Collection of family medical history

28.49 As discussed in Chapter 25, insurance companies routinely collect family medical history information and use it in underwriting. The collection and use is based on the long recognised fact that certain diseases have a hereditary component, and that information about the medical history of family members is relevant in assessing the applicant’s risk. IFSA’s current Genetic Testing Policy does not address the issue of family medical history in underwriting—it is solely focused on genetic test results, which are narrowly defined.[36]

28.50 The collection and use of family medical history raises two distinct privacy issues. The first is whether it is permissible to use personal information that the insurer has already collected about an insured, X, in assessing the insurance application of a genetic relative, Y. This conduct would be in breach of the NPPs and the Inquiry has been informed that insurers do not engage in this practice. IFSA’s Genetic Testing Policy, quoted above, provides that the results of a genetic test on X will not be used in the assessment of insurance applications from his or her relatives (ie Y).

28.51 The second issue is whether it is permissible for insurers, in assessing an insurance application from X, to collect personal information from X about X’s genetic relatives (Y, Z and so on), without the knowledge or consent of those relatives. There are grounds for thinking that this widespread practice may not be consistent with NPP 1.5 and NPP 10.

28.52 Similar issues have already been addressed by the OFPC in the context of the provision of health services (see Chapter 21). Medical practitioners regularly take a medical history from patients, which may include the collection of personal information about genetic relatives of the patient. In its submission to the Inquiry, the OFPC identified some of the problems that arise in the application of the NPPs to this common situation:

Problems may arise, however, in circumstances where, in the course of a diagnosis, treatment or care of an individual, an organisation collects a medical history from an individual which also reveals health information about a genetic relative. NPP1.5 would require the organisation to inform the relative of the matters contained in NPP1.3, relating to the circumstances of the collection. NPP10 would also require the organisation to obtain the relative’s consent to the collection of the health information about them, except in certain defined situations such as where the collection is required by law.[37]

28.53 As noted in Chapter 21, this position was remedied in relation to health service providers by a Temporary Public Interest Determination (the Temporary PID), issued by the federal Privacy Commissioner on 21 December 2001,[38] and by final Public Interest Determinations (PIDs) 9 and 9A issued on 15 October 2002.[39] The OFPC made the following comments in relation to the Temporary PID:

Since the collection of health information about relatives from an individual forms an integral part of a wide range of health services, the continuation of this practice by providers would have been in breach of NPP1 and NPP10. In order not to unduly impede the provision of health services, a Temporary Public Interest Determination under Section 80B(3) now allows the taking of family histories by health service providers without being in breach of the NPPs (OFPC, 2001e). This would include the collection by an organisation from an individual of genetic information about the individual’s relative.[40]

28.54 Unlike the Temporary PID, the final PIDs do not exempt organisations from their obligations to adhere to NPP 1.5. Organisations remain obliged to take reasonable steps to ensure third parties are informed about the collection of information. However, it may not be necessary to take such steps where the third party is already aware of the relevant matters, where there are no steps that are reasonable in the circumstances or steps could be taken but it is unreasonable to do so.[41]

Submissions and consultations

28.55 In DP 66 the Inquiry proposed that insurers should seek a PID under the Privacy Act in relation to the practice of collecting family medical history from applicants for use in underwriting insurance. The Inquiry had formed the preliminary view that this practice may not be consistent with NPP 1 and NPP 10.

28.56 In relation to NPP 1, IFSA expressed the view that, given the importance of family medical history information to the accurate assessment of an individual’s health, it would be preferable to amend the Privacy Act to allow the collection of this information rather than requiring the insurance industry to apply for a PID.

28.57 Both IFSA and the Australian Life Underwriters and Claims Association expressed the view that, in the insurance context, the collection of family medical history by insurers was not in breach of NPP 10:

IFSA acknowledges that NPP 10.1 prohibits organisations from collecting sensitive information unless the individual has consented or the collection is required by law. Sensitive information is defined in the Privacy Act to include health information. IFSA is of the view that the family medical history collected from an applicant is materially relevant to an insurer’s decision of whether to accept the risk.

Section 21 of the Insurance Contracts Act imposes a duty on a person seeking insurance to disclose relevant matters to the insurer. Thus IFSA asserts that in terms of NPP 10.1(b), the collection of family medical history is ‘required by law’. Therefore, an insurer by obtaining and requesting medical history about a family member from the prospective insured in accordance with the Insurance Contracts Act, has satisfied NPP 10 Sensitive Information because ‘consent’ is not required from the relevant family member [NPP 10.1(a)] given the collection is ‘required by law’ [NPP 10.1(b)].[42]

28.58 The Institute of Actuaries of Australia expressed support for the proposal in DP 66 but noted that it would be more efficient to extend the scope of the existing PID rather than developing a separate PID in relation to insurance.

28.59 The OFPC noted that PID 9A was expressed in wide terms and that the collection of family medical history information from applicants for insurance may be covered. The PID allows a ‘health service provider’ to collect family medical history information where the information is relevant and necessary to provide the ‘health service’. While insurance would not fall within the ordinary meaning of a health service, the OFPC noted that:

The definition of ‘health service’ in Section 6(1)(a)(i) of the Act refers to ‘an activity performed in relation to an individual that is intended (expressly or otherwise) …by the person performing it…to record …the individual’s health.’ In other words, the activity of recording the information is, in itself, the provision of a health service directly to the individual/consumer.

Inquiry’s views

28.60 In the Inquiry’s view, while it is possible that the terms of PID 9A might technically extend to the collection of family medical history information by insurers, this is far from clear. The Inquiry notes that the Explanatory Front Sheet to PID 9A states:

The types of health services covered include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists, and allied health professionals such as counsellors, as well as complementary therapists, gyms, weight loss clinics and many more.[43]

28.61 The list is inclusive and consistent with the usual meaning of the term ‘health service’. Insurers do not fall within the usual meaning of that term and, in the Inquiry’s opinion, it would be desirable to clarify the position in relation to insurers.

28.62 In considering whether to issue a PID, the Privacy Commissioner is required to consider whether the public interest in allowing, for example, the collection of family medical history information outweighs, to a substantial degree, the public interest in adhering to the NPPs or an approved code. The public interest issues to be considered in relation to the collection of this information by insurers are not the same as those considered in the development of PID 9 and PID 9A, which focused on the health sector, as normally defined. The Inquiry is of the view that it would be appropriate to consider specific issues that arise in the insurance context as part of a separate process involving insurers and other relevant stakeholders. An application for a PID is a public process and would allow further consideration of the issues.

28.63 The Inquiry notes that PID 9 and PID 9A do not exempt the collection of family medical history by health service providers from NPP 1.5. It may be, however, that different issues arise in the insurance context and the Inquiry is of the view that these issues should be raised and considered.

28.64 The Inquiry also notes the argument put forward by IFSA and the Australian Life Underwriters and Claims Association that collection of family medical history information by insurers is ‘required by law’ and is not inconsistent with NPP 10. While an applicant for insurance is required by s 21 of the Insurance Contracts Act to disclose certain information to the insurer prior to entry into a contract of insurance, it is not clear, in the Inquiry’s view, that insurers are ‘required by law’ to collect the information, within the terms of NPP 10. It is possible to argue that, although the disclosure by an applicant is required by law, there is no requirement that the information be collected by the insurer, nor that collection be without the consent of the genetic relatives to whom the information relates. NPP 10 is intended to provide special protection for the privacy of sensitive personal information. It is likely, therefore, that the exceptions to NPP 10 will be given a strict interpretation by the courts.

28.65 The term ‘family medical history’ in this context may include genetic test results of tests undertaken by the genetic relatives of the applicant. For this reason, the recommendation below refers to ‘genetic information’ about the applicant’s genetic relatives. This is intended to include test results from family members as well as other forms of family medical history information.

28.66 The Inquiry is of the view that it would be desirable to clarify the relationship between provisions of the Insurance Contracts Act and the requirements of the Privacy Act. The PID process would provide an opportunity to have these issues considered and would provide certainty for applicants and insurers in relation to the collection of family medical history information.

Recommendation 28–3 Insurers should seek a Public Interest Determination under the Privacy Act 1988 (Cth) in relation to the practice of collecting genetic information from applicants about their genetic relatives for use in underwriting insurance policies in relation to those applicants.

[36] Investment and Financial Services Association, IFSA Standard 11.00 ‘Genetic Testing Policy’ (2002), IFSA [9.1]. See further Ch 10.

[37] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002.

[38] The date the NPPs came into force under the Privacy Amendment (Private Sector) Act 2000 (Cth).

[39] Privacy Commissioner Public Interest Determination No. 9 2002 (Cth); Privacy Commissioner Public Interest Determination No. 9A 2002 (Cth). A Public Interest Determination (PID) may be issued by the Privacy Commissioner, on the application of an interested person, where an act or practice may breach the NPPs but the public interest in doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to NPPs. See Privacy Act 1988 (Cth) Pt VI. PID 9A gives PID 9 a general application to all health service providers.

[40] Office of the Federal Privacy Commissioner, Submission G143, 22 March 2002. For further information on the PID process and, in particular, the PID in relation to the collection by health service providers of social and medical history information for the diagnosis, treatment or care of an individual, see Office of the Federal Privacy Commissioner, The Australian Privacy Commissioner’s Website, <www.privacy.gov.au>, 19 February 2003.

[41] For a detailed discussion see Ch 21.

[42] Investment and Financial Services Association, Submission G244, 19 December 2002.

[43] Privacy Commissioner Public Interest Determination No. 9A 2002 (Cth).