28.09.2011
Speech by Professor Rosalind Croucher* at the Managing Patient Confidentiality & Information Governance Forum, 22 August 2011, Melbourne.
1. Introduction
To help focus my presentation today I thought it would be useful to reflect on an ‘information timeline’ to provide a backdrop for a consideration of the Australian Law Reform Commission’s work on privacy.
Information timeline
1982 Freedom of Information Act (Cth)
1983 Archives Act
1983 ALRC’s report, Privacy (ALRC 22)
1988 Privacy Act (Cth)—
- Information Privacy Principles—based on OECD guidelines—providing safeguards for personal information handled by Cth and ACT government agencies
- Privacy Commissioner established
2000 Privacy Amendment (Private Sector) Act (Cth)
- Approved privacy codes
- National Privacy Principles—based on voluntary guidelines for the private sector
2004 Attorney-General asked the Privacy Commissioner to review the operation of the private sector provisions of the Privacy Act—a trigger for the ALRC comprehensive review
2005 Senate Legal and Constitutional Affairs Committee inquiry into the Privacy Act—a further trigger for the ALRC review
2006 amendments to the Privacy Act regarding ‘health information’ and ‘sensitive information’ expressly to include genetic information, to ensure that the collection, use and disclosure of genetic information would be given the additional protections of the Privacy Act. Further amendments provided for better information exchange between federal agencies, state and territory authorities, private sector organisations, non-government organisations and others in an emergency or disaster situation.
2006 January, referral to ALRC (due date March 2008, extended to May)
2006 COAG agrees to a national approach
2008 For Your Information (ALRC 108)—295 recommendations for reform
2009 October, the Government provided a first stage response, including commitment to:
- harmonise Privacy Principles—untangle red tape, introduce the first step to national consistency
- improve health sector information flows and give individuals new rights to control their health records (contributing to better health service delivery)
- strengthen the Privacy Commissioner’s powers
2009 December, COAG signed national partnership agreement for e-health
2010 1 November, the Office of the Privacy Commissioner (OPC) was integrated into the Office of the Australian Information Commissioner (OAIC).
2010–11 Department of Prime Minister and Cabinet conducted further consultations.
The ALRC Privacy Report
The report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108, 2008) was the result of a 28 month inquiry into the effectiveness of the Privacy Act 1988 (Cth) and related laws. It was a mammoth undertaking, resulting in the three volume Report, containing 74 chapters and 295 recommendations for reform.
The Terms of Reference asked the ALRC to review the effectiveness of privacy laws in Australia given:
- rapid advances in information, communication, storage, surveillance and other technology
- possible changing community perceptions around privacy
- expansion of state and territory activity in this area
And to have regard to:
- the need of individuals for privacy protection in an evolving technological environment
- the desirability of minimising the regulatory burden on business in this area
Competing tensions
The Terms of Reference, against the backdrop of the information timeline, reveal competing tensions: between the idea, and role, of autonomy—the personal space—and the idea of public interests. The public interests include advancing public health outcomes and a fair distribution of Australia’s health budget. Although privacy is a recognised human right under international conventions—including the International Covenant on Civil and Political Rights (ICCPR)[1]—there is general community appreciation for the need to strike a common sense balance between privacy interests and practical concerns in a range of areas. For example, while personal health information is regarded as ‘sensitive’ and deserving of the highest level of protections, individuals understand that a premium may be placed on prompt access to, and disclosure of, such information in the case of a medical emergency.
Key messages heard during the inquiry were that the Privacy Act has worked well but needs to be brought up to date, and that there were strong concerns about the complexity of the law and confusion about overlapping privacy laws at the federal, state and territory levels.
Personal information spectrum
Privacy, moreover, does not sit as an isolated concern, but is juxtaposed with a range of other information management issues. The management of information can be conceived overall as a spectrum, with openness of information and protection of information as opposite ends of that spectrum. Personal information has prompted specific responses, at times overlaid with secrecy obligations of those who handle the information. But personal information also requires responses that cover matters such as access, transfer and use of information. Personal information is protected, and regulated, across this spectrum.
Personal health information was traditionally protected by the ethical and legal duties of confidentiality. Such duties are owed by health service providers—such as doctors, dentists, nurses, physiotherapists and pharmacists. The duties prevent the use of personal health information for a purpose that is inconsistent with the purpose for which the information was provided.
On the privacy end of the information spectrum there are specific statutory obligations under the federal Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000 (Cth). Other federal legislation also regulates the handling of personal information. For example, the Freedom of Information Act 1982 (Cth) (FOI Act) both gives access to documents and also protects documents, including those that contain personal information.[2]
2. The federal interest in privacy
The Constitution
Any discussion about privacy law and practice in Australia has to begin with a consideration of how privacy is—or is not—a federal issue. The Australian Constitution establishes a federal system of government in which powers are distributed between the Commonwealth and the six states. The list of subjects about which the Australian Parliament may make laws makes no express mention of privacy, but this does not mean that the Australian Parliament has no power in relation to privacy. There are two principal federal laws concerning privacy: the Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000. Further amendments in 2000 established the Office of the Privacy Commissioner as a statutory authority independent of HREOC (now the AHRC).
The Privacy Act was enacted on the basis of the Australian Parliament’s express power to make laws with respect to ‘external affairs’.[3] The external affairs power enables the Australian Parliament to make laws with respect to matters physically external to Australia;[4] and matters relating to Australia’s obligations under bona fide international treaties or agreements, or customary international law.[5] The external affairs power is not confined to meeting international obligations, but also extends to ‘matters of international concern’.[6]
The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the ICCPR[7] and the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines).[8] The Second Reading Speech to the Privacy Bill also referred to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, though this instrument does not, of course, bind Australia.[9] Section 3 of the Privacy Amendment (Private Sector) Act makes clear that the private sector amendments were also intended to meet Australia’s international obligations relating to privacy.
In addition to the ‘external affairs’ power, the Commonwealth may rely on other constitutional heads of power as a basis for legislating on privacy, including: s 51(v)— postal, telegraphic, telephonic, and other like services; s 51(i)—trade and commerce with other countries, and among the States; ss 51(xiii) and (xiv)—banking and insurance, but not state banking or state insurance unless it extends beyond the limits of the state; and s 51(xx)—foreign corporations, and trading or financial corporations formed within the limits of the Commonwealth.
And where the Commonwealth can make laws and such laws are inconsistent with state laws, the Commonwealth ones overreach the states, to the extent of any inconsistency.[10] Commonwealth law may directly invalidate state law, where it is impossible to obey both the state law and the federal law,[11] or overreach it where the Australian Parliament’s legislative intent is to ‘cover the field’ in relation to a particular matter.[12]
Covering the field?
The federal Privacy Act of 1988 made it clear that it was not intended to ‘cover the field’, as is evident from s 3, which states that:
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
In some ways it would have been easier if it had sought to do so. Indeed, it has been observed that inconsistency in the regulation of personal information stems largely from the failure of federal law to ‘cover the field’.[13] But then the second stage of the federal laws, in 2000, sent a different message. Section 3(a) of the Privacy Amendment (Private Sector) Act 2000 (Cth) states that one of the objects of the Act is
to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations.
It is not surprising to find, therefore, that, in reviewing the private sector provisions of the Privacy Act (OPC Review), the Office of the Privacy Commissioner recommended that the Australian Government should consider amending s 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.[14]
Coverage
As amended, the Privacy Act regulates the handling of personal information by the Australian Government, the ACT Government and the private sector. The Act contains a set of 11 Information Privacy Principles (IPPs) that apply to Australian Government and ACT Government agencies, and 10 National Privacy Principles (NPPs), introduced in the 2000 Act, that apply to the private sector. The IPPs apply to agencies; the NPPs to organisations.
State laws
Each Australian state and territory regulates the management of personal information. In some states and territories, personal information is regulated by legislative schemes, in others by administrative regimes. In addition to the federal laws relating to privacy, a number of the states and territories have enacted privacy legislation regulating the handling of personal information in the state and territory public sectors. These regimes are sometimes inconsistent with the Privacy Act and with each other. Further, New South Wales, Victoria and the ACT all have legislation that regulates the handling of personal health information in the public and private sectors. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation.[15]
Although the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs) and privacy principles under state and territory privacy legislation are similar, they are not identical. The privacy regimes in some jurisdictions include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs.[16]
New South Wales (NSW), Victoria and the ACT all have legislation that regulates the handling of personal health information in the private sector. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation in relation to personal health information.[17]
The ALRC’s recommendations
The ALRC’s recommendations included the following:
- re-draft the Privacy Act and privacy principles to achieve greater consistency, clarity and simplicity
- unify privacy principles for public and private sector into one set of principles
- structure privacy regulation to follow a three-tiered approach:
  - high level principles of general application;
  - regulation and industry codes detailing the handling of personal information in certain specified contexts;
  - guidance by the Privacy Commissioner dealing with operational matters and providing explanations
- promotion of national consistency in relation to health information
- a bunch of other stuff, including the recommendation of a statutory cause of action for a serious breach of privacy—recently in the news.
The Government’s first stage response included 197 of the 295 recommendations:
- accepted 141, in full or in principle
- accepted 34, with qualification
- did not accept 20
- noted two
- then … consider the rest ….
3. Privacy and health
Privacy is a fundamental principle underpinning quality health care. Without an assurance that personal health information will remain private, people may not seek the health care they need which may in turn increase the risks to their own health and the health of others. Indeed consumers regard health information as different to other types of information and consider it to be deeply personal.[18]
Privacy is a fundamental principle in health care. It is expressed in a range of ways, from duties of confidentiality through to legislative regimes. There are ethical and legal duties of confidentiality owed by health service providers—such as doctors, dentists, nurses, physiotherapists and pharmacists—that prevent the use of personal health information for a purpose that is inconsistent with the purpose for which the information was provided. A legal duty of confidentiality may arise in equity, at common law, or under contract. In addition, health service providers are often subject to confidentiality provisions in professional codes of conduct[19] and, if they are employed in the public sector, may be subject to legislative secrecy provisions, that impose penalties—often criminal—if information is disclosed.[20]
Duties of confidentiality recognise the dignity and autonomy of the individual,[21] as well as the public interest in fostering a relationship of trust between health service providers and health consumers to ensure both individual and public health outcomes.[22] Such duties are not absolute and there are circumstances in which the law permits, and sometimes requires, the disclosure of confidential personal health information.[23]
More recently, privacy legislation has been introduced in a number of Australian jurisdictions specifically to regulate the handling of personal health information.[24]
Health information
There is a strong view in the community—reflected in the Privacy Act—that personal health information requires a high level of protection. A very significant concern in this area is the complexity, fragmentation and inconsistency of legislation and regulation relating to health privacy. Complexity is a serious concern across the whole field of privacy protection, but is perhaps most compelling in the regulation of health information.
Chapter 62 of For Your Information examined the definitions in the Privacy Act relating to the handling of health information—the definitions of ‘health information’ and ‘health service’. The ALRC identified the differences in coverage in the IPPs and the NPPs. The IPPs do not distinguish between ‘personal information’, ‘sensitive information’ and ‘health information’; and public sector agencies are required to deal with all personal information, including health information, in the same way. The NPPs, however, provide a separate regime for ‘sensitive information’, including ‘health information’, and make specific provision for the handling of health information in some circumstances. The NPP regime applies to private sector organisations, including all organisations that hold health information and provide a health service that might otherwise be exempt from the provisions of the Privacy Act under the small business exemption.
The NPPs require ‘sensitive information’ to be given a higher level of protection than other personal information. For example, sensitive information must be collected with consent, except in a range of specified circumstances. It may be used or disclosed only for the purpose for which it was collected or a directly related secondary purpose—and only so long as the individual would reasonably expect the information to be used in this way. There is also special provision for the disclosure of health information in particular circumstances.[25]
The ALRC proposed that the definition of ‘health information’ in the Privacy Act be amended to make express reference to information or opinion about the physical, mental or psychological health or disability of an individual.[26] This was strongly supported by stakeholders. The ALRC was concerned that the term ‘health’ is sometimes interpreted to mean ‘physical health’. Including the terms ‘physical, mental or psychological’ will not narrow the definition of health information, but make it clear that ‘health information’ is not intended to be restricted to personal information about an individual’s physical health. Further, although there is overlap between the terms ‘mental’ and ‘psychological’ health, there are also distinctions drawn between them.
The ALRC also suggested that the definition of ‘health service’ should be amended to overcome differences of definition and establish clear limits. It is important to ensure that the definition is appropriately limited to the provision of services intended, for example, to assess or improve the individual’s health, and does not extend to activities such as providing health insurance. The ALRC recommended that ‘recording’ an individual’s health should be removed from the definition as it could lead to undesirable outcomes, such as in the health insurance context.
Government response
The recommendation to amend the definition of ‘health information’ in the Privacy Act was accepted by the Government. The Government also agreed that the definition of ‘health service’ should be amended, along the lines suggested by the ALRC.
The definition of ‘health service’ should also expressly exclude activities performed for reasons other than care or treatment, such as life, health or other forms of insurance.
The Privacy Act should also be amended to provide that the Governor-General may make regulations consistent with the Act, to exclude, whether specifically or by class, organisations or agencies from the definition of providing a ‘health service’, where it is not appropriate for those entities to be included in the definition.
These amendments will give further effect to the policy intent of the ‘health service’ definition proposed by the ALRC.[27]
Complexity and confusion
Businesses—not surprisingly—were concerned mainly with the overly complex and confusing web of privacy laws in Australia, citing the overlapping federal, state and territory laws; the separate privacy principles for government agencies (the Information Privacy Principles (IPPs)) and private sector organisations (the National Privacy Principles (NPPs)), and other relevant laws, including those covering the privacy of health information. This makes it very difficult—and expensive—for even the best-intentioned business to comply.
There are a number of significant exemptions from the Privacy Act that mean that some agencies and organisations holding health information may not be subject to the Act in relation to that information.[28] Perhaps the most significant is the exemption for small business operators. Section 6D of the Privacy Act defines a small business as one that has an annual turnover of $3 million or less in the previous financial year. Some small businesses are caught by the NPPs if, among other things, they:
- provide a health service and hold health information, except where the information is held in an employee record;
- disclose personal information for a benefit, service or advantage; or
- provide a benefit, service or advantage to collect personal information.[PA s 6D(4)]
These concerns were expressed consistently and strongly in submissions and consultations throughout the Inquiry—making it clear to the ALRC that simplification and harmonisation of the law had to be one of the principal aims and outcomes of this Inquiry.
The ALRC recommended the removal of the small business exemption.[29] This is to be covered in the second tranche of the Government responses. The focus of the first stage response is ‘to establish the foundations for an enhanced privacy framework’. Some of this concerns health services and research.
National consistency problems
Both the federal Privacy Act and state or territory legislation regulate the handling of health information in the private sector in a number of jurisdictions. For example, the NSW Health Records and Information Privacy Act and the Victorian Health Records Act contain a set of Health Privacy Principles (HPPs). Private sector health service providers in these jurisdictions are therefore required to comply with two sets of principles: the NPPs in the Privacy Act and the relevant set of HPPs. There are also differences between them, so that information passing from one jurisdiction to the other may become subject to a different set of rules. This causes particular difficulty for health service providers and researchers operating across jurisdictional borders or nationally.
The review of private sector provisions of the Privacy Act conducted by the OPC concluded that the co-existence of provisions caused:
- increased compliance costs
- confusion about which regime regulates particular businesses
- forum shopping
- uncertainty.[30]
The ALRC concluded that national consistency should be one of the goals of privacy regulation in Australia and that personal information should attract similar protection, whether that personal information is being handled by an Australian Government agency, a state or territory government agency or a private sector organisation.
4. Achieving national consistency
National legislation
The problems associated with overlapping and inconsistent federal, state and territory laws that regulate the handling of personal information are documented throughout the Report. These problems include unjustified compliance burden and cost, impediments to information sharing and national initiatives and confusion about who to approach to make a privacy complaint.
The ALRC considered that the most appropriate way to respond to these problems is through:
- the enactment of federal legislation to regulate the handling of personal information, to the exclusion of state and territory privacy laws operating in the private sector; and
- an intergovernmental agreement that establishes an intergovernmental cooperative scheme. The scheme would provide that the states and territories should enact legislation to regulate the handling of personal information in the state and territory public sectors, applying key uniform elements such as a set of uniform privacy principles, any relevant regulations that modify the application of the principles, and relevant definitions.
Although there are a number of advantages to having a single, national privacy law administered by a single regulator, the ALRC considered that there was merit in the arguments put forward by state governments and others that the states and territories should be left to regulate the handling of personal information in their public sectors. In particular, the ALRC notes concerns relating to the need for state and territory privacy legislation to respond to local conditions, and to interact with existing state and territory information laws such as freedom of information and public records legislation. Further, the ALRC acknowledges the advantages of having state and territory privacy regulators deal with complaints, provide advice, and perform educational functions.[31]
While a single national privacy law could accommodate many of these concerns, the ALRC’s view is that, for the time being, the Australian Parliament should exercise its legislative power only in relation to the handling of personal information by the private sector and the Australian Government public sector. The ALRC recommends below an intergovernmental cooperative scheme in relation to state and territory public sectors.
Many stakeholders focused on inconsistency in the regulation of personal information in the private sector. In particular, it was suggested in submissions that various problems arise because the handling of health information in the private sector is regulated by the Privacy Act and state and territory legislation in NSW, Victoria and the ACT.
These issues would be dealt with effectively if organisations were required to comply with a single set of principles, and any relevant regulations that modify the application of those principles, in relation to the handling of health information. This view is consistent with the Report, Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), where the ALRC and the Australian Health Ethics Committee recommended that:
As a matter of high priority, the Commonwealth, States and Territories should pursue the harmonisation of information and health privacy legislation as it relates to human genetic information. This would be achieved most effectively by developing nationally consistent rules for handling all health information.[32]
The ALRC recommended that the Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by the private sector. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).[33]
While some stakeholders argued that state and territory laws—that apply key elements of the Privacy Act—should continue to regulate the handling of health information in the private sector, many private sector organisations that handle personal information and health information operate across more than one jurisdiction. These organisations should be subject to a single set of privacy principles. Greater national consistency will be achieved if the Privacy Act alone regulates the handling of health information in the private sector.
Other state and territory laws may be introduced that seek to regulate the handling of personal information in the private sector.[34] The Privacy Act should operate to exclude the operation of such laws. The ALRC therefore recommended that regulations made under the Privacy Act should operate to exclude future state and territory laws that purport to regulate the handling of personal information by organisations.[35] The ALRC also recommended that states and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it no longer applies to organisations.[36]
Government response
Both recommendations were accepted in principle. With respect to the amendment of the Privacy Act to operate to the exclusion of the states and territories, the Government recognised that there are clear benefits of nationally consistent privacy regulation in the private sector, including the health sector. The Government committed to work with state and territory counterparts to progress this matter through further discussions in appropriate forums. With respect to the amendment of state and territory laws, the Government said that this was a matter for state and territory governments, but that it would be the subject of further discussions with those governments at the appropriate time.
Australian Privacy Principles
The ALRC recommended that the Privacy Act be redrafted and restructured to achieve significantly greater consistency, clarity and simplicity.[37] A key element of this reform would be a rationalisation of the privacy principles, which address the handling of personal information by agencies and organisations covered by the Privacy Act. The ALRC recommended ‘Uniform Privacy Principles’ (UPPs).
Government response
The Government agreed that the Privacy Act should be redrafted to achieve greater logical consistency, simplicity and clarity and proposed the Australian Privacy Principles (rather than ‘UPPs’).
In June 2010 the Government released an exposure draft of the new Australian Privacy Principles which will be a key part of amendments to the Privacy Act. It has also published a companion guide. The Exposure Draft is one of four parts of the first stage response to the ALRC’s report. The new principles were referred to the Senate Finance and Public Administration Committee for consultation. The reporting date was 21 September 2010. The ALRC made a submission.
The new set of principles will replace the two existing sets of principles (one for government agencies and one for private sector organisations) governing dealings with personal information.
Health-specific reforms to the Privacy Principles
Apart from the general recommendations made to promote national consistency, the ALRC recommended that the UPPs should be supplemented by a power to make regulations to impose different or more specific requirements on agencies and organisations—such as in the area of health information. The ALRC recommended that new Privacy (Health Information) Regulations be drafted, containing those requirements that are different from, or more specific than, those provided for in the model UPPs (Recommendation 5–1). Further, an intergovernmental agreement should be developed to ensure that the privacy regulation of health information (including relevant definitions) is harmonised across all Australian jurisdictions.[38]
The ALRC recommended that those elements of the privacy principles that deal specifically with the handling of health information should be set out in new health specific privacy regulations. This was rejected in the Government response. However, the Government supported in principle the need for greater clarity and consistency across the field. So while not accepting the recommendation for the regulations, the ideas were in the main accepted for inclusion in the primary legislation, ‘to ensure that Parliament has an express role in determining whether changes are made to fundamental privacy protections’. It was thought that this approach ‘would reduce any complexity and confusion that could result from having multi-layered regulation of privacy’—as the ALRC recommendation might entail.
The Government response with respect to Recommendation 5–1 had a consequential impact on Recommendation 60–1, concerning health privacy. The ALRC recommended that there should be Privacy (Health Information) Regulations, supplementing an amended Privacy Act. The proposal was that these regulations should be drafted to contain only those requirements that are different from, or more specific than, those provided for in the model UPPs.
Given the Government’s response to Recommendation 5–1, the Government did not accept this recommendation, although the overall idea was accepted:
Where an ALRC recommendation refers to the Privacy (Health Information) Regulations and the Government accepts the recommendation’s intent, the Government will implement that recommendation in the primary legislation (the Privacy Act) unless otherwise stated.
The Government did accept in principle that the Office of the Privacy Commissioner should have a key role in developing and publishing guidelines on the handling of health information, in consultation with relevant stakeholders.[39]
The Government encourages the development and publication of appropriate guidance by the Office of the Privacy Commissioner, noting that the decision to provide guidance is a matter for the Privacy Commissioner. …[S]uch guidance would be on the application of the Privacy Act and Privacy Principles to health information, rather than on the health privacy regulations (as proposed by the ALRC).[40]
Chapter 63 included detailed consideration of the various matters to be covered, and these are picked up in principle through agreement to amend the principles in the Privacy Act. In particular, amendments are considered in relation to the ‘Collection’ principle, the ‘Use and Disclosure’ principle and the ‘Access and Correction’ principle.
Collection
NPP 10.1 provides that an organisation must not collect sensitive information without consent. In October 2002 the Privacy Commissioner made two public interest determinations (PIDs) in relation to health service providers, covering, among other things, when health service providers could collect information about third parties without those third parties’ consent. In addition, National Health Privacy Principle 1 (NHPP 1) of the draft National Health Privacy Code covers similar territory in relation to the collection of a family medical history.
The ALRC proposed amendments to give effect to such principles on the basis that the collection of health information about family members and others is routine practice and essential to provide appropriate health care to individuals.
The Government agreed that amendment was needed so that the Privacy Commissioner did not need to continue to make PIDs: ‘Given the likelihood that there will remain a strong public interest in such collections being permitted, it is appropriate that a permanent authority be established for this practice’. What the ALRC had proposed for the regulations will instead be picked up in the Act, namely that:
A health service may collect health information from an individual, or a person responsible for the individual, about third parties, when:
(a) the collection of the third party’s information is necessary to enable the health service provider to provide a health service directly to the individual; and
(b) the third party’s information is relevant to the family, social or medical history of that individual.[41]
A further recommendation was accepted, that an agency or organisation that is a health service provider may collect health information about an individual if the information is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose.[42]
The kinds of situations in mind were where the sharing of information among a team of health service providers treating the individual is done on the basis of express or implied consent. The recommended provision was not unlimited, as it is restricted to the collection of health information in the health services context and is linked to the reasonable expectations of the individual. As explained in the report, the provision ‘is intended to ensure that health service providers are confident to collect information where necessary to provide a health service to the individual, in circumstances in which the individual would expect them to do so’.[43]
Use and disclosure principle
The problem at the moment is uncertainty about the extent of obligations under the Privacy Act. IPPs 10 and 11 and NPP 2 regulate the use and disclosure of personal information. IPP 10 applies to health information and provides that information may be used for the purpose it was collected or a directly related purpose. Beyond such purposes, consent is required. NPP 2 allows use or disclosure for the primary purpose of collection or a secondary purpose which is directly related to the primary purpose and the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose. There are exceptions including, for example, where the organisation reasonably believes that use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.
Access and correction principle
Health consumers do not have a right under general law principles to have access to their medical records.[44] Hence health consumers must rely on legislation, including IPP 6 of the Privacy Act, to give them a right of access to the health information held in medical records. Other rights of access and correction, together with grounds on which access may be refused, are contained in the Freedom of Information Act 1982 (Cth). In the course of the OPC review, it was noted that access disputes can cause a breakdown in the therapeutic relationship.[45]
In this Inquiry, the ALRC wanted to know whether the refusal of access provision was appropriate. Potential damage to the therapeutic relationship was not considered a solid basis on which to refuse access. The recommended approach was based on responding within a reasonable time and providing access to the information unless:
- in the case of an agency, the agency is required or authorised to refuse by law (eg under the FOI Act)
- in the case of an organisation, providing access would be reasonably likely to pose a serious threat to the life or health of any individual.[46]
The ALRC also considered the matter of refusal of access and who should adjudicate disputes. Complaints to the Privacy Commissioner are provided for in s 36. The FOI Act includes a procedure for refusing a request for access to health information and for providing the information instead to a nominee. The ALRC proposed that the ‘Access and Correction’ principle should contain stronger provisions on the use of intermediaries than the existing NPP 6.3.
The Government agreed with the gist of this recommendation, and that it be included in the Privacy Act. The nominated health service provider should be ‘suitably qualified and appropriate’; this was intended to avoid conflicts of interest where an intermediary is qualified but not appropriate. The Government noted that the ALRC’s recommendations reflected the differing terminology of the Privacy Act and the FOI Act, and indicated that ‘where practicable and appropriate the Government will emphasise ongoing consistency of phrasing’ in the two Acts.
Data security principle
The ALRC considered the complications with respect to data security when a health service is sold, transferred or closed. The ALRC proposed that in such circumstances a number of steps should follow, including making individual users of the health service aware and informing them about proposed arrangements for the transfer or storage of their information. The ALRC made a recommendation based on existing precedents using a ‘reasonable steps’ test.[47]
The ALRC also considered what happens when a health consumer changes health service provider, noting the difficulties that can arise in relation to the transfer of health information from one provider to another. The ALRC considered that health consumers should have the right to have their health information transferred in these circumstances in a manner that ensures continuity of care.[48] Consequently, the ALRC recommended that an agency or organisation must respond within a reasonable time to a request to transfer the information.
The Government considers that these obligations should also apply to health services where a partnership dissolves, or a practice otherwise de-merges or disaggregates, and that this recommendation would be implemented in the Privacy Act.[49] With respect to the moving of a health consumer, the Government accepted the recommendation.
5 Electronic health information systems
The Inquiry coincided with a number of major initiatives to develop electronic record-keeping schemes for doctors and hospitals, aimed at providing better quality and safer health care, including the creation of a national shared electronic health information system in which a summary of personal information is stored on a central database that can be accessed by a range of health service providers. For example, under such a scheme, where an individual normally resident in Victoria falls seriously ill or is involved in an accident in New South Wales and is unable to communicate, local health authorities would be able to determine quickly whether the person suffered from any chronic medical conditions or allergies, and what medicines he or she had been prescribed.
Although there was widespread recognition of the obvious benefits of such a scheme, concerns were expressed about the architecture, security and privacy safeguards built into the system. In Chapter 61 of For Your Information, the ALRC made a number of recommendations about the structure of any prospective unique health identifier scheme (‘UHI scheme’). The chief ALRC recommendation was that any UHI scheme be established under specific enabling legislation, for the sake of clarity and appropriate public scrutiny. Recommendation 61–1 further advised that such enabling legislation should address, among other things:
(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;
(b) the eligibility criteria, rights and obligations for participation in the scheme by health consumers and health service providers, including consent requirements;
(c) permitted and prohibited uses and linkages of personal information held in the systems;
(d) permitted and prohibited uses of UHIs and sanctions for misuse; and
(e) safeguards in relation to the use of UHIs, including the provision that a UHI is not necessary in order to access healthcare.
Government response
The Government accepted Rec 61–1 in principle. The Australian Health Ministers agreed in March 2009 that all Australian residents would be allocated an Individual Healthcare Identifier (IHI). A key commitment of the ministers is ‘to continuing consultations on privacy protections that will be necessary to underpin this important health initiative’.
The Government agrees with the necessity of privacy protections for any national Unique Healthcare Identifiers (UHIs) or national Shared Electronic Health Records (SEHR) scheme. The substance of these protections and details of matters to be addressed in legislation, such as those matters outlined by the ALRC … should be subject to specific future consultation as any UHI or SEHR scheme goes forward.[50]
The UHI scheme
The Government introduced the Healthcare Identifiers Act 2010 (Cth), the express purpose of which, as set out in s 3, is ‘to provide a way of ensuring that an entity that provides, or an individual who receives, healthcare is correctly matched to health information that is created when healthcare is provided’, to be achieved ‘by assigning a unique identifying number to each healthcare provider and healthcare recipient’. The Act commenced on 29 June 2010.
How does the Act follow ALRC recommendations?
The Act nominates the Chief Executive Officer of Medicare Australia as the ‘service operator’ of the scheme: s 5 (definition of ‘service operator’). Under s 9(2), ‘national registration authorities’ are empowered to issue UHIs to healthcare providers. Regulation 4 of the Healthcare Identifiers Regulations 2010 prescribes as national registration authorities the National Health Practitioner Boards and the Australian Health Practitioner Regulation Agency, which are established under the ‘Health Practitioner Regulation National Law’, annexed as a schedule to the Health Practitioner Regulation National Law Act 2009 (Qld) and adopted as law by the states and territories.
The eligibility of healthcare recipients to be issued a UHI is self-explanatory: s 5 (definition of ‘healthcare recipient’) of the Act. Sections 9 and 9A outline the eligibility of individual healthcare providers and healthcare organisations to be issued a UHI. Sections 7 and 9B and reg 5 set out what information must be given before a UHI is issued by the service operator.
Importantly, s 9(4) expressly states that consent of the healthcare recipient is not required for a UHI to be assigned.
Use and linkages of personal information held under the scheme
Part 3 Div 1 of the Act states the permitted and prohibited uses and linkages of personal information (styled ‘identifying information’) held under the UHI scheme:
- healthcare providers are allowed to disclose identifying information to the service operator for the purpose of issuing a UHI;
- Medicare and the Defence and Veterans departments are allowed to disclose identifying information to the service operator for the purpose of issuing a UHI;
- national registration authorities are allowed to disclose UHIs and related information to the service operator for the purpose of maintaining the service operator’s record, as mandated by s 10 of the Act.
Section 15 provides for sanctions for breaches of this aspect of the Act.
Uses and linkages of UHIs and sanctions for misuse
Disclosure of UHIs by service operator is provided for in Part 3 Div 2(B). The service operator may disclose a UHI to:
- a participating healthcare provider (and its authorised employees and contractors) for ‘the purpose of communicating or managing health information, as part of the provision of healthcare to a healthcare recipient … or for certain other purposes’: s 17;
- a healthcare recipient or person responsible for them—the service operator is obliged to provide the UHI and any related information and information held on the operator’s record on the request of the healthcare recipient: s 18;
- a registration authority—the service operator may disclose a healthcare provider’s UHI to a registration authority for the purpose of registering that provider: s 19;
- an ‘entity’, defined in s 5 as including a person, partnership, unincorporated association or body, trust or part of another entity. The service operator may disclose a healthcare provider’s UHI to the entity in order to authenticate the provider’s identity in electronic transmissions: s 20.
Disclosure of UHIs by healthcare providers is provided for in Part 3 Div 3. A healthcare provider may disclose a UHI to:
- the relevant healthcare recipient or the person responsible for them: s 23;
- an entity (see above). The healthcare provider may disclose a UHI to an entity for the purpose of communicating or managing health information as part of the provision of healthcare to the recipient; the management, funding, monitoring or evaluation of healthcare; the provision of indemnity cover for a provider; or the conduct of approved research: s 24(1)(a); or where the provider reasonably believes the disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or a serious threat to public health or public safety: s 24(1)(b).
Sanctions for misuse
If a person uses or discloses a UHI otherwise than in accordance with the Act, an offence is committed. The maximum penalty is two years’ imprisonment or 120 penalty units, or both (600 penalty units for a body corporate): s 26. This is on par with the general approach to secrecy offences.
Safeguards
Although the information provided by Medicare to the public on its website indicates that a UHI is not required to access medical services, there is no provision in the Act to this effect.
Section 27 obliges ‘entities’ to take reasonable steps to protect UHIs in their possession from misuse, loss, unauthorised access, modification or disclosure. The Regulations also provide rules and machinery provisions for the various allowable disclosures, and sanctions for breach of these provisions.
6 Greater facilitation of research
Chapter 65 focused on research. The Privacy Act allows researchers to obtain and use personal information for health or medical research, without the consent of the individuals concerned, where approved by a Human Research Ethics Committee.
The ALRC heard many concerns, however, from researchers in the health and medical field—as well as social scientists, criminologists and others—that an overly cautious approach to the application of the Privacy Act was inhibiting the conduct of research, even where the threat to individual privacy was limited or non-existent and the potential value of the research was very high. For example, epidemiological research can play a very valuable role in planning and promoting public health campaigns and in allocating scarce resources. In such cases, researchers are not concerned with the identity or information of individuals within the sample, but rather are seeking to identify broad trends and patterns in the population.
The ALRC also recognised that there are other forms of research that provide benefits to the community that require access to personal information in situations where it is difficult to obtain consent—such as research on child protection or factors associated with criminal behaviour.
The ALRC recommended that the research exception to the ‘Collection’ and ‘Use and Disclosure’ principles in the model UPPs allow information to be collected, used and disclosed for research purposes—including in areas other than health and medical research—where a number of conditions are met, including approval by a Human Research Ethics Committee.[51]
Government response
The Government agreed that one set of research rules should be issued by the NHMRC in conjunction with other appropriate bodies, such as the ARC and Universities Australia, rather than by the Privacy Commissioner. The Government also agreed that the Privacy Act should permit the collection, use and disclosure of personal information without consent for the purpose of important human research in certain circumstances.
The Government’s response supports two central proposals to facilitate research in the public interest, simplify regulation and protect community expectations of privacy:
- a harmonised set of rules for government and private sector researchers will replace the two sets of binding guidelines on non-consensual handling of personal information; and
- the research provisions will be expanded to allow such handling for any research in the public interest, not just for health and medical research.
Two important parameters of the current regime will also be maintained:
- the public interest in research must ‘substantially outweigh’ the protection of privacy—requiring a clear choice in favour of the research; and
- the National Health & Medical Research Council and the Privacy Commissioner will retain primary responsibility for issuing and approving the research rules.[52]
7 What next
The government indicated that it would respond in two tranches.[53] The first stage response addressed 197 of the recommendations. Most of these (141) were accepted in full or in principle; 34 were accepted ‘with qualification’. Many of these will require amendments to the Privacy Act. The focus of the first stage response is ‘to establish the foundations for an enhanced privacy framework’. Some of this concerns health services and research, as discussed in this paper.
The new set of privacy principles will replace the two existing sets of principles (one for government agencies and one for private organisations) governing dealings with personal information. Further reforms to the Privacy Act will be released for public consultation in stages, including provisions relating to:
- more comprehensive credit reporting to improve individual credit assessments, alongside privacy protections and responsible lending practices;
- the protection of health information, in particular improving health sector information flows; and
- strengthening the Privacy Commissioner’s powers to conduct investigations, resolve complaints and promote compliance with the Privacy Act, and integrating the Privacy Commissioner into the newly created Office of the Australian Information Commissioner.
The ALRC will contribute to discussions on these developments as they arise.
* President, Australian Law Reform Commission; Professor of Law, Macquarie University (on leave for the duration of the appointment at the ALRC). This paper is drawn from the ALRC’s report, For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008). Professor Les McCrimmon was the Commissioner in charge of the inquiry.
[1] International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23 (entered into force on 23 March 1976), art 17. See discussion in Ch 3.
[2] Following amendments made in 2010, the personal privacy exemption provides that a document is ‘conditionally exempt’ if its disclosure would involve the unreasonable disclosure of personal information about any person: Freedom of Information Act 1982 (Cth) s 47F. A person may gain access to his or her own personal information provided ‘by a qualified person acting in his or her capacity as a qualified person’—which includes a medical practitioner, psychiatrist, psychologist, counsellor and a social worker—unless the disclosure ‘might be detrimental to the applicant’s physical or mental health, or well-being’. In the latter case, the document may be given to another qualified person. The Archives Act 1983 (Cth) provides a similar exemption.
[3] Australian Constitution s 51(xxix). See Privacy Act 1988 (Cth) Preamble.
[4] Horta v Commonwealth (1994) 181 CLR 183.
[5] Commonwealth v Tasmania (1983) 158 CLR 1; Polyukhovich v Commonwealth (1991) 172 CLR 501; Horta v Commonwealth (1994) 181 CLR 183.
[6] Koowarta v Bjelke-Petersen (1982) 153 CLR 168.
[7] International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23 (entered into force on 23 March 1976), art 17. See discussion in Ch 3.
[8] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD Guidelines are discussed further in Part D. Section 3 of the Privacy Amendment (Private Sector) Act 2000 (Cth) makes clear that the private sector amendments were also intended to meet Australia’s international obligations, as well as international concerns, relating to privacy.
[9] Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, Council of Europe, CETS No 108 (entered into force on 1 October 1985).
[10] Australian Constitution s 109.
[11] Australian Boot Trade Employees Federation v Whybrow & Co (1910) 10 CLR 266; R v Licensing Court of Brisbane; Ex parte Daniell (1920) 28 CLR 23.
[12] Clyde Engineering Co Ltd v Cowburn (1926) 37 CLR 466. See the discussion in Ch 3 of the Report.
[13] See, eg, Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.21].
[14] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 2.
[15] For further discussion of national consistency in the regulation of health information, see Part H of the Report.
[16] See discussion in Chs 2, 17 of the Report.
[17] See Ch 2.
[18] Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004.
[19] See, eg, Australian Medical Association, Code of Ethics (2004), s 1.1(l). Confidentiality is also discussed in Chs 8, 15 and 16 of the Report.
[20] See, eg, National Health Act 1953 (Cth) s 135A; Health Insurance Act 1973 (Cth) s 130; Health Administration Act 1982 (NSW) s 22; Health Services Act 1988 (Vic) s 141.
[21] M McMahon, ‘Re-thinking Confidentiality’ in I Freckelton and K Petersen (eds), Disputes & Dilemmas in Health Law (2006) 563, 579.
[22] P Finn, ‘Confidentiality and the “Public Interest”’ (1984) 58 Australian Law Journal 497, 502.
[23] See, eg, Public Health Act 1991 (NSW) s 14; Health Act 1958 (Vic) s 138 in relation to notifiable diseases. See also the discussion of professional confidential relationship privilege in Australian Law Reform Commission, New South Wales Law Reform Commission and Victorian Law Reform Commission, Uniform Evidence Law, ALRC 102 (2005), [15.3]–[15.14], [15.31]–[15.44].
[24] Privacy Act 1988 (Cth); Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Personal Information Protection Act 2004 (Tas); Health Records (Privacy and Access) Act 1997 (ACT); Information Act 2002 (NT).
[25] For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008), 2058.
[26] Proposal 57–1.
[27] Response, p 132.
[28] Exemptions from the Privacy Act are considered in Part E of the Report.
[29] Rec 39–1.
[30] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 66–68. The costs of legislative inconsistency and regulatory fragmentation are considered in detail in Ch 14.
[31] See Ch 14 of the Report.
[32] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–1.
[33] Rec 3–1.
[34] For example, the Information Privacy Bill 2007 (WA) proposes to regulate the handling of health information by the private sector in Western Australia. Further, the Information Privacy Act 2000 (Vic) could potentially regulate the handling of personal information by private sector organisations that are declared to be ‘organisations’ for the purposes of the Act: Information Privacy Act 2000 (Vic) s 9.
[35] Rec 3–1.
[36] Rec 3–2.
[37] Rec 5–2.
[38] See Ch 3.
[39] Rec 60–3.
[40] Response 129–130.
[41] Rec 63–1. Response, 133.
[42] Rec 63–2.
[43] For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008), [63.60].
[44] Breen v Williams (1996) 186 CLR 71.
[45] [63.113].
[46] Recs 29–2, 29–3.
[47] Rec 63–7.
[48] [63.170].
[49] Response, 136.
[50] Response, 131.
[51] See Chs 65, 66.
[52] Response, 13.
[53] Add reference.