This Information Sheet has been developed in response to a number of enquiries in relation to the adoption, use and disclosure of Commonwealth identifiers (including the Medicare number) in the health sector. These enquiries have arisen with the commencement of the Commonwealth-s new privacy law. This law came into effect on 21 December 2001.

The Privacy Amendment (Private Sector) Act 2000 amends the Privacy Act 1988 (Privacy Act) and extends privacy protection to personal information held by many private sector organisations, including all providers of private sector health services. The legislation includes ten National Privacy Principles (NPPs), which set out the minimum standards for handling personal information by private sector organisations, including all private health service providers. For more information refer to Information Sheet 1 - 2001 Overview of the Private Sector Provisions.

National Privacy Principle 7 (NPP 7) regulates the handling of Commonwealth government assigned identifiers, such as the Medicare, Department of Veterans' Affairs and Healthcare Card numbers. The purpose of this principle is to prevent the use of Commonwealth government assigned identifiers, in the private sector, as de facto common identity numbers for individual Australians. This Information Sheet has been produced to assist health service providers to understand how NPP 7 applies in practice to the health sector.

Rules relating to Commonwealth assigned identifiers

Individual identifiers are commonly used throughout the health sector - for example, in hospital or individual practitioner record systems. Identifiers often contain letters or numbers. It is important to note that a name is not an identifier.

While using identifiers provides many benefits, including increased administrative efficiency and ensuring the accurate identification of individuals for clinical or research purposes, their use also creates some privacy risks. In particular, identifiers can facilitate the bringing together of data about an individual from disparate sources.

In relation to Commonwealth assigned identifiers, NPP 7 provides that:

• a private sector organisation must not adopt as its own identifier of an individual, an identifier assigned to the individual by a Commonwealth agency; and
• a private sector organisation must not use or disclose an identifier assigned to an individual by a Commonwealth agency, unless the use or disclosure is necessary for the organisation to fulfil its obligations to the agency, or in a limited number of other circumstances permitted under the Privacy Act. Refer to the Privacy Act, especially NPP2.1(e) to (h), for further details on these limited circumstances.

As a general rule, the collection of Commonwealth identifiers by private sector health organisations should only be for the purpose of providing care and treatment to a client; where such care and treatment is authorised by, and will be financed by, a specific government agency - eg. collecting the Medicare number for treatments under the Medicare Benefits Scheme, or the Department of Veterans- Affairs (DVA) Card number for treatment under DVA entitlements. Then, these identifiers should only be used or disclosed by private sector organisations to fulfil their reporting obligations to the Commonwealth agency that assigned the identifier and not for any other purpose (eg. for research), unless specifically authorised.

Public Sector

Commonwealth, State and Territory agencies and authorities are not subject to the private sector provisions of the Privacy Act 1988 and are therefore not bound by NPP 7.

Identifiers assigned by other bodies

NPP 7 does not apply to identifiers issued by State or Territory government agencies, or to identifiers created and issued by individual private practitioners or their private sector organisations. However, health service providers should be aware that State or Territory law may regulate the adoption, use and disclosure of State or Territory assigned identifiers. Health service providers - responsibilities regarding the adoption, use and disclosure of State or Territory assigned identifiers will depend on the laws in each jurisdiction.

Additional, prescribed circumstances

The adoption, use or disclosure of a Commonwealth assigned identifier is also lawful if it occurs in prescribed circumstances. Regulations can be made under the Privacy Act to prescribe circumstances in which a Commonwealth assigned identifier may be adopted, used or disclosed in a manner that would ordinarily breach NPP 7.

Before such regulations can be made, the Federal Attorney-General must be satisfied that:

• the agency, or principal executive of the agency that assigns the identifier, has agreed that its adoption, use or disclosure is appropriate in the specified circumstances; and
• the agency, or principal executive of the agency, has consulted with the Privacy Commissioner regarding the specified circumstances for the proposed adoption, use or disclosure of the identifier; and
• the adoption, use or disclosure of the identifier, in the specified circumstances, is only for the benefit of the individual/s concerned.

As at March 2002 no regulations have been issued.

Further information and enquiries

To assist health service providers in understanding their obligations under the amended Privacy Act, the Privacy Commissioner has developed Guidelines on Privacy in the Private Health Sector. This document and further information available for sale or download can be found at the Privacy Commissioner's website - www.privacy.gov.au.

Health service providers or organisations seeking further clarification concerning the use of Commonwealth assigned identifiers can contact the Office of the Privacy Commissioner's Hotline.

Office of the Privacy Commissioner ISBN 1-877079-40-5 Privacy Hotline 1300 363 992 (local call charge)