62.45 Broadly speaking, Australian Government agencies are required to handle health information in accordance with the IPPs. Private sector organisations are required to handle health information in accordance with the NPPs. There are a number of significant exemptions in the Privacy Act, however, that mean that some agencies and organisations holding health information may not be subject to the Act in relation to that information.
62.46 Perhaps the most significant exemption in the context of health information is for small business operators. Section 6D of the Privacy Act defines a small business as one that has an annual turnover of $3 million or less in the previous financial year. Some small businesses operators that pose a higher risk to privacy have been brought back into the regime. In particular, small businesses are required to comply with the NPPs if, among other things, they:
provide a health service and hold health information, except where the information is held in an employee record;
disclose personal information for a benefit, service or advantage; or
provide a benefit, service or advantage to collect personal information.
62.47 Small businesses that hold health information and provide a health service, therefore, are bound by the NPPs. This leaves open the possibility, however, that small businesses that hold health information but do not provide health services, do not pay to collect the information and are not paid to disclose the information—for example, health data registers that store health information for research purposes—may not be required to comply with the Act.
62.48 This possibility was considered in ALRC 96 in relation to genetic information. The ALRC and AHEC concluded that: small businesses that hold genetic information should be subject to the provisions of the Privacy Act, whether or not they provide a health service; and there was sufficient doubt about the coverage of Privacy Act to justify amending the Act to make it clear that all small businesses that hold genetic information are subject to its provisions.
62.49 The Australian Government did not support this recommendation. The Government considered that the existing provisions provided sufficient protection for the privacy of genetic information held by small businesses, while at the same time ensuring that small businesses were not burdened unfairly by the costs of complying with privacy legislation.
62.50 The draft National Health Privacy Code, by way of contrast, is expressed to apply to ‘every organisation that is a health service provider or collects, holds or uses health information’. The Victorian Health Records Act also applies to organisations that are health service providers or collect, hold or use health information. The Act does not exempt small business operators. On the other hand, the New South Wales Health Records and Information Privacy Act exempts small business operators by reference to the Privacy Act.
62.51 In IP 31, the ALRC asked whether the Privacy Act should be amended to ensure that all agencies and organisations that collect, hold or use health information are required to comply with the Act.
Submissions and consultations
62.52 DOHA noted in its submission that:
It is considered that given its characteristics and sensitivities, individuals need reassurance that their health information will be handled appropriately by whoever holds it. Any misuse will heighten concerns about disclosing this kind of information, and unwillingness to disclose this information in a healthcare setting could result in detriment to the individual concerned or to the community as a whole.
62.53 DOHA expressed the view that the handling of health information should be subject to appropriate privacy regulation across both the public and private sectors, although noting the need for some exemptions for agencies and organisations, such as the courts. Other stakeholders agreed that appropriate privacy regulation should apply in both the public and private sectors and regardless of the size of the business involved.
62.54 In its submission, the NHMRC stated that:
The NHMRC cannot identify any relevant policy rationale for excluding the majority of small businesses from compliance with the Privacy Act. We consider that it is vitally important that the protections currently provided for health information apply to all agencies and organisations that handle health information (including genetic information) and to all agencies and organisations that handle genetic information that is not health information.
62.55 Part E examines the policy basis for each of the exemptions from the Privacy Act and makes recommendations for change where necessary. In Chapter 39, the ALRC recommends the removal from the Privacy Act of the small business exemption. For the reasons discussed in that chapter, the ALRC is not convinced that an exemption for small business is either necessary or justifiable. The fact that comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—do not have an exemption for small business is a relevant consideration.
62.56 In Chapter 40, the ALRC also recommends the removal from the Act of the employee records exemption. This will extend for the first time privacy protections to health information held in private sector employee records.
62.57 The recommendations in Parts D and E, once implemented, will ensure that personal information—and, in particular, health information—will receive appropriate protection in the Australian Government public sector and the private sector. The recommendations in Chapter 3, aimed at achieving national consistency, will extend this protection into state and territory public sectors. These n combination will mean that the handling of health information is regulated consistently and appropriately throughout Australia.
 Exemptions are discussed in detail in Part E.
 Ch 39 examines the small business exemption in detail.
Privacy Act 1988 (Cth) s 6D(4). Note that s 6D(7)–(8) of the Privacy Act provides that small businesses trading in personal information may not be required to comply with the NPPs if they have the consent of the individuals concerned or if the collection or disclosure of personal information is required or authorised by law.
 Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–7.
 Australian Government Attorney-General’s Department, Government Response to Australian Law Reform Commission and Australian Health Ethics Committee Report: Essentially Yours: The Protection of Human Genetic Information in Australia (2005) <www.ag.gov.au> at 24 April 2008, 8.
 National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003) pt 2 div 1 cl 1.
Health Records Act 2001 (Vic) s 11.
Health Records and Information Privacy Act 2002 (NSW) s 4.
 Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–8.
 Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.
 Australian Nursing Federation, Submission PR 205, 22 February 2007; Health Informatics Society of Australia, Submission PR 196, 16 January 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Royal Women’s Hospital Melbourne, Submission PR 108, 15 January 2007; K Pospisek, Submission PR 104, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007; Queensland Institute of Medical Research, Submission PR 80, 11 January 2006; A Smith, Submission PR 79, 2 January 2007; Caroline Chisholm Centre for Health Ethics, Submission PR 69, 24 December 2006.
 National Health and Medical Research Council, Submission PR 114, 15 January 2007.