Harmonisation of health privacy law

7.39 While the Privacy Act creates a framework for national regulation of health information in the private sector, as well as protecting privacy in the Commonwealth public sector, there is no comprehensive framework for consistent national regulation of health information across public and private sectors, state and federal. Instead, regulation of information and health privacy is provided by complex, fragmented and overlapping federal, state and territory legislation. Health information is subject to different protection depending on whether it is held by a Commonwealth agency, state or territory agency or private sector organisation.

7.40 The situation is complicated by the fact that many different organisations may be responsible for delivery of health services to any one individual. Therefore, different legal regimes and privacy protection, with different privacy standards, may apply to different parts of the health information relating to a single individual.

7.41 Problems that arise from the lack of uniformity are discussed in specific contexts elsewhere in this Report[35] and were highlighted in submissions.[36] For example, the Centre for Law and Genetics noted that:

The privacy legislation within the various States and Territories is incomplete and lacking in uniformity. In Tasmania, for example, there is no privacy legislation. Where privacy legislation does exist, it is not necessarily compatible with either the public sector or private sector provisions in the federal Act.[37]

7.42 The Commonwealth Attorney-General’s Department observed that, as with most other areas of regulation, practical difficulties arise when organisations are required to comply with a number of related but conflicting laws:

It leads to greater expense when they have to seek professional advice regarding their legal obligations and implement different procedures for compliance. Where relevant it can also lead to forum shopping by consumers in relation to complaint-handling. This is an unsatisfactory situation and should be avoided by having national standards where possible.[38]

7.43 Particular complexity arises where States and Territories have health privacy legislation purporting to cover the private sector, as is the case in New South Wales, Victoria and the ACT.[39] Various aspects of this state and territory legislation may be inconsistent with the Privacy Act and may create confusion and uncertainty for those organisations and individuals needing to comply with both sets of regulation.[40]

7.44 For example, the NPPs in the federal Privacy Act permit personal information to be used or disclosed ‘where the use or disclosure is required or authorised by or under law’.[41] This provision would appear to allow disclosure permitted under state laws. State legislation, therefore, may effectively extend the circumstances under which the disclosure of health information is otherwise permitted by the NPPs.[42] On the other hand, disclosure permitted under the NPPs but not under state law may nevertheless be lawful under s 109 of the Constitution, which gives paramount operation to federal law where it is inconsistent with state law.[43]

7.45 Differing submissions were made to the Inquiry regarding the relationship between federal privacy laws on the one hand, and state and territory privacy laws on the other. The Privacy Act provides that it is not to affect the operation of a law of a State or Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information capable of operating concurrently with the Act.[44]

7.46 The Commonwealth Attorney-General’s Department stated that this provision is not intended to enable state and territory law to regulate the same types of personal information and organisations that are regulated by the Privacy Act.[45] In contrast, Privacy NSW submitted that the States should be free to ‘enhance the Commonwealth’s minimum standards in state legislation that provides for more stringent genetic privacy protection’. It was said that this might require a savings clause in the Privacy Act similar to those in other federal human rights legislation.[46]

7.47 The proposition that there should be uniformity or greater harmonisation of federal, state and territory laws concerning the privacy protection of human genetic information met with widespread approval.[47] Privacy NSW summarised the desirability of a uniform approach in the following terms:

A uniform approach to genetic information privacy is essential to ensure that all persons have equal protection regardless of where they live and who handles their genetic information. Widely differing standards of protection not only undermine human rights, they also undermine public confidence in the way that institutions handle their personal information, especially in an increasingly networked information environment. Lack of uniformity can also add to confusion for those responsible for handling personal information, as well as obstruct cross-border flows of information.[48]

7.48 The Commonwealth Attorney-General’s Department stated that:

The Commonwealth is concerned about the difficulties caused by the existence of different health information privacy laws across Australia. It is in the interests of both consumers and health service providers that clear and consistent health information privacy laws apply across Australia. The Commonwealth will discuss this issue with State and Territory Governments in the context of the development of the National Health Privacy Code and its implementation.[49]

7.49 The means by which uniformity or greater harmonisation of health privacy law, as it applies to genetic information, should be pursued is problematic. Possible approaches to harmonisation include the development of a National Health Privacy Code, new federal, state and territory health privacy legislation, or the development of a regulatory framework specifically for genetic information.

A National Health Privacy Code

7.50 The Australian Health Ministers’ Advisory Council (AHMAC) has formed a joint Commonwealth, State and Territory National Health Privacy Working Group to work towards the establishment of a nationally consistent regime for the protection of health information in both the public and private sectors.

7.51 The first step in this process is the development of a National Health Privacy Code, a draft of which was circulated for public comment in December 2002.[50] The Consultation Paper[51] on the Code highlights the need for uniform rules regarding the handling of health information and the fact that this need has become ‘even more pressing with the emerging developments in the management of electronic health records’.[52]

7.52 The Code is intended to comprise a nationally integrated framework for the protection of personal health information. The framework aims to:

  • achieve national consistency between the public and private sectors;
  • safeguard the privacy and dignity of all individuals (whether they are health care consumers or health care providers); and
  • take into account initiatives proposed under the national health information network, HealthConnect.

7.53 The mechanism for implementing the Code is still under consideration and will be discussed by the AHMAC Working Group in more detail once the content of the Code has been agreed.[54]

7.54 One option is for the National Health Privacy Code to operate as a code under Part IIIAA of the Privacy Act.[55] Part IIIAA provides for a process by which organisations may agree to be bound by a privacy code approved by the Privacy Commissioner,[56] which includes levels of privacy protection at least equivalent to the NPPs.[57] For the purposes of the Privacy Act, the term ‘organisation’ covers only private sector organisations. However, on the request of the government of a State or Territory, regulations may prescribe an instrumentality of a State or Territory as an organisation for the purposes of the Act.[58] This provides a mechanism by which the operation of an approved code might be extended to state and territory public sector health service providers.

7.55 The AHMAC process is the first attempt to develop a comprehensive approach to harmonisation of health privacy law. In DP 66, the Inquiry stated that it was unlikely that the AHMAC process would lead to uniformity or greater harmonisation of health privacy law in the short term.[59] From one perspective, recently enacted state and territory health privacy legislation might be seen as running counter to the proposal to develop a National Health Privacy Code to provide consistency across all jurisdictions.[60] However, implementation of these new state and territory laws could equally be seen as recognition of the need for a consistent national health privacy regime.[61]

Federal health privacy legislation

7.56 Other means of pursuing uniformity or greater harmonisation of health privacy law might include enacting new federal health privacy legislation to regulate the handling of health information in both the Commonwealth public sector and private sector,[62] and to serve as a model for similar state and territory legislation.

7.57 Differing views have been expressed about whether federal health privacy legislation is desirable. The OFPC opposed the idea and submitted that:

[a]dditional legislation of that nature will create problems of compatibility with the existing privacy framework. It would prejudice attempts to realise a consistent national standard for the protection of health information privacy. The introduction of a separate scheme to protect health information privacy, or even genetic information privacy, intended to co-exist with existing forms of regulation, would be likely to encourage forum-shopping or ‘regulatory arbitrage’. In the interests of achieving a single uniform scheme of privacy regulation for health information, it would be preferable to concentrate on improving existing legislation within the current regulatory framework. Any special legislative protections for health information generally or genetic information in particular should be effected within this framework.[63]

7.58 Other submissions suggested that there should be federal health privacy legislation, separate from the Privacy Act.[64] For example, the Centre for Law and Genetics considered that deficiencies identified in the privacy protection of genetic information should be addressed through new health privacy legislation:

Within the framework of privacy legislation specific to health, provisions could be included giving special recognition to the protection of genetic information to address perceived deficiencies in this area, as indeed could be done for other areas of health where there may be a need for particular protection. After all, genetic information is clearly health information and is best dealt with within this context, with the addition of specific provisions as appropriate. This would ensure a coherent approach is taken to the issue, in a manner consistent within a general health privacy framework.[65]

7.59 While the House of Representatives Standing Committee on Legal and Constitutional Affairs ultimately recommended that health information be included in the Privacy Amendment (Private Sector) Bill 2000 (Cth),[66] the Centre for Law and Genetics observed that

the only reason that the committee ultimately decided to recommend that health information should remain part of the Bill, was because it thought it unlikely that a consensus could be achieved in the near future that would lead to the development of a separate legislative or regulatory code governing health services. Its recommendations were, instead, directed towards achieving such reforms in the future and therefore retaining the legislation’s coverage of health information, at least on an interim basis, to ensure an acceptable level of privacy and access rights throughout Australia.[67]

7.60 Other submissions suggested that existing privacy legislation is adequate to protect human genetic information[68] or that the reform priority should be on selective changes to the existing regulatory framework.[69] For example, Privacy NSW favoured an approach that

identifies the weaknesses in the way existing privacy rules are expressed and which expands their scope to make them more responsive to the challenge proposed by genetic privacy issues.[70]

Genetic privacy legislation

7.61 A third approach to harmonisation would involve the development of a regulatory framework specifically for genetic information. At the federal level, such an approach was taken in the Genetic Privacy and Non-discrimination Bill 1998 (Cth), introduced by Democrats Senator Natasha Stott Despoja.[71] The Bill, which was last debated on 5 October 2000 in the Senate, was restored to the Notice Paper for the Senate on 14 May 2002. The Bill addresses genetic information and deals with information privacy, consent and genetic discrimination.[72]

7.62 There was little support in consultations or submissions to this Inquiry for new legislation dealing specifically with genetic privacy. Most submissions that considered the issue opposed such an approach.[73] However, the Department of Human Services South Australia submitted that:

Given the past difficulties in establishing uniform privacy legislation, it may be more efficient and effective to develop specific legislation dealing with genetic information. This legislation could also establish the HGCA and provide for a separate entity to license and regulate genetic testing laboratories. Recent precedents of positive uniform national legislation include food regulation and genetically modified organisms. This would also ensure that current “gaps” arising from the limited application of the Commonwealth Privacy Act (non-coverage of “employee records” and exempt small businesses etc) and the differences in the various states’ legislation could be filled without the need to amend ad hoc pieces of existing legislation.[74]

Inquiry’s views

7.63 Given the plethora of existing regulation relating to the privacy protection of genetic information, it seems more appropriate to amend existing legislation to ensure that issues of genetic privacy are adequately covered rather than to add another layer of complexity by enacting genetic privacy legislation.

7.64 In particular, there would be considerable practical difficulty in defining the respective coverage of genetic privacy legislation and other information and health privacy legislation. Genetic information already forms part of ordinary clinical health information. It can be expected that genetic information will become increasingly important in the prevention, diagnosis and treatment of disease. As this occurs it will become increasingly difficult, if not meaningless, to distinguish between genetic information and other health information located, for example, in medical records held by health service providers.[75]

7.65 While genetic information has some special characteristics that distinguish it from most other forms of personal information,[76] the Inquiry has concluded that genetic privacy issues and reform options are often similar to those applicable to information privacy generally and, in particular, to the privacy of medical records and other health information.

7.66 The Terms of Reference ask the Inquiry, in reporting on the regulatory framework required to protect the privacy of human genetic samples and information, to have regard to existing or proposed Commonwealth legislation and legislation in other jurisdictions.

7.67 Deficiencies in the existing regulatory framework for information and health privacy are a focus of the Inquiry only to the extent that they concern the protection of genetic samples and information specifically. The Terms of Reference do not anticipate that the Inquiry will review the adequacy of health information privacy laws more generally. Nor do they demand that the Inquiry reach a concluded view about whether privacy protection is best provided within the framework of the Privacy Act or in new information or health privacy legislation.

7.68 Consultations and submissions have emphasised the importance of greater harmonisation in information and health privacy law, both within the federal sphere and between federal, state and territory laws. For example, the New South Wales Health Department observed that

due to the shared nature of genetic information, the current situation creates differing management of privacy issues for family members residing in different states or accessing services in the public or private sector.[77]

7.69 Effective protection of genetic information requires that efforts continue to be made to achieve a harmonised approach. While the Inquiry expresses no view on the exact mechanism by which such harmonisation should be pursued, it considers that Commonwealth, state and territory governments should give priority to this policy aim. In this context, the AHMAC process is an obvious starting point for harmonisation initiatives.

Recommendation 7–1 As a matter of high priority, the Commonwealth, States and Territories should pursue the harmonisation of information and health privacy legislation as it relates to human genetic information. This would be achieved most effectively by developing nationally consistent rules for handling all health information. (See also Recommendation 8–1 in relation to genetic samples.)

Recommendation 7–2 States and Territories and privacy regulators should consider harmonising their privacy regimes, as applicable, in a manner consistent with the Recommendations in this Report. (See also Recommendations 7–4 to 7–7, 8–1 to 8–4, 21–1 to 21–3, and 22–1.)

Recommendation 7–3 The Commonwealth, States and Territories should take into account the Recommendations in this Report in developing the proposed National Health Privacy Code. (See also Recommendations 7–4 to 7–7, 8–1 to 8–4, 21–1 to 21–3, and 22–1.)

[35] See eg in relation to the coverage of genetic samples (Ch 8); regulation of human genetic research databases (Ch 18); genetic registers (Ch 22).

[36] Centre for Law and Genetics, Submission G048, 14 January 2002; Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[37] Centre for Law and Genetics, Submission G048, 14 January 2002.

[38] Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[39] Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).

[40] Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[41] Privacy Act 1988 (Cth) NPP 2.1(g).

[42] See R Magnusson and C Clarke, ‘Data Registers in Respiratory Medicine: A Pilot Evaluating Compliance with Privacy Laws and the National Statement on Ethical Conduct in Research Involving Humans’ (2002) 10 Journal of Law and Medicine 69, 73–74.

[43] See Ibid, 74.

[44] Privacy Act 1988 (Cth) s 3.

[45] Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[46] Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002.

[47] See Ibid; Centre for Law and Genetics, Submission G048, 14 January 2002; Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002; Commonwealth Department of Health and Ageing, Submission G150, 15 April 2002; Human Genetics Society of Australasia, Submission G050, 14 January 2002; New South Wales Nurses’ Association, Submission G090, 21 January 2002; Australian Huntington’s Disease Association (NSW), Submission G054, 14 January 2002; Sydney IVF Limited, Submission G062, 14 January 2002; Australian Medical Association, Submission G091, 29 January 2002; Queensland University of Technology, Submission G109, 14 March 2002; Disability Discrimination Legal Service, Submission G146, 28 March 2002; Australian Academy of Science, Submission G097, 21 January 2002; Australian Privacy Charter Council, Submission G120, 18 March 2002; Neurofibromatosis Association of Australia Inc, Submission G121, 18 March 2002; New South Wales Genetics Service Advisory Committee, Submission G094, 25 January 2002; Cancer Council Victoria Cancer Genetics Advisory Committee, Submission G195, 27 November 2002; Children’s Cancer Institute Australia, Submission G221, 29 November 2002; Genetic Support Council WA, Submission G243, 19 December 2002; Anglican Diocese of Sydney, Submission G256, 20 December 2002; J Fleming, Submission G241, 20 December 2002; Office of the Victorian Privacy Commissioner, Submission G266, 20 December 2002; Human Genetics Society of Australasia, Submission G267, 20 December 2002; Department of Health Western Australia, Submission G271, 23 December 2002; Australian Biospecimen Network, Submission G238, 19 December 2002; Centre for Law and Genetics, Submission G255, 21 December 2002; Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003; Australian Privacy Charter Council, Submission G304, 21 January 2003; Office of the Health Services Commissioner Victoria, Submission G307, 17 January 2003; Commonwealth Department of Health and Ageing, Submission G313, 6 February 2003.

[48] Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002.

[49] Commonwealth Attorney-General’s Department, Submission G228, 12 December 2002.

[50] Australian Health Ministers’ Advisory Council National Health Privacy Working Group, Draft National Health Privacy Code (2002), AHMAC, Canberra.

[51] Australian Health Ministers’ Advisory Council National Health Privacy Working Group, National Health Privacy Code (draft) Consultation Paper (2002), AHMAC, Canberra.

[52] Ibid, 9. These developments include the proposed national health information network (HealthConnect) and the Better Medication Management System (BMMS).

[53] Ibid, 11.

[54] Ibid, 15.

[55] Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[56] As at January 2003, two codes had been approved by the Privacy Commissioner: Office of the Federal Privacy Commissioner, Register of Approved Business Codes, Office of the Federal Privacy Commissioner, <www.privacy.gov.au/business/codes/index.html#1>, 29 January 2003.

[57] Privacy Act 1988 (Cth) s 18BB.

[58] Ibid s 6C.

[59] Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, DP 66 (2002), ALRC, Sydney [7.33].

[60] Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002.

[61] Department of Human Services Victoria – Metropolitan Health & Aged Care Services Division, Submission G289, 24 December 2002.

[62] At present, the handling of personal information (including health information) in the Commonwealth public sector is governed by the IPPs and in the private sector by the NPPs.

[63] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002.

[64] Centre for Law and Genetics, Submission G048, 14 January 2002; Centre for Law and Genetics, Submission G255, 21 December 2002; Australian Medical Association, Submission G091, 29 January 2002. The Australian Medical Association suggested that, because the Privacy Act is not health-specific, it does not deal adequately with the privacy of electronic health records or genetic privacy issues.

[65] Centre for Law and Genetics, Submission G048, 14 January 2002.

[66] Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), House of Representatives, Parliament of the Commonwealth of Australia, Canberra, Ch 6–7, rec 14–15.

[67] Centre for Law and Genetics, Submission G048, 14 January 2002.

[68] Life Sciences Network, Submission G129, 19 March 2002.

[69] Human Genetics Society of Australasia, Submission G050, 14 January 2002; Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002; Commonwealth Attorney-General’s Department, Submission G158, 7 May 2002; Law Society of New South Wales, Submission G285, 18 December 2002; Australian Defence Force, Submission G291, 23 December 2002.

[70] Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002.

[71] The Genetic Privacy and Non-discrimination Bill 1998 (Cth) pre-dated the enactment of the Privacy Amendment (Private Sector) Act 2000 (Cth). Senator Stott Despoja noted that there would have been no need for the former to deal with privacy if an effective legislated scheme for privacy protection had already been implemented. Senate Legal and Constitutional Legislation Committee, Provisions of the Genetic Privacy and Non-discrimination Bill 1998, The Parliament of Australia, <www.aph.gov.au/senate/committee/legcon_ctte/genetic/index.htm>, 21 August 2002, additional comments by Senator Natasha Stott Despoja, 34.

[72] See Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, IP 26 (2001), ALRC, Sydney [4.124]–[4.131].

[73] Commonwealth Department of Health and Ageing, Submission G150, 15 April 2002; K Liddell, Submission G141, 23 March 2002; R Magnusson, Submission G039, 10 January 2002; Centre for Law and Genetics, Submission G048, 14 January 2002; N Saunders and P Komesaroff, Submission G084, 9 January 2002; Australian Medical Association, Submission G091, 29 January 2002; Queensland University of Technology, Submission G109, 14 March 2002; Office of the Privacy Commissioner (NSW), Submission G118, 18 March 2002; Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002; Australian Society for Medical Research, Submission G124, 18 March 2002. The NSW Nurses’ Association and the Genetic Support Council Western Australia suggested that specific genetic privacy legislation might be desirable: New South Wales Nurses’ Association, Submission G090, 21 January 2002; Genetic Support Council WA, Submission G112, 13 March 2002; Commonwealth Department of Health and Ageing, Submission G313, 6 February 2003.

[74] Department of Human Services South Australia, Submission G288, 23 December 2002.

[75] R Magnusson, Submission G039, 10 January 2002. Australian Society for Medical Research, Submission G124, 18 March 2002. The Society stated that ‘specific, all-encompassing genetic legislation would provide considerable burden and limited benefits’.

[76] Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, IP 26 (2001), ALRC, Sydney [4.10]–[4.14].

[77] NSW Health Department, Submission G303, 13 January 2003.