not imminent.[14]
23. Chapter 8 of Essentially Yours covers in detail all of the arguments for and against the inclusion of genetic samples in the Privacy Act. The ALRC notes that the Office for the Privacy Commissioner had expressed some preliminary concerns about the proposal in submissions made during the Inquiry, but urges consideration of the issue based upon the completed research and consultation as set out in the Essentially Yours report.
Employee Records
24. The Inquiry looked at the protection of human genetic samples and information in the employment context, and found there is very little protection of personal information, including health information, held in private sector employee records. The Inquiry recommended that it was appropriate to extend the Privacy Act to cover employee records.[15] Due to the Terms of Reference for the Inquiry, the recommendation applies only in relation to genetic information contained in employee records. However, the Inquiry found a number of concerns about other forms of personal health and medical information contained in employee records and made another recommendation urging that this issue be given further consideration in a broader context.[16]
25. In April 2004, the ALRC made a submission to the review of employee records privacy that was commenced by the Attorney-General’s Department and the Department of Employment and Workplace Relations. A copy of that submission, which sets out a full background to the Inquiry’s findings on this issue, is attached.
[2] Essentially Yours report, Rec 7–4 and [7.82].
[3] Essentially Yours report, Rec 7–5
[4] Essentially Yours report, Rec 7–6, [7.84]–[7.91].
[5] T Smyth, ‘Protecting Human Genetic Information and Its Use’ (2002) 10(6) Health Law Bulletin 64, 66.
[6] Essentially Yours report, Rec 7–7, [7.99]–[7.104].
[7] Essentially Yours report, Rec 21–1, [21.88].
[8] Essentially Yours report, Rec 21–3.
[9] Essentially Yours report, Rec 21–4.
[10] Essentially Yours report, [8.3].
[11] Essentially Yours report, Rec 8–2.
[12] Essentially Yours report, Rec 8–2.
[13] Essentially Yours report, Rec 8–3.
[14] Essentially Yours report, Rec 8–4.
[15] Essentially Yours report, Rec 34–1.
[16] Essentially Yours report, Rec 34–2.