Agencies and organisations

62.45 Broadly speaking, Australian Government agencies are required to handle health information in accordance with the IPPs. Private sector organisations are required to handle health information in accordance with the NPPs. There are a number of significant exemptions in the Privacy Act, however, that mean that some agencies and organisations holding health information may not be subject to the Act in relation to that information.[54]

62.46 Perhaps the most significant exemption in the context of health information is for small business operators. Section 6D of the Privacy Act defines a small business as one that has an annual turnover of $3 million or less in the previous financial year.[55] Some small business operators that pose a higher risk to privacy have been brought back into the regime. In particular, small businesses are required to comply with the NPPs if, among other things, they:

  • provide a health service and hold health information, except where the information is held in an employee record;

  • disclose personal information for a benefit, service or advantage; or

  • provide a benefit, service or advantage to collect personal information.[56]

62.47 Small businesses that hold health information and provide a health service, therefore, are bound by the NPPs. This leaves open the possibility, however, that small businesses that hold health information but do not provide health services, do not pay to collect the information and are not paid to disclose the information—for example, health data registers that store health information for research purposes—may not be required to comply with the Act.

62.48 This possibility was considered in ALRC 96 in relation to genetic information. The ALRC and AHEC concluded that: small businesses that hold genetic information should be subject to the provisions of the Privacy Act, whether or not they provide a health service; and there was sufficient doubt about the coverage of the Privacy Act to justify amending the Act to make it clear that all small businesses that hold genetic information are subject to its provisions.[57]

62.49 The Australian Government did not support this recommendation. The Government considered that the existing provisions provided sufficient protection for the privacy of genetic information held by small businesses, while at the same time ensuring that small businesses were not burdened unfairly by the costs of complying with privacy legislation.[58]

62.50 The draft National Health Privacy Code, by way of contrast, is expressed to apply to ‘every organisation that is a health service provider or collects, holds or uses health information’.[59] The Victorian Health Records Act also applies to organisations that are health service providers or collect, hold or use health information.[60] The Act does not exempt small business operators. On the other hand, the New South Wales Health Records and Information Privacy Act exempts small business operators by reference to the Privacy Act.[61]

62.51 In IP 31, the ALRC asked whether the Privacy Act should be amended to ensure that all agencies and organisations that collect, hold or use health information are required to comply with the Act.[62]

Submissions and consultations

62.52 DOHA noted in its submission that:

It is considered that given its characteristics and sensitivities, individuals need reassurance that their health information will be handled appropriately by whoever holds it. Any misuse will heighten concerns about disclosing this kind of information, and unwillingness to disclose this information in a healthcare setting could result in detriment to the individual concerned or to the community as a whole.[63]

62.53 DOHA expressed the view that the handling of health information should be subject to appropriate privacy regulation across both the public and private sectors, although noting the need for some exemptions for agencies and organisations, such as the courts. Other stakeholders agreed that appropriate privacy regulation should apply in both the public and private sectors and regardless of the size of the business involved.[64]

62.54 In its submission, the NHMRC stated that:

The NHMRC cannot identify any relevant policy rationale for excluding the majority of small businesses from compliance with the Privacy Act. We consider that it is vitally important that the protections currently provided for health information apply to all agencies and organisations that handle health information (including genetic information) and to all agencies and organisations that handle genetic information that is not health information.[65]

ALRC’s view

62.55 Part E examines the policy basis for each of the exemptions from the Privacy Act and makes recommendations for change where necessary. In Chapter 39, the ALRC recommends the removal from the Privacy Act of the small business exemption. For the reasons discussed in that chapter, the ALRC is not convinced that an exemption for small business is either necessary or justifiable. The fact that comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—do not have an exemption for small business is a relevant consideration.

62.56 In Chapter 40, the ALRC also recommends the removal from the Act of the employee records exemption. This will extend for the first time privacy protections to health information held in private sector employee records.

62.57 The recommendations in Parts D and E, once implemented, will ensure that personal information—and, in particular, health information—will receive appropriate protection in the Australian Government public sector and the private sector. The recommendations in Chapter 3, aimed at achieving national consistency, will extend this protection into state and territory public sectors. These, in combination, will mean that the handling of health information is regulated consistently and appropriately throughout Australia.

[54] Exemptions are discussed in detail in Part E.

[55] Ch 39 examines the small business exemption in detail.

[56] Privacy Act 1988 (Cth) s 6D(4). Note that s 6D(7)–(8) of the Privacy Act provides that small businesses trading in personal information may not be required to comply with the NPPs if they have the consent of the individuals concerned or if the collection or disclosure of personal information is required or authorised by law.

[57] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–7.

[58] Australian Government Attorney-General’s Department, Government Response to Australian Law Reform Commission and Australian Health Ethics Committee Report: Essentially Yours: The Protection of Human Genetic Information in Australia (2005) <www.ag.gov.au> at 24 April 2008, 8.

[59] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003) pt 2 div 1 cl 1.

[60] Health Records Act 2001 (Vic) s 11.

[61] Health Records and Information Privacy Act 2002 (NSW) s 4.

[62] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–8.

[63] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[64] Australian Nursing Federation, Submission PR 205, 22 February 2007; Health Informatics Society of Australia, Submission PR 196, 16 January 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Royal Women’s Hospital Melbourne, Submission PR 108, 15 January 2007; K Pospisek, Submission PR 104, 15 January 2007; W Caelli, Submission PR 99, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007; Queensland Institute of Medical Research, Submission PR 80, 11 January 2006; A Smith, Submission PR 79, 2 January 2007; Caroline Chisholm Centre for Health Ethics, Submission PR 69, 24 December 2006.

[65] National Health and Medical Research Council, Submission PR 114, 15 January 2007.