Consent

62.72 Consent is a central concept in the Privacy Act—as it is in health ethics—and is of particular importance in dealing with health information because of the sensitive nature of that information. Consent provisions allow individual health consumers a measure of control over the collection, use and disclosure of their health information. This contributes to an environment in which the autonomy and dignity of the individual are respected, and supports the public interest in health consumers seeking advice and assistance from health service providers when needed, with the assurance that they will be able to maintain appropriate control of their personal information. It is important to note in the context of the Privacy Act that the issue under consideration is consent to the handling of health information and not consent to medical treatment.

62.73 The role of consent in the privacy regime generally, including issues such as the definition of consent and the use of ‘bundled consent’, is considered in detail in Chapter 19. In this chapter the ALRC will consider the role of consent in dealing with health information.

62.74 The OPC Guidelines on Privacy in the Private Health Sector (OPC Guidelines) state that the key elements of consent require that:

  • it must be provided voluntarily;

  • the individual must be adequately informed; and

  • the individual must have the capacity to understand and communicate his or her consent.[81]

Consent in the IPPs and the NPPs

62.75 In general terms, both the IPPs and the NPPs attempt to align consent requirements with what reasonable health consumers would expect in relation to the handling of their health information.

62.76 Consent is generally required when collecting health information under the NPPs, subject to a number of specific exceptions.[82] Consent is not required, however, when collecting health information under the IPPs.[83] Consent is not required for use under the NPPs or the IPPs if health information is used for the purpose for which it was collected or any other directly related purpose and, in the case of the NPPs, individuals would reasonably expect the organisation to use health information in that way.[84]

62.77 Consent is not required for disclosure under the IPPs if the individual was reasonably likely to have been aware that such disclosures are usually made.[85] Consent is not required for disclosure under the NPPs if the information is disclosed for the purpose for which it was collected or a directly related purpose and individuals would reasonably expect the organisation to disclose health information in that way.[86]

62.78 There are a number of exceptions to these general rules. For example, health information may be used without consent under both the IPPs and the NPPs where the use is:

  • necessary to lessen or prevent a serious and imminent threat to an individual’s life or health;[87]

  • required or authorised by law;[88] or

  • reasonably necessary to enforce the criminal law.[89]

62.79 In addition, the Act allows health information to be used without consent for research in some circumstances, with the approval of a Human Research Ethics Committee (HREC). This regime is discussed in detail in Chapters 64–66.

Express and implied consent

62.80 ‘Consent’ is defined in the Privacy Act as ‘express or implied consent’.[90] Express consent ‘refers to consent that is clearly and unmistakably stated’.[91] Consent may be stated orally, in writing, electronically or in any other form, so long as it is clearly communicated. Implied consent also requires communication and understanding between health service providers and health consumers. The OPC has stated that:

If the discussion has provided the individual with an understanding about how their health information may be used, then it would be reasonable for the health service provider to rely on implied consent.[92]

Specific and general consent

62.81 Consent runs along a spectrum from the very specific to the very general. In some cases, consent is sought to a wide range of uses and disclosures of personal information without giving individuals an opportunity to distinguish between those uses and disclosures to which they consent and those to which they do not. This is a particular problem where some of the uses and disclosures bundled together do not relate to the primary purpose of collection. This is referred to as ‘bundled consent’ and is discussed in Chapter 19.

62.82 In relation to sensitive information, such as health information, it may be reasonable to seek consent to a range of things at the same time—for example, collection into a health record maintained by the health service provider that will be retained for some period into the future; disclosure to, and use by, a pathology laboratory for testing purposes; and disclosure to a medical specialist for expert advice. Consent, however, should not be so general as to undermine the requirements that it be voluntary and adequately informed.

Capacity

62.83 Significant issues arise when individuals do not have the capacity to understand and communicate their consent to the way in which their health information is handled. For example, an adult’s decision-making capacity may be impaired temporarily or permanently by injury, illness or disability. This issue is discussed in detail in Chapter 70. Children and young people may have limited capacity to understand and consent. This issue is discussed in Chapters 67–69.

62.84 The draft National Health Privacy Code provides detailed provisions relating to the powers of an ‘authorised representative’. These provisions include powers to consent to collection, use and disclosure of health information on behalf of an individual who is incapable of giving consent, as well as powers to access and correct health information.[93]

62.85 In IP 31, the ALRC asked whether the Privacy Act provides an appropriate and effective regime for handling health information in those circumstances where an individual has limited capacity to give consent.[94] The ALRC also asked whether there are any other issues relating to consent to deal with health information in the health services context that the ALRC should consider.[95]

Submissions and consultations

62.86 In its submission, DOHA stated that:

Where the individual lacks capacity, it should be permissible for a person who is authorised under general law to make decisions on behalf of the individual, such as a parent, legal guardian or a person with an enduring power of attorney, to give consent, or to exercise rights of access or correction.[96]

62.87 A number of stakeholders expressed the view that detailed guidance was required in this area.[97] There was some support for the approach adopted in the draft National Health Privacy Code.[98]The National E-Health Transition Authority (NEHTA) commented, however, that although the draft Code included provision for an ‘authorised representative’ to make decisions on behalf of an individual, the Code did not allow for less formal arrangements. NEHTA’s view was that it was important to allow sufficient flexibility for alternative decision making in the health services context.[99]

ALRC’s view

62.88 Chapter 19 discusses in detail the concept of consent, including what amounts to valid consent and the problem of ‘bundled consent’. In that chapter the ALRC recommends that the OPC develop and publish guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act in specific contexts. This would include the health services context and reliance on express and implied consent. The ALRC also recommends that the guidance should address when it is or is not appropriate to use the mechanism of ‘bundled consent’.[100]

62.89 The ALRC does not recommend adopting the ‘authorised representative’ mechanism. Instead, in Chapter 70, the ALRC makes a range of recommendations aimed at facilitating a flexible approach to the involvement of third parties in decision making on behalf of other individuals. These recommendations include the adoption of the concept of a ‘nominee’. A nominee, appointed by the individual, may act on behalf of the individual in dealing with an agency or organisation that has established arrangements to recognise and verify the nominee. The ALRC recommends that nominees should be under an obligation to act in the best interests of the individual.[101]

62.90 ‘Nominee’ arrangements are based on consent and are intended to be less formal than arrangements such as an enduring power of attorney or a guardianship order. Formal, legal appointments will be required, however, where the individual does not have capacity to appoint a nominee. The ALRC recommends that the OPC develop and publish guidance on dealing with third party representatives and on recognising and verifying substitute decision makers authorised by a federal, state or territory law.[102] The ALRC also recommends that agencies and organisations that regularly handle the personal information of individuals with impaired decision-making capacity should ensure that relevant staff are adequately trained in relation to issues concerning capacity, and in recognising and verifying the authority of third party representatives.[103]

62.91 These recommended provisions, in combination with the model UPPs, will provide an appropriate and effective regime for handling health information in those circumstances where an individual has limited capacity to give consent. In everyday situations, nominee and other third party representative arrangements may operate. In emergency situations, the ‘Collection’ principle—which allows the collection of health information without consent where the collection is necessary to lessen or prevent a serious threat to the life or health of any individual—and the ‘Use and Disclosure’ principle—which allows the use or disclosure of health information where necessary to lessen or prevent a serious threat to an individual’s life, health or safety or to public health or public safety—will operate.

[81] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), Guideline A5.2.

[82]Privacy Act 1988 (Cth) sch 3, NPP 10.1.

[83] Ibid s 14.

[84] Ibid s 14, IPP 10.1; sch 3, NPP 2.1.

[85] Ibid s 14, IPP 11.1.

[86] Ibid sch 3, NPP 2.1.

[87] Ibid s 14, IPP 10.1(b); sch 3, NPP 2.1(e).

[88] Ibid s 14, IPP 10.1(c); sch 3, NPP 2.1(g).

[89] Ibid s 14, IPP 10.1(d); sch 3, NPP 2.1(h).

[90] Ibid s 6.

[91] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), Guideline A5.3.

[92] Ibid, Guideline A5.3.

[93] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), pt 4 cl 4.

[94] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–11.

[95] Ibid, Question 8–12.

[96] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[97] See, eg, Australian Nursing Federation, Submission PR 205, 22 February 2007.

[98] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[99] National E-health Transition Authority, Submission PR 145, 29 January 2007.

[100] Rec 19–1.

[101] Rec 70–1.

[102] Rec 70–3.

[103] Rec 70–4.