National consistency

Issues and problems

Overlapping and inconsistent legislation

60.9 Chapter 2 provides an overview of privacy regulation in Australia. The position is particularly complex in the area of health information for a number of reasons. In general terms, the Privacy Act regulates the handling of health information in the Australian Government and ACT public sectors and in the private sector. A number of the states and territories have passed legislation that regulates the handling of health information in the state or territory public sector and the private sector.[13] The following table provides an overview of the jurisdictional scope of some of the major pieces of health privacy legislation in Australia.

Table 60–1: Privacy Legislation Regulating the Handling of Health Information

Jurisdiction

Public Sector

Private Sector

Commonwealth

Privacy Act 1988 (Cth)

Privacy Act 1988 (Cth)

New South Wales

Health Records and Information Privacy Act 2002 (NSW)

Health Records and Information Privacy Act 2002 (NSW)

Privacy Act 1988 (Cth)

Victoria

Health Records Act 2001 (Vic)

Health Records Act 2001 (Vic)

Privacy Act 1988 (Cth)

Queensland

[See 60.10 below]

Privacy Act 1988 (Cth)

Western Australia

[See 60.12 below]

Privacy Act 1988 (Cth)

[See also 60.12 below]

South Australia

[See 60.11 below]

Privacy Act 1988 (Cth)

Tasmania

Personal Information Protection Act 2004 (Tas)

Privacy Act 1988 (Cth)

ACT

Health Records (Privacy and Access) Act 1997 (ACT)

Privacy Act 1988 (Cth)

Health Records (Privacy and Access) Act 1997 (ACT)

Privacy Act 1988 (Cth)

Northern Territory

Information Act 2002 (NT)

Privacy Act 1988 (Cth)

60.10 Although there is no specific privacy legislation regulating the handling of health information in the public sector in Queensland, Western Australia or South Australia, such information may be protected in other ways. In Queensland, the state government has introduced a privacy policy by administrative, rather than legislative, means. Information Standard 42 on Information Privacy[14] is based on the Information Privacy Principles (IPPs) and Information Standard 42A on Information Privacy for the Queensland Department of Health[15] is based on the National Privacy Principles (NPPs). Both standards are issued under the Financial Management Standard 1997 (Qld).

60.11 The South Australian Government also has introduced a privacy policy by administrative, rather than legislative, means. The PC012—Information Privacy Principles Instruction is based on the IPPs. The Department of Health Code of Fair Information Practice is based on the NPPs.

60.12 In Western Australia, no legislation or formal administrative arrangements are currently in place. The Information Privacy Bill 2007, however, was introduced into the Western Australian Parliament on 28 March 2007. The Bill proposes to regulate the handling of personal information in the state public sector and the handling of health information in the public and private sectors.[16] It contains a set of eight Information Privacy Principles and 10 Health Privacy Principles.

60.13 As indicated in Table 60–1 above, both the federal Privacy Act and state or territory legislation regulate the handling of health information in the private sector in a number of jurisdictions. The New South Wales Health Records and Information Privacy Act and the Victorian Health Records Act contain a set of Health Privacy Principles (HPPs). The ACT Health Records (Privacy and Access) Act contains a set of Privacy Principles. Private sector health service providers in these jurisdictions are therefore required to comply with two sets of principles: the NPPs in the Privacy Act and the relevant set of HPPs or Privacy Principles. While the HPPs in New South Wales and Victoria are based on the NPPs, they are not identical, and in some cases impose different standards. The ACT Privacy Principles are based on the IPPs, but have been modified to apply specifically to health information.[17]

60.14 In addition, the scope of the state and territory legislation may differ from the federal legislation. For example, the Victorian Health Records Act covers small business operators and employee records—unlike the Privacy Act.

60.15 The New South Wales and Victorian HPPs and the ACT Privacy Principles also differ from each other, so that information passing from one jurisdiction to the other may become subject to a different set of rules. This causes particular difficulty for health service providers and researchers operating across jurisdictional borders or nationally.

The public-private sector divide

60.16 Another problem arises in jurisdictions like Tasmania, where health information in the public sector is regulated by the Personal Information Protection Act, while health information in the private sector is regulated by the Privacy Act. The Personal Information Protection Act contains a set of Personal Information Protection Principles (PIPPs) that are not identical to the NPPs.

60.17 In the health services context, individuals regularly move between public and private sector health service providers. For example, an individual may be referred by a private sector general practice for treatment in a public hospital. In some situations the public and private sector providers work side by side, for example, where an individual is treated as a private patient in a public hospital. This means that health information may be subject to two different sets of privacy principles at the same time.

60.18 Similar problems arise because of the distinction in the Privacy Act between public sector agencies and private sector organisations. Agencies are bound by the IPPs; organisations are bound by the NPPs. There are also circumstances in which an organisation or agency may be subject to both the IPPs and the NPPs. For example, an Australian Government contractor may be bound to comply with the NPPs as an organisation, while at the same time being bound by contract to comply with the IPPs in relation to information held pursuant to that contract.[18] These issues, including the need for a single set of principles in the Privacy Act, are considered in detail in Parts C and D of this Report.

The OPC Review

60.19 The review by the Office of the Privacy Commissioner of the private sector provisions of the Privacy Act 1988 (Cth) (the OPC Review) identified the following problems that arise because of inconsistency and overlap in the regulation of personal information:

  • increased compliance costs, particularly where businesses are conducted across jurisdictional boundaries;
  • confusion about which regime regulates particular businesses;
  • forum shopping to exploit differences in regulation; and
  • uncertainty among consumers about their rights.[19]

60.20 In its submission to the OPC Review, DOHA stated that:

The co-existence of Commonwealth, state and territory health information privacy legislation has created a significant burden on private sector health care services in understanding and meeting respective obligations, as well as confusion for health consumers affected by dual legislative instruments.[20]

60.21 In relation to health and medical research, the National Health and Medical Research Council (NHMRC) stated in its submission to the OPC Review that:

There is evidence that legitimate and ethical activities (which in some cases are vital to the quality provision of health care or the conduct of important health and medical research) are being delayed or proscribed because some key decision-making bodies are unable to determine, with sufficient confidence, whether specific collections, uses and/or disclosures of information accord with legislative requirements. The adoption of a highly conservative approach is resulting in excessive administrative effort and a reluctance to approve the legitimate use and disclosure of health information for the purposes of health care, as well as health and medical research.[21]

60.22 Those making submissions to the OPC Review overwhelmingly expressed the view that the existing state of health privacy law in Australia was unsatisfactory for health service providers, health and medical researchers and individuals.[22] In addition, concern was expressed that the problem would get worse as electronic health records become commonplace.[23]

60.23 In Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the NHMRC recommended that:

As a matter of high priority, the Commonwealth, States and Territories should pursue the harmonisation of information and health privacy legislation as it relates to human genetic information. This would be achieved most effectively by developing nationally consistent rules for handling all health information.[24]

A recommended solution

60.24 As discussed in Chapter 3, the Privacy Act expressly allows state and territory privacy legislation to operate to the extent that it is capable of operating concurrently with the Privacy Act. Section 3 of the Privacy Act indicates the Australian Parliament’s intention that the Act should not ‘cover the field’ in the constitutional sense and that state and territory legislation should be allowed to operate alongside the Privacy Act, to the extent that such laws are not directly inconsistent with the Privacy Act. Where state and territory law is directly inconsistent with the Privacy Act—that is, it is not capable of operating concurrently with the Act—that law will be invalid to the extent of the inconsistency.[25]

Discussion Paper proposals

60.25 In DP 72, the ALRC made a number of proposals aimed at achieving greater national consistency in the regulation of personal information, including health information. These included the consolidation of the IPPs and the NPPs into a single set of Unified Privacy Principles (UPPs) to apply across the public and private sectors.[26]

60.26 The ALRC also proposed that the Privacy Act be amended to make clear that the Act was intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by organisations in the private sector. In particular, the following state and territory laws were to be excluded from applying in the private sector: the Health Records and Information Privacy Act 2002 (NSW); the Health Records Act 2001 (Vic); the Health Records (Privacy and Access) Act 1997 (ACT); and any other laws prescribed in the regulations.[27] In addition, the ALRC proposed that the states and territories enact legislation regulating the handling of personal information in each state or territory’s public sector and that this legislation apply the UPPs and amending regulations as in force under the Privacy Act from time to time.[28] This was intended to ensure that the same UPPs, as well as proposed regulations dealing specifically with health information, would apply in every jurisdiction and across the public sector and the private sector.[29]

Submissions and consultations

60.27 There was strong support in submissions and consultations for greater national consistency in the regulation of health information.[30] The NHMRC expressed the view that:

the current state of privacy regulation in Australia is entirely unsatisfactory. Its complexity is impacting on the proper provision of health care and the conduct of important health and medical research, in addition to creating significant unnecessary compliance costs.

The NHMRC considers that a solution to the current problem of an unnecessarily complex privacy regulatory regime needs to be identified and implemented as a priority.

The NHMRC supports the development of a national set of privacy principles that apply to all health information uniformly across the public and private sectors.[31]

60.28 The Pharmacy Guild of Australia noted that the ‘marginally different laws on the handling of health information’ across Australia had caused problems for the national initiative ‘Project STOP’, making implementation of the project complex and time consuming. Project STOP is a program to track pseudoephedrine sales by requiring pharmacists to record personal information about any person requesting pseudoephedrine-based products in a web-based database.[32]

60.29 A number of insurance bodies discussed the difficulties that overlapping and inconsistent health privacy legislation posed for their national operations.[33] Other stakeholders expressed concern about the difficulty of conducting research or providing health services across jurisdictional boundaries. It was noted that health consumers often shift between jurisdictions and should receive the same level of protection in every state and territory.[34] The New South Wales Guardianship Tribunal noted that the inconsistencies and complexities in privacy law caused particular problems for those working in the disability sector, as people with disabilities often receive services from a range of public and private organisations.[35]

60.30 The OPC expressed the view that:

there is a strong need to clarify the application of the Privacy Act to private sector health service providers. Section 3 of the Privacy Act should be amended to make clear that the National Privacy Principles ‘cover the field’ for the regulation of private sector health service providers. This would address a key source of uncertainty and potential fragmentation in health privacy regulation in Australia.[36]

60.31 A number of stakeholders expressed support for a cooperative approach to achieving national consistency, rather than amending s 3 of the Privacy Act to exclude state and territory legislation.[37] The Government of South Australia did not support the Australian Government legislating to ‘cover the field’, expressing concern about the possibility that the Privacy Act might have an adverse impact on the operation of state legislation dealing with issues such as compulsory notification in relation to child abuse and notifiable diseases.[38] The Western Australian Department of Health noted that the regulation of health privacy has important implications for areas of state responsibility including the delivery of health care and the management of health services. The Department was of the view that health privacy should be regulated at the state level.[39]

60.32 The Office of the Health Services Commissioner (Victoria) suggested that state health privacy legislation was important to allow health consumers access to local complaint-handling bodies:

As well as administering the Health Records Act, HSC [the Office of the Health Services Commissioner] also handles complaints about health services in Victoria. HSC is therefore familiar with the workings of the local health system. This is very important when handling complaints about possible breaches of health privacy. HSC receives a number of complaints where the person is complaining about the health service they received as well as a breach of health privacy. Both complaints are dealt with together, as there is often an overlap of issues.[40]

ALRC’s view

60.33 The importance of national consistency in the handling of personal information is examined in detail in Chapter 3. Although the health information privacy legislation in New South Wales, Victoria and the ACT highlights the problems caused by overlapping and inconsistent legislation, the issue is not confined to the handling of health information. The ALRC’s main proposals in relation to national consistency are framed in relation to personal information (including health information), and can be found in Chapter 3.

60.34 The ALRC has found that inconsistency and fragmentation in privacy regulation causes a number of problems, including unjustified compliance burden and cost, and impediments to information sharing and national initiatives in the provision of health services and the conduct of research.[41] The ALRC has concluded that national consistency should be one of the goals of privacy regulation in Australia and that personal information should attract similar protection, whether that personal information is being handled by an Australian Government agency, a state or territory government agency or a private sector organisation.

60.35 In Chapter 3, the ALRC recommends that the Privacy Act be amended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information in the private sector.[42] In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations: the Health Records and Information Privacy Act 2002 (NSW); the Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).

60.36 Other state and territory laws may be introduced to regulate the handling of personal information or health information in the private sector, for example, the Information Privacy Bill 2007 (WA). The ALRC therefore recommends that the Privacy Act be amended to allow the making of regulations to exclude such laws, if necessary, in the future.[43]

60.37 The ALRC notes state and territory concerns about the interaction of the amended Privacy Act with state and territory laws. These laws include, for example, state and territory public health Acts requiring health service providers to collect and record certain information about health consumers with notifiable diseases, such as tuberculosis, Creutzfeldt-Jakob disease and HIV/AIDS.[44] Other state and territory laws contain provisions that require mandatory reporting when a child is suspected of being at risk of harm.[45]

60.38 The model UPPs will allow most of these laws to operate under express exceptions for acts or practices that are ‘required or authorised by or under law’.[46] In relation to areas that are not covered adequately by such exceptions, the ALRC recommends that the Australian Government, in consultation with state and territory governments, develop a list of specific ‘preserved matters’ for the purposes of the Privacy Act.[47] The Act should not apply to the exclusion of a state or territory law so far as the law deals with a ‘preserved matter’.

60.39 In relation to the handling of personal information in the state and territory public sectors, the ALRC recommends an intergovernmental agreement. A major cause of inconsistency in Australian privacy laws is that the Privacy Act and state and territory privacy laws include similar, but not identical, privacy principles. It is the ALRC’s view that the most effective method of dealing with these inconsistencies is the adoption of identical privacy principles across Australia. The intergovernmental agreement would provide that state and territory privacy legislation apply the model UPPs and any relevant regulations made under the Privacy Act that modify the application of the UPPs.[48] These would include the new Privacy (Health Information) Regulations, discussed further below and in Chapter 63, as in force under the Act from time to time.

60.40 The ALRC does not recommend that the states and territories be required to develop legislation that exactly mirrors the Privacy Act. Apart from the specified elements, the states and territories would be free to develop legislation in relation to their public sectors that accommodates existing state and territory information laws and compliance and enforcement mechanisms. The ALRC does recommend, however, that definitions of key terms used in the Privacy Act (such as ‘personal information’, ‘sensitive information’ and ‘health information’) should be adopted in state and territory privacy legislation.[49]

Complaint handling

60.41 In DP 72, the ALRC considered the issue of complaint handling under the various federal, state and territory privacy laws. Because of overlapping legislation, complaints against private sector health service providers in Victoria, for example, may be handled by either the OPC or the Victorian Health Services Commissioner. The ALRC’s proposal that the Privacy Act operate to the exclusion of state and territory health privacy law in the private sector would have removed this jurisdiction from state and territory complaint-handling authorities. The ALRC recognised, however, that there were advantages to handling complaints at a local level. The local complaint handler often has contacts and relationships with local providers, and is in a better location to conduct conciliation conferences.

60.42 In DP 72, the ALRC proposed that the Privacy Act be amended to allow the Privacy Commissioner to delegate his or her powers relating to the handling of complaints to state and territory authorities.[50] This proposal was intended to allow the Privacy Commissioner to enter into agreements with state or territory authorities, such as the Office of the Victorian Health Services Commissioner, to allow those authorities to handle complaints under the Privacy Act. In DP 72, the ALRC also proposed that the Privacy Commissioner consider delegating the power to handle complaints about the handling of health information by private sector health service providers to state and territory health complaint agencies.[51]

Submissions and consultations

60.43 There was a mixed response from stakeholders to this proposal. Some were opposed; some offered qualified support; and others were fully supportive. The OPC did not support the proposal, on the basis that it would introduce a level of complexity and uncertainty into the complaint handling process. If this function were delegated, the OPC expressed the view that it would be necessary to ensure that the state or territory authority had complaint-handling processes and remedies that were consistent with those of the OPC. The OPC noted that proximity to the parties to a complaint was no longer as important as it had been in the past, given modern communication options such as email and voice and video conferencing.[52]

60.44 The Australian Privacy Foundation gave qualified support, stating that it would support the ALRC’s proposal only if it incorporated a guarantee that complaint mechanisms and remedies at the state and territory level were of at least the same standard as those provided in the Privacy Act.[53]

60.45 In its submission, the Australian Medical Association (AMA) expressed concern about the proposal, noting that the AMA had developed a good working relationship with the OPC and that state and territory health complaint agencies may lack the expertise and training to deal with privacy issues.[54] The Health Informatics Society of Australia expressed a preference for a well resourced, nationally consistent complaint-handling process, rather than a system in which this function was delegated to the states and territories.[55]

60.46 The Government of South Australia did not support the proposal on the basis that, in its view, health information does not need to be treated differently from other types of personal information. The South Australian Government also noted that this proposal would result in increased resourcing and staff development needs for the South Australian Health and Community Services Complaints Commissioner.[56]

60.47 The Victorian Office of the Health Services Commissioner endorsed the importance of handling health privacy complaints locally but did not support the proposal to achieve this through delegation:

One reason for the effectiveness of state and territory health complaint agencies is their independence and the long standing relationships they have built up within the health sector. HSC is concerned that in acting as a delegate to the Privacy Commissioner, the state and territory agencies may be restricted in the independence of their decision making and their ability to respond to local circumstances. There are also resource implications that need to be taken into account.[57]

60.48 On the other hand, a range of stakeholders expressed support for the ALRC’s proposal.[58] The Australian Government Department of Human Services noted that the ALRC’s proposed approach would allow complaints to be dealt with as quickly and efficiently as appropriate and possible. The Department, and a number of other stakeholders, noted that there would be a need to ensure some level of consistency in complaint handling on behalf of the OPC, and that the OPC would need to consider the capacity, expertise and level of resources available to state and territory health complaint agencies.[59] Medicare Australia commented that health privacy complaints often arise in the context of a wider complaint about health service provision and that health complaint agencies can deal with all the related issues. Medicare Australia also noted that such agencies are more accessible and have a good understanding of the context in which such issues arise.[60]

60.49 In addition, the NHMRC suggested that it would be necessary to develop clear and transparent criteria on which to base the decision to delegate the complaint-handling function. NHMRC expressed the view that cross-jurisdictional complaints and those with potentially national implications should be investigated by the Privacy Commissioner rather than being delegated to state or territory health complaint agencies.[61]

ALRC’s view

60.50 In Chapter 49, the ALRC examines the options for investigating and resolving complaints under the Privacy Act, including referral of complaints to registered external dispute resolution schemes and state and territory complaint-handling authorities. The ALRC concludes that such referral has the potential to increase efficiency in dispute resolution, and to provide parties with a one-stop-shop for complaints that involve both privacy and service delivery issues.

60.51 In that chapter, the ALRC recommends that the Privacy Act be amended to enable the Privacy Commissioner to delegate all or any of his or her powers in relation to complaint handling to a state or territory authority.[62] The Commissioner would not be required to delegate his or her powers unless he or she was of the view that such delegation would be appropriate and effective.

60.52 This leaves open the possibility that the Privacy Commissioner could delegate the power to handle complaints relating to health information to a state or territory health complaints authority. Under any such arrangement, the state or territory authority would be able to handle complaints under the Privacy Act and to exercise the powers of the Privacy Commissioner. Thus, the broad framework for handling complaints would be consistent with the framework imposed on the OPC complaint-handling process. The Commissioner, however, could include other stipulations in the arrangements surrounding any such delegation.

60.53 The ALRC agrees with stakeholders that it will be necessary for the Privacy Commissioner to consider issues of capacity, expertise, and resources before entering into such an arrangement with a state or territory authority. The ALRC also agrees with the NHMRC that cross-jurisdictional complaints and those with national implications may be more appropriately dealt with at the national level. It may be, for example, that the Privacy Commissioner decides to delegate only the conciliation function to a state and territory authority and to retain the determination-making power at the national level.

60.54 In summary, it would be valuable for the Privacy Commissioner to consider delegating the power to handle complaints under the Privacy Act in relation to health information to state and territory health complaint authorities. On the basis of the recommendations in Chapter 49, this will be possible under the amended Act. The ALRC does not consider it necessary, therefore, to make a further recommendation in this chapter.

[13]Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Personal Information Protection Act 2004 (Tas); Health Records (Privacy and Access) Act 1997 (ACT); Information Act 2002 (NT). Other state and territory legislation may also have an impact on the handling of health information, for example, the New South Wales Government Department of Health, NSW Health Privacy Manual (Version 2) (2005) includes information on the Health Administration Act 1982 (NSW); Mental Health Act 1990 (NSW); Public Health Act 1991 (NSW); State Records Act 1989 (NSW); and the Freedom of Information Act 1989 (NSW).

[14] Queensland Government, Information Standard 42—Information Privacy (2001).

[15] Queensland Government, Information Standard 42A—Information Privacy for the Queensland Department of Health (2001).

[16] A related Bill, the Freedom of Information Amendment Bill 2007 (WA), was introduced on the same day. This Bill provides the Privacy and Information Commissioner with powers to resolve FOI complaints by conciliation. At the time of writing in April 2008, both Bills were awaiting passage by the Legislative Council.

[17] Explanatory Memorandum, Health Records (Privacy and Access) Bill 1997 (ACT).

[18] See Privacy Act 1988 (Cth) s 95B in relation to requirements for Commonwealth contracts; and s 6A(2)—no breach of an NPP if an act or practice of the contracted service provider is authorised by a provision of the contract that is inconsistent with the NPP.

[19] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 66–68. The costs of legislative inconsistency and regulatory fragmentation are considered in detail in Ch 14.

[20] Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004.

[21] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[22] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 65.

[23] Ibid, 43.

[24] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–1.

[25] Section 109 of the Australian Constitution provides that ‘When a law of a State is inconsistent with a law of the Commonwealth, the latter shall prevail, and the former shall, to the extent of the inconsistency, be invalid’.

[26] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 15–2.

[27] Ibid, Proposal 4–1.

[28] Ibid, Proposal 4–4.

[29] The recommended Privacy (Health Information) Regulations are discussed in Ch 63.

[30] See, for example, Unisys, Submission PR 569, 12 February 2008; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007; Royal Women’s Hospital Melbourne, Submission PR 108, 15 January 2007.

[31] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[32] Pharmacy Guild of Australia, Submission PR 433, 10 December 2007.

[33] AAMI, Submission PR 147, 29 January 2007; Investment and Financial Services Association, Submission PR 122, 15 January 2007.

[34] Health Informatics Society of Australia, Submission PR 196, 16 January 2007; I Turnbull, Submission PR 82, 12 January 2007; A Smith, Submission PR 79, 2 January 2007; R Magnusson, Submission PR 3, 9 March 2006.

[35] New South Wales Guardianship Tribunal, Submission PR 209, 23 February 2007.

[36] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[37] Australian Nursing Federation, Submission PR 205, 22 February 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Queensland Institute of Medical Research, Submission PR 80, 11 January 2006.

[38] Government of South Australia, Submission PR 187, 12 February 2007.

[39] Department of Health Western Australia, Submission PR 139, 23 January 2006.

[40] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[41] See Ch 14.

[42] Rec 3–1.

[43] Rec 3–1.

[44] See, eg, Public Health Act 1991 (NSW) s 14; Health (Infectious Diseases) Regulations 2001 (Vic) reg 6.

[45] See, eg, Children, Youth and Families Act 2005 (Vic) pt 4.4; Child Protection Act 1999 (Qld); Children’s Protection Act 1993 (SA) pt 4; Children Young Persons and Their Families Act 1997 (Tas) pt 3.

[46] See, eg, the exception to the ‘Use and Disclosure’ principle for use and disclosure that is ‘required or authorised by or under law’.

[47] Rec 3–3.

[48] Rec 3–4.

[49] Rec 3–4.

[50] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–3.

[51] Ibid, Proposal 56–1.

[52] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[53] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[54] Australian Medical Association, Submission PR 524, 21 December 2007.

[55] Health Informatics Society of Australia, Submission PR 554, 2 January 2008.

[56] Government of South Australia, Submission PR 565, 29 January 2008.

[57] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[58] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Northern Territory Government Department of Health and Community Services, Submission PR 480, 17 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[59] Government of South Australia, Submission PR 565, 29 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[60] Medicare Australia, Submission PR 534, 21 December 2007.

[61] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[62] Rec 49–3.