Explanatory statement for PIDs 10 & 10A
December 2007
Explanatory Statement
1. PURPOSE AND AUTHORITY
1.1 Public Interest Determinations 10 and 10A
This explanatory statement has been drafted for the purpose of fulfilling the Privacy Commissioner's obligations under section 26(1) of the Legislative Instruments Act 2003 (Cth).
This explanatory statement refers to two determinations issued under section 72 of the Privacy Act 1988 (Cth) (the Privacy Act):
- Public Interest Determination 10
- Public Interest Determination 10A
1.2 Purpose
The purpose of PID 10 is to exempt the applicant, Dr Tony Hobbs, a general practitioner and obstetrician who is a 'health service' provider and 'organisation' for the purposes of the Privacy Act, from complying with National Privacy Principle (NPP) 10.1 in certain circumstances.[1] NPP 10.1 prohibits the collection of 'sensitive information' (including health information) unless a prescribed exception applies such as where the individual consents. PID 10 permits the applicant to collect health information from an individual (a 'health consumer'), or from a person responsible for the health consumer, about another individual (a 'third party') in circumstances where:
- (a) the collection of the third party's information into the health consumer's family, social or medical history is necessary for the applicant to provide a health service directly to the health consumer; and
- (b) the third party's information is relevant to the health consumer's family, social or medical history; and
- (c) the applicant collects the third party's information without obtaining the consent of the third party; and
- (d) the third party's information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.[2]
Consistent with s 72(4) of the Privacy Act, PID 10A gives general effect to PID 10 for other health service providers in the same circumstances.
1.3 Provisions for Public Interest Determinations
The Privacy Act provides a mechanism for dealing with matters where the public interest in protecting the privacy of individuals and other public interests need to be considered and where in some circumstances the protection of privacy should be set aside to some degree.
This mechanism is given effect through the Privacy Commissioner's power to make a public interest determination. The Privacy Commissioner may make a public interest determination setting aside the protection of the privacy of individuals by declaring that a specific act or practice of the organisation will not be a breach of the National Privacy Principles. Alternatively, the Privacy Commissioner may make a public interest determination dismissing the application thereby not setting aside the protection of the privacy of individuals.
Further information on the provision for making public interest determinations and temporary public interest determinations is provided below at Section 1.4 'Authority for making these determinations'.
1.4 Authority for making these determinations
The authority for the Privacy Commissioner (the Commissioner) to make Public Interest Determination 10 rests in subsection 72(2) of the Privacy Act. Subsection 72(2) states that the Privacy Commissioner may make a written determination about an organisation's acts and practices if the Commissioner is satisfied that:
(a) an act or practice of an organisation breaches, or may breach, an approved privacy code, or a National Privacy Principle, that binds the organisation; but
(b) the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that code or Principle.
Public Interest Determination 10A is made pursuant to s 72(4) of the Privacy Act which states that:
The Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that organisation or any other organisation.
All requirements under Part VI of the Privacy Act, including notice of receipt and consultation requirements, have been met.
1.5 Application for a Public Interest Determination
On 21 August 2007, an application[3] was made to the Privacy Commissioner under s 73 of the Privacy Act for a Public Interest Determination (PID) that would, in effect, replace existing PIDs 9 and 9A which have been in effect since October 2002 and are due to expire on 10 December 2007. Temporary determinations[4] of similar effect to PIDs 9 and 9A were also in place between December 2001 and October 2002 pursuant to Part VI division 2, s 80A of the Privacy Act.
The application for a public interest determination is available at http://www.privacy.gov.au/materials/types/download/9257/6836.
1.6 Relevant National Privacy Principle
On 21 December 2001 the Privacy Amendment (Private Sector) Act 2000 commenced, extending the Privacy Act to the private sector through the operation of ten National Privacy Principles (NPPs). These principles govern the collection, use, disclosure and other handling of personal information.
The application raised an issue relating to one NPP, this being NPP 10 which prohibits 'organisations' from collecting 'sensitive information' (which is defined to include 'health information') unless a prescribed exception applies. These exceptions include where the collection is required by law and, most relevantly, where the individual chooses to consent to the collection. The definitions for the relevant terms are provided in section 6 of the Privacy Act and attached at A.
The effect of NPP 10 would be to prohibit the applicant and other health service providers from collecting health information about a third-party for the purpose of compiling a health consumer's medical history unless consent could be obtained from the third-party.
1.7 Documents incorporated by reference
National Privacy Principle 10.1 (under Schedule 3 of the Privacy Act), to which PIDs 10 and 10A relate, is incorporated by reference and available at Attachment A. National Privacy Principles 2.5 and 2.6 (under Schedule 3 of the Privacy Act) which determine the meaning of person 'responsible' for the purpose of PIDs 10 and 10A, are incorporated by reference and can also be found at Attachment A.
The application that led to the making of PIDs 10 and 10A is available at http://www.privacy.gov.au/materials/types/download/9257/6836. The Privacy Commissioner's notice of receipt of the application (required by s 74(1) of the Privacy Act) is available at http://www.privacy.gov.au/materials/types/other/view/6837. The previous Public Interest Determinations that dealt with medical history collection, PIDs 9 and 9A, are available from http://www.privacy.gov.au/law/act/pid/.
2. REASONS FOR MAKING DETERMINATIONS
2.1 Issues raised by the applicant
In applying for a public interest determination the applicant asserted that PIDs 10 and 10A, like their predecessors PIDs 9 and 9A, would support the well-established clinical practice of collecting health information about third parties (such as family or household members) from an individual where that information is directly relevant to the diagnosis, treatment or care of that individual. The practice is commonly referred to as 'medical history taking' and is one of the factors used as an aid in medical assessment, diagnosis and treatment. The practice is also necessary for the provision of quality health services to health consumers in allied health settings such as counselling and therapeutic health services, and residential and community aged care services. However, in the absence of a PID expressly permitting the practice, the practice would be a breach of NPP 10.1, which states that an organisation must not collect sensitive information about an individual unless a prescribed exception to this general rule applies.
2.2 Operation of Public Interest Determinations 10 and 10A
In approving the original PIDs 9 and 9A, a thorough stakeholder consultation process was undertaken and details of that process are available on the Office of the Privacy Commissioner's website.[5] Since their adoption in 2002, no concerns regarding the operation of PIDs 9 and 9A have been raised with the Privacy Commissioner nor with any of the stakeholder organisations and agencies which participated in the consultation process for the extension of the existing PIDs.
PIDs 10 and 10A allow health service providers to collect third party health information from an individual, without the third party's consent, for inclusion in the individual's family, social or medical history where that information is necessary to provide a health service to the individual. In the absence of PIDs 10 and 10A, health service providers engaging in this practice could be in breach of NPP 10.1. Accordingly, the likely effect of PIDs 10 and 10A will be to permit the established and widely supported healthcare practice of medical history-taking to continue.
In addition, PIDs 10 and 10A clarify that third party health information can also be collected from 'a person responsible' for an individual where the individual lacks the capacity to provide that information themselves. The expression 'responsible person' has the same meaning as in the Privacy Act and is set out in attachment A. This is discussed further below under "2.5 Inclusion of provision for collection from a 'person responsible'".
2.3 Public interest considerations
In issuing PIDs 10 and 10A, the Privacy Commissioner took account of the matters raised including in the application, the written submissions and at the conference on the draft determinations. The Privacy Commissioner found that permitting the relevant practice accords with widely accepted healthcare practices that contribute to continuing, comprehensive and quality health care for individual consumers and better public health outcomes. Importantly, the practice is generally known and accepted in the community and is therefore likely to be consistent with individuals' reasonable expectation of privacy.
Based on the available evidence including clinical practice examples presented by the applicant, submitters (including peak bodies) and at the conference, the Privacy Commissioner considered that:
- individual health assessment, diagnosis, treatment and care could be compromised if the proposed act is not permitted
- requiring health and medical professionals to seek third party consent for the collection of relevant health information in these circumstances would be impractical and would delay the healthcare delivery process in individual cases
- requiring a consent-based mechanism in these circumstances may have an unreasonably burdensome impact on the efficient and effective running of medical businesses which may in turn reduce capacity to provide adequate and timely health services to the public.
Dr Hobbs's application asserted that collection of third-party health information for the purposes outlined in the application is "...still of critical importance in the context of the collection of social, family or medical histories from health consumers across all clinical settings and by all clinicians". In particular, the applicant noted that collection of this type of information is used to inform efficient and accurate patient diagnoses and treatment plans.
The key issue of continuing to support best practice in patient care was echoed in almost all of the submissions received with a number offering specific examples of the health care situations in which this practice is critical. For example, one submitter noted that in the context of residential and community care "the ability to deliver an appropriate service to a client is, in part, reliant on being able to ascertain their history." Another submission supported the application on the basis that there is "a clear public interest in relation to the early diagnosis and treatment of inherited genetic conditions".
In assessing the public interest the Privacy Commissioner also considered the extent to which the proposed act or practice is inconsistent with an individual's reasonable expectation of privacy. The practice of collecting health consumers' family, social and medical histories for diagnosis, treatment and care - without the need to obtain third parties' consent - is widespread, considered best clinical practice and generally known and accepted in the community. Several submissions made specific reference to the high degree of consumer awareness regarding the importance of family, social and medical history information in facilitating accurate diagnosis and treatment. The perception that this practice is consistent with individuals' reasonable expectations is further demonstrated by the lack of complaints about the operation of PIDs 9 and 9A over the past five years and by the absence of any submissions opposing Dr Hobbs's application.
The potential harm to individuals' privacy was also a factor considered by the Privacy Commissioner. The confidential setting in which medical and allied health consultations occur supports the collection of relevant information about both health consumers themselves and other relevant third parties. Existing ethical protocols in these settings mean that all health information is collected in an environment of, using the applicant's words, 'maximum consumer privacy' governed by professional codes of practice relating to confidentiality. The context in which the information is collected therefore reduces the risk of harm to individuals through inappropriate use or disclosure of their sensitive information.
In addition to ethical clinical practice, the third parties' information, once collected, will continue to be protected under NPPs 1 to 9 and 10.2 to 10.3. For example, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation's functions or activities, be collected only by lawful and fair means and in a way that is not unreasonably intrusive.[6]
NPP 2 provides protection regarding the use and disclosure of the information collected under PIDs 10 and 10A. Under NPP 2, information collected may generally only be used or disclosed for the primary purpose of collection such as establishing an individual's family, social or medical history in order to provide a health service directly to the individual. Exceptions do apply, for example, under NPP 2.1(a) whereby information may be used or disclosed for a directly related secondary purpose within the reasonable expectations of the person to whom the information relates. Other limited exceptions are set out in paragraphs 2.1(b) and 2.1(d) to 2.1(h). Overall, the remaining NPPs appear to provide adequately for the protection of information that may be collected under PIDs 10 and 10A.
Accordingly, the Privacy Commissioner found that the public interest in permitting the practice substantially outweighed the public interest in maintaining the privacy protections of NPP 10.1 in these circumstances.
2.5 Inclusion of provision for collection from a 'person responsible'
A substantive issue, not addressed in PIDs 9 and 9A, was raised by a small number of submitters, and in the course of the Australian Law Reform Commission's review of privacy.[7] This issue was that good clinical practice may require collection of the relevant third party health information from a 'person responsible' for a health consumer when the consumer is incapable of providing that information themselves. Examples of where this need may arise include in the treatment and care of patients living with dementia or intellectual disabilities.
The Privacy Commissioner wrote to 14 key privacy, health professional and health consumer stakeholders seeking views on this issue. Attendees at the conference offered the view that PIDs 10 and 10A should provide a mechanism for permitting collection of third parties' health information from a 'person responsible' where the health consumer is not capable of providing that information themselves.
The Commissioner was satisfied that the public interest in addressing this issue substantially outweighs the public interest in protecting privacy and accordingly provision is made for such collections in PID 10.
This provision is reflected in paragraph 3(d) of PID 10.
3. OPERATION OF PUBLIC INTEREST DETERMINATIONS 10 AND 10A
PID 10 applies directly to the applicant, Dr Tony Hobbs, in his capacity as the provider of a 'health service' and hence an 'organisation' under the Privacy Act.
PID 10A applies to all other organisations that provide a 'health service' under the Privacy Act (health service providers) where those organisations collect third party information in the limited circumstances referred to under PID 10.
Under s 6 of the Privacy Act, 'health service' means:
- (a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
- (i) to assess, record, maintain or improve the individual's health; or
- (ii) to diagnose the individual's illness or disability; or
- (iii) to treat the individual's illness or disability or suspected illness or disability; or
- (b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
Accordingly, the Privacy Act and these public interest determinations apply to all private sector organisations that deliver these types of services and hold health information including all small health service providers. The types of health services covered include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals, such as counsellors, as well as complementary therapists, gyms, weight loss clinics and many others.
4. CONSULTATION PROCESS
Part VI of the Privacy Act requires that the Privacy Commissioner conduct consultation before making a PID. Pursuant to s 74, the Privacy Commissioner published notice of receipt of the new application in The Weekend Australian and the Canberra Times on 8 September 2007, in a special notice in the Commonwealth Gazette on 12 September 2007, and on the Office's website.[8] In addition, a media release was issued on 6 September 2007, letters were sent to 85 stakeholder organisations and notification by email was provided to members of the Office's Privacy Connections Network.
The process resulted in 31 written submissions from a range of sectors, including peak health and other professional bodies, private sector health service providers, state and territory health departments, Commonwealth agencies, health and privacy regulators, medical indemnity insurers and consumer groups.
In addition, a conference, convened at the request of the applicant (pursuant to s 76 of the Privacy Act), was held on 29 October 2007. Fourteen parties that had previously expressed interest in attending such a conference were invited to attend. In total, four parties attended the conference.
Attachment A: Relevant provisions in the Privacy Act 1988 (Cth)
'Health information' is defined in section 6 as:
(a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or
(ii) an individual's expressed wishes about the future provision of health services to him or her; or
(iii) a health service provided, or to be provided, to an individual; that is also personal information; or
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
'Sensitive information' is defined in section 6 as:
(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record; that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information.
'Person responsible' is defined in National Privacy Principle 2.5 as:
(a) a parent of the individual; or
(b) a child or sibling of the individual and at least 18 years old; or
(c) a spouse or de facto spouse of the individual; or
(d) a relative of the individual, at least 18 years old and a member of the individual's household; or
(e) a guardian of the individual; or
(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
(g) a person who has an intimate personal relationship with the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
National Privacy Principle 2.6 states that in subclause (NPP) 2.5:
child of an individual includes an adopted child, a step-child and a foster-child, of the individual.
parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.
relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.
National Privacy Principle 10.1 states:
10.1 An organisation must not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) if the information is collected in the course of the activities of a non-profit organisation - the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;
(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual's consent; or
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
[1] See the definitions of 'health service' and 'organisation' in s 6 and s 6D(4)(b), respectively: http://www.privacy.gov.au/act/privacyact/index.html
[2] 'Person responsible' has the same meaning as defined in NPP 2.5 and 2.6: http://www.privacy.gov.au/materials/types/download/8776/6583
[3] The application can be viewed at: http://www.privacy.gov.au/materials/types/download/9257/6836
[4] Temporary Public Interest Determination No. 2001-1 and Determination under section 80B(3) giving general effect to Temporary Public Interest Determination No. 2001-1 are available at: http://www.privacy.gov.au/materials/types/determinations/view/6464
[5] For details of PID 9 see http://www.privacy.gov.au/materials/types/download/8803/6604 and for PID 9A see http://www.privacy.gov.au/materials/types/download/8805/6605
[6] The NPPs, which form Schedule 3 of the Privacy Act, are available at http://www.privacy.gov.au/materials/types/download/8776/6583
[7] Australian Law Reform Commission (ALRC), Discussion Paper 72, Review of Australian Privacy Law (September 2007), available at: http://www.austlii.edu.au/au/other/alrc/publications/dp/72/
[8] http://www.privacy.gov.au/materials/types/other/view/6837


