14/5/2001

"Every Australian will have a right of access to their health information on 21 December 2001. They will also have the right to correct inaccuracies on their records," said Malcolm Crompton, Privacy Commissioner, today as he released the Draft Health Privacy Guidelines for public comment. "Consumer choice and control over our health information is set to strengthen and so too will the traditional doctor/patient relationship," he said.

The Draft Health Privacy Guidelines complement the recently released Draft National Privacy Principles Guidelines by giving special consideration to the particular needs and responsibilities of health service providers. They aim to give a clear interpretation of what the National Privacy Principles (NPPs) mean for health service providers and the consumer. For example the guidelines make clear the individual's right of access to their records.

"Under the privacy scheme, health providers should provide their clients with free access to their records. It is important to remember that doctor's written opinions on the patient form part of the record," said the Privacy Commissioner. "The draft guidelines recommend that access to an individual's health record to be given within 30 days of the original request. Providing this access to patients will build trust in the relationship between the health provider and their patient. The Draft Health Privacy Guidelines are consistent with good clinical care."

"The National Privacy Principles (NPPs) in the amended Privacy Act 1988 establish a national framework for privacy in Australia including personal health information. The Draft Health Privacy Guidelines give detailed information on the application of the NPPs in the health sector," said Mr Crompton. "The guidelines set the minimum standard of privacy and I expect the health service providers will find that they also complement existing ethical standards and codes of practice in the health sector."

"Many individuals regard their personal health information as intensely intimate information. As the Privacy Commissioner I think it is very important that the new privacy legislation protects that information and ensures that individuals have control over their health information", said Mr Crompton.

"It is essential that we receive comment on the Draft Health Privacy Guidelines from both consumers and health providers. We need to test the guidelines for readability, practicality and content to make sure they deliver good privacy outcomes. The guidelines will form the basis of educational tools and complaints resolution processes in the implementation of the legislation", said Mr Crompton. "While the National Privacy Principles are already part of the Privacy Act, we need to ensure they are properly interpreted and implemented. This is why I am seeking everybody's input to the guidelines" said Mr Crompton. Submissions are due by 20 July 2001 and the final Health Privacy Guidelines will be published late October 2001.

The Privacy Commissioner is committed to fostering an Australian culture that respects privacy by working with, and providing expert advice to key stakeholders and the broader Australian community about the Privacy Act 1988. The Act applies to all health service providers in the private sector. It will protect personal and sensitive information (particularly health information), through the National Privacy Principles or codes approved by the Privacy Commissioner. This protection is backed by strong enforcement mechanisms.

"As the Privacy Commissioner it is important to me that I work with health service providers and the community to establish a privacy culture that works for the whole of the Australian community", said Mr Crompton.

For a copy of the Draft Health Privacy Guidelines visit www.privacy.gov.au/aboutus/consult or call the enquiry Hotline 1300 363 992. Submissions should be sent to consult@privacy.gov.au

Draft Health Privacy Guidelines (HTML version359 kb orWord 6  382 kb  or Rich text version 1.4mb  or PDF 548kb  or ZIP format 135 kb)

Privacy Act 1988 Changes on 21 December 2001

Background and Scenarios

Scenarios

Scenario 1: Consent sought on behalf of the individual A nursing home provides ongoing care for a person with dementia and wants to disclose health information to an allied health worker to assist with the individual's care. What steps need to be taken if the individual is unable to give consent?

If the additional care is related to the individual's overall treatment plan, is in their interests, and is something that both the individual and their family would reasonably expect, then it is unlikely consent will be required.

If, on the other hand, this is a new care initiative that the individual or family might not be aware of or might not agree to, and there are complex privacy or other ethical issues, then the nursing home may need to seek consent to disclose information for this purpose. If the individual is unable to give consent, the nursing home may need to seek consent from someone acting on the individual's behalf.

The Guidelines propose that consent could be sought from either a person legally appointed to represent the individual, a person previously informally nominated by the individual to act on his or her behalf, or, where there is no nominated person, someone the health provider judges to be an appropriate representative for the individual. This approach to consent is based on state law and current practice. It particularly aims to support the privacy rights of people with disabilities.

Scenario 2 - Collecting information in a fair manner An individual is videoed as part of the health service they are receiving. Would it appropriate for the health provider to use the video for training purposes in future?

To collect information in a manner that is fair, an organisation would need to seek consent from the individual to use the video for training purposes. The provision of the health service should not be contingent upon the individual consenting to this further use of the information.

Background

National Privacy Principles The National Privacy Principles are ten principles or rules in the amended Privacy Act 1988 which outline the base line standards organisations should observe when handling personal information

The ten principles include: NPP1 - Collection NPP2 - Use and disclosure NPP3 - Data quality NPP4 - Data security NPP5 - Openness NPP6 - Access and correction NPP7 - Identifiers NPP8 - Anonymity NPP9 - Transborder flow of data NPP10 - Sensitive information

For a summary of the NPPs, go to www.privacy.gov.au/

Privacy Guidelines

The Office of the Privacy Commissioner has released three sets of draft guidelines as the main interpretive sources prior to the legislation taking effect 21 December 2001.

The draft guidelines and the dates by which submissions are due are listed below:

• Draft Code Development Guidelines - 15 June 2001
• Draft National Privacy Principles Guidelines - 6 July 2001
• Draft Health Guidelines - 20 July 2001

All these drafts can be downloaded from www.privacy.gov.au/aboutus/consult, or a hard copy can be obtained by calling 1300 262 992.

In addition to working on these resources the Office will shortly release Draft Public Key Infrastructure Guidelines for the Public Sector for comment.