23.07.2010
7.99 Under the small business exemption, some small business operators are excluded from the definition of ‘organisation’ and are therefore entirely exempt from the operation of the Privacy Act.[109] Organisations cannot qualify for this exemption if, for example, they:
- provide a health service to another individual and hold any health information except in an employee record; or
- disclose personal information about another individual to anyone else for a benefit, service or advantage; or
- provide a benefit, service or advantage to collect personal information about another individual from anyone else.
7.100 Dr Tim Smyth has observed:
While health service providers who hold health information are subject to the Act, irrespective of their turnover, a small business that is not a health service provider can remain exempt from the Act even though it might hold health information. A business that simply stores genetic samples or acts as a data repository, providing no health service, may not be subject to the Commonwealth Act.[111]
7.101 It has also been suggested that research undertaken by a genomics company may fall outside the definition of a health service[112] although such an organisation might still be caught by the provisions relating to collecting or disclosing personal information for a benefit, service or advantage.[113]
7.102 In DP 66, the Inquiry noted that the acts and practices of small business operators that hold genetic information pose a potential risk to the privacy of both the individual concerned and his or her genetic relatives. The Inquiry expressed the view that small business operators that hold genetic information should be subject to the provisions of the Privacy Act, whether or not they provide a health service.[114]
7.103 This proposal was generally supported by submissions,[115] although the Commonwealth Attorney-General’s Department questioned whether, in practice, there would be any genetic information held by small businesses that is not governed by the Privacy Act.[116]The Commonwealth Department of Health and Ageing agreed that small business operators holding genetic information should be subject to the Privacy Act and noted that this would be consistent with the AHMAC Draft National Health Privacy Code, which does not exempt small business operators.[117]
7.104 The Inquiry has concluded that there is sufficient doubt about the coverage of Privacy Act to justify amending the Act to make it clear that all small business operators that hold genetic information[118] are subject to its provisions.
Recommendation 7–7 The Commonwealth should amend the Privacy Act to ensure that all small business operators that hold genetic information are subject to the provisions of the Act. (See also Recommendation 8–2 in relation to genetic samples.)
[109] In summary, to qualify for the small business operator exemption, an entity (i) must have an annual turnover of $3 million or less; (ii) cannot be related to a business with an annual turnover of greater than $3 million; (iii) must not provide a health service and hold health records; (iv) must not disclose personal information about an individual for a benefit, service or advantage; (v) must not provide a benefit, service or advantage to collect personal information; (vi) cannot be a contracted service provider for a Commonwealth contract (even if the entity is not a party to the contract). See Privacy Act 1988 (Cth) s 6C–6E.
[110] See Ibid s 6D(4)(b)–(d).
[111] T Smyth, ‘Protecting Human Genetic Information and Its Use’ (2002) 10(6) Health Law Bulletin 64, 66.
[112] Centre for Law and Genetics, Submission G048, 14 January 2002.
[113] These provisions of the Privacy Act commenced on 21 December 2002.
[114] Australian Law Reform Commission and Australian Health Ethics Committee, Protection of Human Genetic Information, DP 66 (2002), ALRC, Sydney [7.126].
[115] Cancer Council Victoria Cancer Genetics Advisory Committee, Submission G195, 27 November 2002; Haemophilia Foundation Victoria, Submission G201, 25 November 2002; Office of the Victorian Privacy Commissioner, Submission G266, 20 December 2002; Human Genetics Society of Australasia, Submission G267, 20 December 2002; Department of Health Western Australia, Submission G271, 23 December 2002; Australian Biospecimen Network, Submission G238, 19 December 2002; Association of Genetic Support of Australasia, Submission G284, 25 December 2002; Centre for Law and Genetics, Submission G048, 14 January 2002; Office of the Privacy Commissioner (NSW), Submission G257, 20 December 2002; Department of Human Services South Australia, Submission G288, 23 December 2002; Commonwealth Department of Health and Ageing, Submission G313, 6 February 2003. The OFPC submitted that, insofar as they apply to all forms of health information, the exemptions from coverage under the Act presently afforded to employee records and to small business operators should be repealed. However, the OFPC expressed concern that limiting the reform to ‘genetic information’ would introduce ‘unnecessary complexity into the regulatory framework applying to small businesses’: Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002; Office of the Federal Privacy Commissioner, Submission G294, 6 January 2003; Androgen Insensitivity Syndrome Support Group Australia, Submission G290, 5 January 2003; Australian Privacy Charter Council, Submission G304, 21 January 2003; Office of the Health Services Commissioner Victoria, Submission G307, 17 January 2003. See also Ch 34.
[116] That is, given the effect of Privacy Act 1988 (Cth) s 6D(4)(b)–(d): Commonwealth Attorney-General’s Department, Submission G228, 12 December 2002.
[117] Commonwealth Department of Health and Ageing, Submission G313, 6 February 2003.
[118] Or bodily samples from individuals whose identity is apparent or reasonably can be ascertained from the sample. See Ch 8.