62.1 This chapter examines the key definitions in the Privacy Act 1988 (Cth) relating to the handling of health information—that is, the definitions of ‘health information’ and ‘health service’. The chapter also examines the impact of the Act on the provision of health services and a number of concerns raised in this context, including the issues of consent and capacity. These issues are discussed more generally in Chapters 19 and 70.

62.2 The Information Privacy Principles (IPPs) in the Privacy Act do not distinguish between ‘personal information’, ‘sensitive information’ and ‘health information’. Public sector agencies are required to deal with all personal information, including health information, in the same way; that is, in accordance with the IPPs.

62.3 The National Privacy Principles (NPPs), however, provide a separate regime for ‘sensitive information’, including ‘health information’, and make specific provision for the handling of health information in some circumstances. This regime applies to private sector organisations, including all organisations that hold health information and provide a health service that might otherwise be exempt from the provisions of the Privacy Act under the small business exemption.[1]

62.4 The NPPs require that sensitive information, including health information, be given a higher level of protection than other personal information. For example, sensitive information must be collected with consent, except in a range of specified circumstances.[2] It may be used or disclosed only for the purpose for which it was collected or a directly related secondary purpose—and only so long as the individual would reasonably expect the information to be used in this way.[3] There is also special provision in the NPPs for the:

  • collection, use or disclosure of health information for research, or the compilation or analysis of statistics, relevant to public health or public safety;[4]

  • collection of health information for the management, funding or monitoring of a health service;[5]

  • collection of health information if necessary to provide a health service to the individual and the information is collected as required or authorised by or under law or in accordance with rules relating to professional confidentiality;[6] and

  • disclosure of health information to a person who is responsible for the individual, for example, a member of the individual’s family, where the individual is physically or legally unable to consent to disclosure.[7]

[1] Privacy Act 1988 (Cth) s 6D(4)(b). The need for a single set of Unified Privacy Principles (UPPs) applying to both agencies and organisations is discussed in detail in Part D. The small business exemption is discussed in Ch 39.

[2] Ibid sch 3, NPP 10.

[3] Ibid sch 3, NPP 2.1(a)(i).

[4] Ibid sch 3, NPPs 2.1(d), 10.3(a)(i). Research is discussed in detail in Chs 64–66.

[5] Ibid sch 3, NPP 10.3(a)(iii). This issue is discussed in Ch 63.

[6] Ibid sch 3, NPP 10.2. This issue is discussed in Ch 63.

[7] Ibid sch 3, NPPs 2.4–2.6. This issue is discussed in Ch 63.