Collection of health information

Collection of family medical history information by health service providers

63.3 NPP 10.1 provides that, subject to a number of exceptions, an organisation must not collect sensitive information without consent. This requirement is also included in the ‘Collection’ principle in the model UPPs.[5] On 21 December 2001, the Privacy Commissioner made two Temporary Public Interest Determinations (TPIDs) in response to concerns that the long-standing and accepted practice of collecting health information about third parties—for example, family members—without their consent, for inclusion in the social and medical histories of health consumers may breach the NPPs.

63.4 The TPIDs were given effect for up to 12 months, to permit the Privacy Commissioner to conduct consultations on the issue. Over 60 submissions were received during the consultation period; and a conference was held in August 2002 to consider a draft determination.[6] The Privacy Commissioner formed the view that the collection of health information about third parties without consent in the course of delivering a health service was a breach of NPP 10.1, but that the act or practice should be allowed to continue. In the Privacy Commissioner’s view, the public interest in its continuation substantially outweighed the public interest in adhering to NPP 10.1:

The collection of family, social and medical history information is a critical part of providing assessment, diagnosis and treatment to individuals. The Commissioner acknowledged that obtaining the consent of third parties to collect their information, and notifying those individuals about these collections, would be impractical, inefficient and detrimental to the provision of quality health outcomes.[7]

63.5 In October 2002, the Privacy Commissioner made two public interest determinations (PIDs)—PID 9, in relation to the particular health service provider that made the original application; and PID 9A, in relation to health service providers generally—to replace the TPIDs. PIDs 9 and 9A were tabled in the Australian Parliament and took effect on 11 December 2002 for a period of up to five years. Under PIDs 9 and 9A, health service providers could collect health information from health consumers about third parties without consent when both of the following circumstances were met:

  • the collection of the third party’s information into a health consumer’s social, family or medical history was necessary to enable health service providers to provide a health service directly to the consumer; and

  • the third party’s information was relevant to the family, social or medical history of that consumer.[8]

63.6 The PIDs were reviewed in 2007; and PIDs 10 and 10A were issued with effect from 11 December 2007. PIDs 10 and 10A replaced PIDs 9 and 9A and were similar in scope, but expressly clarified that health service providers may collect third party information from a ‘person responsible’ for a health consumer where the health consumer is incapable of providing the information themselves. A ‘person responsible’ for an individual is defined in NPPs 2.5 and 2.6.

63.7 In the course of the OPC’s review of the private sector provisions of the Privacy Act 1988 (Cth) (the OPC Review)—which preceded the issue of PIDs 10 and 10A—the Privacy Commissioner considered whether the effect of PIDs 9 and 9A should be made permanent by an amendment to the Privacy Act. A number of submissions to the OPC Review commented on the effectiveness and importance of PIDs 9 and 9A and expressed support for such an amendment.[9] The OPC recommended that the Australian Government consider amending NPP 10 to include an exception that mirrors the operation of PIDs 9 and 9A.[10]

63.8 National Health Privacy Principle 1 (NHPP 1) of the draft National Health Privacy Code specifically provides for the collection of health information without consent where

the information is a family medical history, social medical history or other relevant information about an individual, that is collected for the purpose of providing a person (including the individual) with a health service, and is collected by a health service provider:

(i) from the person who is to receive that service; or

(ii) from a relative or carer of the individual;[11] or

(iii) in any other situation, in accordance with any guidelines issued for the purposes of this paragraph.[12]

Issues Paper 31

63.9 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked whether the Privacy Act should be amended to allow health service providers to collect information about third parties without their consent, in line with PIDs 9 and 9A. The ALRC also asked whether NHPP 1 of the draft National Health Privacy Code provided a more appropriate and effective framework for the collection of such information than the current provisions of the Privacy Act.[13]

63.10 A number of stakeholders, including the OPC, expressed support for amending the Privacy Act to give statutory effect to PIDs 9 and 9A.[14] The OPC noted that the PIDs were due to expire on 11 December 2007 and that no submissions to the OPC Review were critical of the content of the PIDs. The OPC suggested, however, that consideration might be given to limiting the provision to exclude genetic information and information in electronic health records, given the potential detail in such sources.[15]

63.11 The OPC also expressed a preference for the wording of the PIDs over the wording of NHPP 1 of the draft National Health Privacy Code on the basis that the health sector has been working with the wording of the PIDs for a number of years. The OPC suggested, however, that there may be merit in including the provision from the draft Code allowing collection of health information about third parties from ‘a relative or carer of the individual’.[16] A number of other stakeholders expressed a preference for the wording in NHPP 1 of the draft Code.[17]

63.12 The National Health and Medical Research Council (NHMRC) suggested that an amendment was needed to the notification requirements in NPP 1.5. NPP 1.5 requires that, where an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in NPP 1.3, such as the identity of the organisation and the purpose for which the information was collected. The NHMRC submitted that:

NPP 1 should be amended to clarify that there may be circumstances in which it is reasonable for organisations to take no steps to ensure that an individual is:

  • notified of the fact that personal information about them has been collected from a third party; and/or

  • made aware of the specified matters relating to the collection and/or disclosure of that personal information.[18]

63.13 The NHMRC noted that the Privacy Commissioner had not included an exemption from the notification requirements in PIDs 9 and 9A. Instead, the Privacy Commissioner confirmed that, in the normal course of events, a health service provider will not be required to notify third parties that their health information has been collected for inclusion in the family, social or medical history of another individual.

The NHMRC submits that it would be unreasonable to require notification in such circumstances. While notification in any individual case may be feasible, notification in relation to the vast number of patient encounters at which such information is collected would be administratively burdensome and practically impossible in many cases. In addition, a notification requirement would be likely, in many circumstances, to impair the provision by consumers to their health care providers of sensitive information about family members, which may be vital to their own health care.[19]

Discussion Paper proposal

63.14 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that PIDs 9 and 9A should be given statutory effect by being promulgated in the new Privacy (Health Information) Regulations.[20] This was on the basis that collection of health information about family members and others is routine practice and essential to provide appropriate health care to individuals.

63.15 The ALRC expressed the view that the proposed regulation should not exclude genetic information or information in electronic health records. Genetic information, because of its familial nature, is particularly important in family medical histories. The proposed regulation, however, was to be limited to collection of health information about third parties from the individual health consumer or a person who is ‘responsible for’ the individual, as discussed further below. This was intended to limit the amount and type of health information collected about third parties.

63.16 A regulation along these lines would not, for example, allow health service providers to collect health information from third party genetic samples. In addition, an individual health consumer generally will not have access to comprehensive genetic or electronic health records about third parties without their consent, and so will not be able to provide these to health service providers without the knowledge and consent of the third party.

63.17 The ALRC agreed that, in general, PIDs 9 and 9A were preferable to NHPP 1. The ALRC acknowledged, however, that the provisions in NHPP 1, allowing the collection of third party information from relatives and carers, were a valuable addition to the provisions in PIDs 9 and 9A.

63.18 The ALRC noted the concerns raised by the NHMRC in relation to the notification requirements in NPP 1.5. The ALRC agreed that it was unreasonable to require health service providers to notify third parties that personal information about them had been collected in the context of taking a family medical history. Under the ‘Notification’ principle—discussed in Chapter 23—where an agency or organisation collects personal information from an individual about a third party, the agency or organisation is required only to take such steps, if any, as are reasonable in the circumstances to notify the third party. Where personal information about third parties is collected by health service providers in these circumstances, it would be reasonable to take no steps to notify those third parties.

Submissions and consultations

63.19 There was general support for giving PIDs 9 and 9A statutory force.[21] The OPC agreed with the ALRC’s reasoning in relation to genetic information, and expressed the view that such information should not be excluded from the provision. The OPC remained of the view, however, that collection from electronic health record systems should remain outside the provision.[22]

63.20 The Australian Medical Association (AMA) agreed with the ALRC that third parties would not expect to be notified where personal information about them has been collected in the context of taking a family medical history.[23] The NHMRC stated that:

We note that the ALRC agrees that it is unreasonable to require health service providers to notify third parties about whom health information has been collected in these circumstances. It would be helpful to include this advice in guidance supporting the Privacy (Health Information) Regulations to ensure clarity for providers.[24]

63.21 A number of stakeholders expressed support for allowing information about third parties to be collected from a person responsible for the health consumer.[25] The OPC noted that:

PIDs 10 and 10A, issued by the Privacy Commissioner to replace PIDs 9 and 9A, permit the collection of third party health information for family, social or medical history purposes from an individual, or from a person ‘responsible’ for that individual where the individual is incapacitated. PIDs 9 and 9A did not expressly refer to collection from ‘responsible’ persons, although proposal 57–3 does so.[26]

63.22 On the other hand, Privacy NSW submitted that this proposed extension was too broad and that the provision should include a finite list of those from whom third party information can be collected.[27]

ALRC’s view

63.23 The new Privacy (Health Information) Regulations should include provisions based on PIDs 10 and 10A. The content of these PIDs is premised on years of experience, consideration and review and has been found to be appropriate and effective. The new regulation should allow the collection of health information about third parties from the individual or a ‘person responsible’ for the individual. For example, it may be necessary to collect third party information from parents attending a health service with a child, or from a spouse or partner where the health consumer is unconscious. The concept of a ‘responsible person’ is discussed in detail below and includes family members, carers and legal guardians.[28] In the ALRC’s view the recommended definition of a ‘person responsible’ is sufficiently clear and limited to be appropriate in these circumstances.

Recommendation 63-1 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle, an agency or organisation that provides a health service may collect health information from an individual, or a person responsible for the individual, about third parties when:

(a) the collection of the third party’s information is necessary to enable the health service provider to provide a health service directly to the individual; and

(b) the third party’s information is relevant to the family, social or medical history of that individual.

Collection of family medical history information by insurance companies

63.24 A second issue raised in the OPC Review was the collection of third party health information without consent by insurance companies. In Essentially Yours: the Protection of Human Genetic Information in Australia (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the NHMRC noted that:

Insurance companies routinely collect family medical history information and use it in underwriting. The collection and use is based on the long recognised fact that certain diseases have a hereditary component, and that information about the medical history of family members is relevant in assessing the applicant’s risk.[29]

63.25 The public interest issues to be considered in relation to the collection of this information by insurers are not the same as those considered in the development of PIDs 9 and 9A and PIDs 10 and 10A, which focused on collection by health service providers. The ALRC and AHEC suggested that it would be appropriate to consider the specific issues that arise in the insurance context in the course of a PID process, recommending that:

Insurers should seek a Public Interest Determination under the Privacy Act 1988 (Cth) in relation to the practice of collecting genetic information from applicants about their genetic relatives for use in underwriting insurance policies in relation to those applicants.[30]

63.26 The OPC Review noted that the Privacy Commissioner had not yet considered an application for a PID in these terms[31] and recommended that:

The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.[32]

63.27 In IP 31, the ALRC asked whether the Privacy Act should be amended to allow insurance companies to collect health information about third parties without their consent in similar circumstances to those set out in PIDs 9 and 9A.[33] The ALRC did not include a specific proposal on this matter in DP 72.

Submissions and consultations

63.28 The Insurance Council of Australia expressed support for amending the Privacy Act to allow insurance companies to collect health information about third parties without their consent, noting that, ‘in some instances health information of a third party is relevant to the medical history of a claimant and therefore required to properly manage and understand a claim’.[34] The Investment and Financial Services Association (IFSA) and a number of other stakeholders also expressed support for a specific exception.[35]

63.29 The Office of the Health Services Commissioner in Victoria noted that an amendment would be desirable to ensure that insurance companies only use third party information for the purpose of processing individual insurance contracts and claims, and in compliance with the Privacy Act. The Office submitted that ‘clarity is needed in this area, and a working group should be set up to consult with stakeholders to come up with a suitable position on the issue’.[36]

63.30 By contrast, the OPC and other stakeholders did not support an exception to allow insurance companies to collect third party information without consent.[37] The OPC noted that the nature of the interests involved in the provision of health services and the provision of insurance differ considerably. While PIDs 9 and 9A concern the collection of third party information for the preservation of life and health, the collection of such information by insurance companies involves actuarial decision making and risk management. The OPC expressed the view that, while important, ‘the latter arguably lacks the compelling policy considerations necessary to warrant potentially lessening privacy protections’.[38]

63.31 The OPC noted that the IFSA Family Medical History Policy provides a practical solution to compliance with the Privacy Act. The Policy states that ‘insurers will not collect family medical history information in an identifiable format’.[39] The OPC expressed support for this approach, which allows the insurance industry to collect relevant third party health information while complying with the requirements of the Privacy Act.

ALRC’s view

63.32 The ALRC notes that the insurance industry has not yet applied to the Privacy Commissioner for a PID in relation to the collection of family medical history information without consent. IFSA’s Family Medical History Policy appears to indicate that it is feasible for insurers to collect and use health information about third parties that does not identify them. If this is so, then amending the Privacy Act is unnecessary. If information collected by insurance companies is not ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information’, then it does not fall within the definition of ‘personal information’ and is not covered by the Privacy Act.

63.33 The ALRC notes, however, that the accompanying commentary in the IFSA Family Medical History Policy states that ‘Family medical history information collected will be done on a de-identified basis, that is name and date of birth of the relative will not be collected.’[40] Collecting information without names and dates of birth attached may not be sufficient to ensure that information is not ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information’. For example, if it is apparent from the information collected that the third party is the mother or father of the individual applying for insurance, the third party’s identity can reasonably be ascertained from the information. In order to comply with the existing provisions of the Privacy Act, insurance companies must ensure that any third party health information they collect without consent is not about an individual whose identity is apparent or can reasonably be ascertained.

63.34 The ALRC is concerned that, although names and dates of birth are not collected, identities of third parties may be inferred from other information collected. If this is the case, insurance companies are collecting third party health information in breach of the Privacy Act. Insurers should seek a PID under the Privacy Act in relation to the practice. This is consistent with the relevant recommendation in ALRC 96,[41] discussed above.

Collection of health information as required or authorised by or under law

63.35 As noted above, NPP 10.1 provides, in part, that an organisation must not collect sensitive information, including health information, without consent except in a number of specified situations, including where ‘the collection is required by law’.

63.36 NPP 10.2 provides a further exception to the general rule that health information must not be collected without consent. NPP 10.2 provides:

Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected:

(i) as required or authorised by or under law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

63.37 NPP 10.2 recognises that health service providers may have legal obligations to collect certain health information without consent in the course of providing a health service. The OPC Guidelines note that ‘law’ includes Commonwealth, state and territory legislation, as well as the common law.[42] State and territory public health Acts, for example, require health service providers to collect and record certain information about health consumers with ‘notifiable diseases’, such as tuberculosis, Creutzfeldt-Jakob disease and HIV/AIDS.[43]

63.38 It is unclear why the language in NPP 10.1—‘unless the collection is required by law’—and NPP 10.2—‘where the information is collected as required or authorised by or under law’—is different. NHPP 1 of the draft National Health Privacy Code provides that health information may be collected without consent where the collection is ‘required, authorised or permitted, whether expressly or impliedly, by or under law’.

Submissions and consultations

63.39 The OPC did not support the form of words in NHPP 1 on the basis that the formulation is too wide. The legal authority to collect health information without an individual’s consent should be ‘relatively narrow, transparent and subject to a clear statement from a Parliament’.[44]

63.40 The OPC expressed the view that the existing provisions in NPP 10.2—that allow health information to be collected without consent where necessary to provide a health service to the individual ‘as required or authorised by or under law’—were appropriate. The OPC noted that the Prescription Shopping Information Service (PSIS)—established by Medicare Australia to allow registered medical practitioners to ring and find out if health consumers are ‘prescription shopping’ or acquiring medicines in excess of medical needs—is an example of collection that is authorised, rather than required, by or under law.[45]

63.41 The Department of Health and Ageing (DOHA) submitted that

as a matter of general principle it should not be considered an interference with privacy for an agency or organisation to collect health information where ‘the collection is required or authorised by law’.[46]

ALRC’s view

63.42 The ‘Collection’ principle, discussed in detail in Chapter 21, provides that sensitive information, including health information, must not be collected without consent except where ‘the collection is required or authorised by or under law’. The Privacy Act should not fetter a government’s discretion to require or authorise that personal information, including health information, be handled in a particular way.[47] The ‘required or authorised by or under law’ exception in the ‘Collection’ principle is intended to replace the exceptions currently set out in NPP 10.1(b) and NPP 10.2. This will eliminate the problem of inconsistency between these two existing provisions.

Binding rules established by health or medical bodies

63.43 NPP 10.2 also provides that health information may be collected without consent if the information is collected in order to provide a health service to the individual and in accordance with binding rules established by ‘competent health or medical bodies that deal with obligations of professional confidentiality’. The draft National Health Privacy Code does not include this exception.

63.44 The OPC Review recommended that:

The Australian Government should consider amending NPP 10.2(b)(ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.[48]

63.45 The OPC’s submission considered the exception provided by NPP 10.2(b)(ii), arguing that such rules would need to:

  • be formally adopted by a state or territory medical board as a statement of appropriate professional practice;

  • prescribe the circumstances in which the collection can occur without the patient’s consent;

  • define or regulate obligations of professional confidentiality in relation to the information collected; and

  • provide a mechanism for sanctions for breach.

63.46 The OPC stated that:

NPP 10.2(b)(ii) is intended to provide a mechanism to allow collection by health service providers where necessary to provide a health service, and in accordance with binding rules of professional confidentiality. However, it is the Office’s view that no current rules fit the terms of 10.2(b)(ii) in such a way that it could be confidently relied upon.[49]

63.47 The NHMRC submitted that no such rules existed, and that the provision should be deleted.[50]

ALRC’s view

63.48 Both the OPC and the NHMRC stated that they were not aware of any existing ‘rules established by competent health or medical bodies that deal with obligations of professional confidentiality’ that would fulfil the requirements of NPP 10.2(b)(ii). No such rules were drawn to the attention of the ALRC in the course of this Inquiry, and no objections were raised in response to the ALRC’s view, expressed in DP 72, to leave these provisions out of the ‘Collection’ principle. Consequently, the ALRC has not included this mechanism in the ‘Collection’ principle.

Difference between the collection, use and disclosure principles

63.49 Another issue raised in IP 31 was a discrepancy in approach between NPP 2 on the use and disclosure of sensitive information, and NPP 10 on collection of sensitive information.[51] In many communications of health information, there is both a disclosure and a collection. For example, a general practitioner collects health information for the primary purpose of providing a health service to a health consumer. The general practitioner may disclose that information to a number of other health service providers involved in treating the consumer, for example, a pathologist and a specialist.

63.50 Such disclosures are consistent with NPP 2 if they are directly related to the primary purpose of collection and within the reasonable expectations of the individual health consumer. NPP 10 requires that health information be collected with consent, although that consent may be express or implied. The issue is whether the pathologist and the specialist in the above example can rely on the implied consent of the health consumer to collect the consumer’s health information.

63.51 To better align the use and disclosure of health information under NPP 2 and collection of health information under NPP 10, the OPC suggested that NPP 10 should be amended to allow the collection of health information where necessary for providing a health service and where the collection was within the expectations of a reasonable person:

In the Office’s view, option 3 would appear to offer an appropriate and transparent mechanism for reforming NPP 10.2(b)(ii), and would cause the least interference with current good practice in the health sector. This option would provide greater alignment between the disclosure and collection provisions of the NPPs, and resolves the possible uncertainty surrounding collection by members of a treating team and other similar scenarios.[52]

63.52 A number of other stakeholders also suggested that this matter should be clarified.[53]

Discussion Paper proposal

63.53 In DP 72, the ALRC noted that health information must be collected with consent—except in specified circumstances—and that consent, to be valid, must be voluntary and informed.[54] If health information is used or disclosed for the primary purpose of collection or for a directly related secondary purpose and the individual would reasonably expect the health service provider to use or disclose the information in that way, the ALRC expressed the view that the resulting collection by another member of the treating team, for example, a pathologist or specialist, is likely to be consistent with the express or implied consent provided at the point of original collection. Good communication between health service providers and consumers at the point of original collection would put this beyond doubt.

63.54 The ALRC recognised, however, that it is important to facilitate information flow in the health services context among members of treatment teams. The ALRC asked whether the proposed Privacy (Health Information) Regulations should provide that health information may be collected without consent where it is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information.[55] A regulation of this nature would bring the ‘Collection’ principle, as it applies to health information, more into line with the ‘Use and Disclosure’ principle.

Submissions and consultations

63.55 A significant number of stakeholders expressed support for bringing the ‘Collection’ principle and the ‘Use and Disclosure’ principle into line in this way.[56] The NHMRC stated that this was clearly in the interests of health consumers.[57] Avant Mutual Group Ltd agreed, noting that:

Medical care is often delivered by a number of healthcare professionals. An individual will reasonably expect that a medical specialist will write to his GP following a consultation. Another example is a patient being discharged from hospital. A discharge summary will be sent to the plaintiff’s treating GP and/or specialists. The individual would reasonably expect his/her GP and other treatment providers to be kept appraised of the treatment he/she received at the hands of the specialist or whilst in hospital in order to ensure continuity of care. Avant has noted with some dismay that some health organisations have already adopted practices that impede the proper flow of information between healthcare professionals treating the same patient because of the organisation’s misapprehension of contemporary privacy laws. An example is the increasing practice of hospitals to require written consent from patients before important but routine health information is disclosed to the patient’s nominated general practitioner.[58]

63.56 On the other hand, a number of stakeholders expressed concern about this issue. Medicare Australia stated that:

This question refers to collection without consent in order to provide a health service where the person would reasonably expect the information to be collected for that purpose. It might be more appropriate to suggest that such information would be collected with implied consent, and that the person should be asked for specific consent if there is doubt about whether consent would be provided.

It is important to note that health information should not be collected without either express or implied consent.[59]

63.57 One stakeholder thought that the proposed formulation was too wide. It suggested that a more appropriate approach would be to allow the collection of health information without consent where:

  • it is necessary to provide a health service to the individual; and

  • the collection results from the disclosure by another health service provider for a directly related secondary purpose within the reasonable expectations of the individual; or

  • where it is impracticable to obtain the individual’s consent; or

  • the individual is incapable of providing consent and it is not possible to obtain consent from a responsible person or authorised representative on behalf of the individual.[60]

63.58 Privacy NSW submitted that it would be difficult for health service providers to know whether the collection was within the reasonable expectations of the individual.[61]

ALRC’s view

63.59 As noted above, it is possible to argue that the sharing of an individual’s health information among a team of health service providers treating the individual is done on the basis of express or implied consent—in which case, the privacy principles do not require amendment. It is important to be clear in the health services context, however, that the collection, use and disclosure of such information by members of the treating team are supported by the ‘Collection’ principle and the ‘Use and Disclosure’ principle where the collection, use or disclosure would fall within the reasonable expectations of the individual.

63.60 The new Privacy (Health Information) Regulations should provide that an agency or organisation that is a health service provider may collect health information about an individual, if the information is necessary to provide a health service to the individual and the individual reasonably would expect the agency or organisation to collect the information for that purpose. The recommended provision is not too wide, as it is limited to the collection of health information in the health services context and is linked to the reasonable expectations of the individual. The provision is intended to ensure that health service providers are confident to collect information where necessary to provide a health service to the individual, in circumstances in which the individual would expect them to do so.

63.61 Health service providers will be required to exercise judgement in relation to the reasonable expectations of the individual. The ALRC notes that the OPC has issued guidance in relation to the use and disclosure of health information in the health services context for a directly related secondary purpose that is within the reasonable expectations of the individual.

A patient’s expectations can be effectively managed through good provider–patient communication. This usually means the patient has been told the use or disclosure would happen, or they would expect it to happen because of why they gave the information to the provider in the first place.[62]

63.62 The guidance goes on to suggest that the usual starting point for assessing a health consumer’s reasonable expectations is what an ordinary individual would expect to happen to their health information in the given circumstances. A great deal of this guidance would be relevant to the collection of health information in the health services context. The ALRC anticipates that the OPC would revisit the guidance following the implementation of the recommendations in this Report.

Recommendation 63-2 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle, an agency or organisation that is a health service provider may collect health information about an individual if the information is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose.

[5] The IPPs do not require that agencies have consent before collecting health information and so the same issue did not arise.

[6] Privacy Act 1988 (Cth) s 76 provides for a conference to be held to consider a draft determination on the Privacy Commissioner’s initiative.

[7] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 274.

[8] Privacy Commissioner, Public Interest Determination 9, effective 11 December 2002; Privacy Commissioner, Public Interest Determination 9A, effective 11 December 2002.

[9] Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004; Australian Medical Association, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 21 December 2004; Mental Health Privacy Coalition, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004.

[10] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 81.

[11] This paragraph would apply, for example, where the individual was a child or an adult with a decision-making disability. Handling the health information of children, young people and adults with a decision-making disability is discussed further in Part I of this Report.

[12] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), NHPP 1.1(i).

[13] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–13.

[14] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[15] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[16] Ibid.

[17] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; A Smith, Submission PR 79, 2 January 2007.

[18] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[19] Ibid.

[20] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 57–3.

[21] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Australian Medical Association, Submission PR 524, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[22] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[23] Australian Medical Association, Submission PR 524, 21 December 2007.

[24] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[25] ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.

[26] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[27] Privacy NSW, Submission PR 468, 14 December 2007.

[28] Rec 63–3.

[29] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [28.49].

[30] Ibid, Rec 28–3.

[31] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 276.

[32] Ibid, rec 82.

[33] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–14.

[34] Insurance Council of Australia, Submission PR 485, 18 December 2007.

[35] Investment and Financial Services Association, Submission PR 538, 21 December 2007; Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[36] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[37] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Nursing Federation, Submission PR 205, 22 February 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; K Pospisek, Submission PR 104, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007.

[38] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[39] Investment and Financial Services Association, Family Medical History Policy: IFSA Standard No 16.00 (2005), [10.2].

[40] Ibid, [10.2.1].

[41] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 28–3.

[42] Office of the Federal Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001), 3. See also Ch 16.

[43] See, eg, Public Health Act 1991 (NSW) s 14; Health (Infectious Diseases) Regulations 2001 (Vic) reg 6.

[44] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[45] National Health Act 1953 (Cth) s 135AC.

[46] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[47] See Ch 16 for a detailed discussion of this issue.

[48] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 84.

[49] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[50] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[51] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), [8.160].

[52] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[53] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[54] See Ch 19 for a detailed discussion of consent.

[55] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 57–1.

[56] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Confidential, Submission PR 519, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[57] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[58] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[59] Medicare Australia, Submission PR 534, 21 December 2007.

[60] Confidential, Submission PR 570, 13 February 2008.

[61] Privacy NSW, Submission PR 468, 14 December 2007.

[62] Office of the Privacy Commissioner, Sharing Health Information to Provide a Health Service, Information Sheet 25 (2008).