Federal Health Privacy Law and options for Reform


Speech by Nari Sahukar, Deputy Director (A/g), Policy, to the Medico Legal Congress 2008, Sydney, 27 February 2008.

Introduction

On behalf of the Office of the Privacy Commissioner, I welcome the opportunity to speak to you all here today at the Medico Legal Congress 2008. Participating at this event is particularly timely for the Office - and I hope for you too - as we move towards a key period of possible reform for privacy regulation in Australia. I refer in particular to the inquiry into privacy law that the Australian Law Reform Commission is currently conducting, now due to report to the Government in May this year. It's also timely because 2008 marks 20 years since the Privacy Act 1988 (Cth) ('Privacy Act') came into force [1]. The Privacy Act initially covered the handling of personal information by Australian government agencies, including for Tax File Numbers. It later expanded to cover consumer credit reporting, health service providers and many other private sector organisations.

With that context in mind, I'd like to begin with an overview of privacy regulation at the Commonwealth level, focusing on the role of the Privacy Act and the Privacy Commissioner in relation to the private health sector. In the second half of my speech, I'll highlight some potential options for health privacy reform that may emerge from the current ALRC inquiry. In particular, I'd like to discuss options for:

  • Firstly, harmonising privacy regulation across the Commonwealth, state and territory jurisdictions; and
  • Secondly, enhancing the way that the privacy principles under the Privacy Act apply to health information.

Overview of the Commissioner's Role

So to begin, I'll provide a sketch of the Commonwealth privacy landscape, and the role of the Privacy Commissioner in the area of health privacy. I should note that when I talk about privacy here, I really mean 'information privacy', not other concepts like bodily or territorial privacy, which lie outside the regulatory scope of the Privacy Act [2].

The current Privacy Commissioner is Karen Curtis, and her Office is an independent statutory body with responsibilities under the Privacy Act [3]. Since the change of federal government, the Office has moved from the Attorney General's portfolio to sit in the Department of Prime Minister and Cabinet.

Since 2001, the Privacy Act has regulated the handling of personal information held by all 'health service providers' in the private sector. This includes private hospitals, GPs and private specialists, pharmacists, private sector nurses, and many others in allied and complementary healthcare. The Privacy Act doesn't cover healthcare providers in the state and territory public sectors (such as public hospitals or their staff). Those bodies may have to comply with state or territory privacy laws that fall outside the remit of our Office.

Aside from health service providers, the Privacy Act also regulates Australian and ACT government agencies, large private sector organisations, and some other small businesses. As well as the Privacy Act, the Privacy Commissioner also has some responsibilities under other legislation, like the National Health Act 1953 (Cth). That Act requires the Commissioner to issue binding Guidelines for the handling of Medicare and PBS claims information by Australian Government agencies. In fact, after an extensive review process, the Commissioner is about to release a new set of those Guidelines shortly.

All health service providers in the private sector have to comply with the 10 National Privacy Principles ('NPPs') under the Privacy Act. In brief, the NPPs regulate the collection, use, disclosure and security of personal information, including health information. The NPPs also give individuals a right to seek access to their personal information, and have it corrected if it's wrong. If an individual believes that a health service provider has handled their personal information in a way that breaches a National Privacy Principle, they can complain to the Privacy Commissioner about an "interference" with their privacy.

As their name suggests, the NPPs are principles-based law, sometimes expressed in terms of reasonable steps and expectations. The intent behind principles-based law is to emphasise the objectives of the law rather than prescribe what the regulated party may do. Principles-based law is aimed at encouraging organisations to understand the policy underpinning the law and adapt their practices accordingly; not just to prevent intervention from the regulator, but because they recognise the purpose of the law [4].

This approach is intended to give health service providers sufficient flexibility to determine how best to run their business in a manner that complies with the Privacy Act. In the Office's view, the NPPs sit comfortably alongside providers' obligations of confidentiality, reinforcing the strong tradition of trust between patients and providers. This flexibility is also intended to minimise complex legal compliance regimes, although admittedly, this task is made more difficult by the existence of state and territory privacy laws which overlap with the federal Privacy Act. I will return to this issue further on.

Functions and structure of the Office

I'll turn now to the functions of the Office of the Privacy Commissioner. The Office is primarily a regulator, though it also has policy advice and education functions. The Office's vision is "an Australian culture that values and respects privacy" [5]. In achieving this, wherever possible, the Office encourages agencies and organisations to work towards good privacy practice, including where that may go beyond minimum compliance obligations. The Office's structure reflects the Privacy Commissioner's statutory functions, and is divided into three sections: Compliance; Policy; and Corporate and Public Affairs.

Compliance Section

The Compliance section mainly investigates complaints from individuals about alleged interferences with their privacy, including under the National Privacy Principles just described. The Commissioner can also initiate "own motion investigations" about potential interferences with privacy that don't relate to a particular complainant.

The Office takes a conciliatory approach to its regulatory role. The emphasis is on working with agencies and organisations to encourage voluntary compliance with the Privacy Act. Our approach to resolving complaints focuses on attempting to conciliate an outcome wherever possible [6]. Where an outcome can't be conciliated, the Privacy Commissioner may make a determination.

To give you a quick snapshot, we received 113 complaints about health service providers last financial year. That amounts to about 9% of total complaints received [7]. If we exclude complaints about Australian government agencies and focus on the private sector, then the proportion of complaints related to health service providers increases to around 18% of all private sector complaints.

So what are the key issues that patients are complaining to the Privacy Commissioner about? Around one third of health sector complaints relate to individual requests for access to medical records. This mainly includes denial of access, or lack of response to individual requests for access. It also includes complaints about excessive access fees, or correction of information. Another quarter of health sector complaints are about improper use or disclosure of health information by a provider or their staff.

In addition to complaint-handling, the Compliance section is also responsible for the Office's audit functions, although these don't relate to the health sector. The final part of the Compliance section is the Office's Enquiries Line. These staff can provide general assistance by phone and email to the public about the operation of the Privacy Act. Last financial year our Enquiries Line received about 17,400 calls, and answered over 2000 written enquiries - including from individuals, providers, agencies and others [8].

Policy Section

The second major area of the Office is the Policy section, which provides more detailed advice and guidance on the application of the Privacy Act to the private sector - including to providers and peak health bodies. The section also advises federal and ACT government agencies, consumer groups and others. In addition, the Policy section:

  • examines proposed legislation and makes submissions to public inquiries;
  • comments on projects that have significant privacy implications; and
  • keeps abreast of technological and social developments that affect individual privacy.

Corporate and Public Affairs Section (CAPA)

Compliance and Policy activities are supported by the Office's Corporate and Public Affairs section. This includes the Office's media, website, parliamentary and educational functions, and organising events like Privacy Awareness Week, to be held this year in the last week of August.

While the work of each section is distinct, the Office relies on its cumulative experience to ensure consistent understanding and interpretation of the Privacy Act.

External expertise

The Privacy Commissioner also draws on additional expertise from outside the Office, through the Privacy Advisory Committee and a Health Privacy Forum which meets two or three times a year. The Privacy Advisory Committee ('PAC') gives strategic advice to the Commissioner from a broad range of perspectives, including health, information technology, business, government and consumer views.

The Health Privacy Forum is a more specialised group of thirteen senior representatives from the health professions, as well as consumer, government and research groups. The Forum is convened by the Privacy Commissioner to discuss topical health privacy issues, and to share clinical and administrative experience. This helps to further inform the Commissioner's advice to government and the health sector on appropriate and balanced policies for health privacy.

Referring back to the Office's preparation of guidance material, I should note that the Office is about to release a series of new Health Information Sheets and Frequently Asked Questions. This material will cover a range of topics which the health sector has raised as needing further guidance or clarification [9]. These topics include:

  • Sharing patient information to provide a health service (such as between multiple providers in a treating team)
  • Denying access to health information where giving access would cause a serious threat to life or health
  • Fees for access to medical records
  • Use and disclosure of health information for the management, funding and monitoring of a health service, and
  • Disclosure of health information to relatives of an incapacitated patient.

"Personal information" and "health information" under the Privacy Act

I'd now like to give you a quick sense of the type of information that is and is not protected by the Privacy Act. The Act applies to all "personal information". In short, this means information about a living individual whose identity is apparent, or can be reasonably ascertained. Whether a person's identity is reasonably ascertainable will depend on the context in which that information is held. Significantly, this also means that if personal information is properly deidentified, it won't be regulated by the Privacy Act.

The Privacy Act also deals expressly with "health information", which is a subset of personal information and is defined in broad terms [10]. For clarity, any personal information held by a health service provider is likely to be "health information" under the Privacy Act [11].

Health information is also considered to be "sensitive information" under the Privacy Act [12]. Sensitive information is given additional protection under the Privacy Act, in recognition of its special nature in the eyes of the community [13]. For example, an individual's consent is usually needed before health information can be collected, unless another limited exception applies under NPP 10 (such as where the collection is required by law).

Community trust in the health sector

Earlier I referred to the NPPs reinforcing community trust in the health sector - so what do I really mean by that trust? According to Community Attitude Research conducted by the Office last year, public trust in the ability of health service providers to handle personal information has increased over the past six years. By comparison, this trust declined slightly for financial institutions, and remained stable for a range of others. Overall, 91% of respondents trusted the health sector when it came to handling their personal information - more than any other sector [14]. The Office tries to reinforce this trust by working with the health sector to produce guidance that clarifies any areas of uncertainty, and provide advice on good privacy practice.

There were also interesting survey results on the issue of sharing health information with other providers. For example:

  • 32% of respondents thought that health professionals should share health information only if it is relevant to the specific condition being treated;
  • 12% said information should be shared only if the condition was serious or life threatening;
  • 30% believed health professionals should share health information only with the patient's consent; while
  • 26% of respondents believed that anything to do with a patient's health care could be discussed between health professionals [15].

The variation in these results indicates that sharing information between providers continues to be an area where active discussion should take place, to align expectations between providers and patients. This issue is discussed further in one of our forthcoming information sheets.

Overview of the recent reform context in Australia

Having given you some background on the application of the Privacy Act to the health sector as it stands today, I'll move now to the topic of privacy law reform for the future.

In 2006, the then Attorney-General asked the Australian Law Reform Commission to begin its current Review of Privacy. The ALRC's terms of reference are to examine the extent to which the Privacy Act and related laws continue to provide an adequate framework for privacy protection in Australia [16]. The review commenced at a time of renewed public interest in privacy issues, including concerns about how personal information should be handled in an era of developing technology, globalised information exchange, increased public surveillance, and greater emphasis on national security.

At the same time, community debate has continued over how to strike the right balance between privacy and a free press, for example, in relation to the reporting of medical information about vulnerable individuals. Controversy too has surrounded reporting of the health information of celebrities such as Naomi Campbell, photographed leaving a Narcotics Anonymous meeting in 2004 [17]; reporting on the late Rene Rivkin's incarceration and illness [18]; and the revelation of the medical records of AFL stars allegedly obtained outside a clinic in 2006 [19]. Much to my dismay, my own coffee table at home has recently been sullied with a large black and white photo and a glossy pink magazine headline: "Britney Committed: Inside the Psych Ward". But I dare not enter.

The Office of the Privacy Commissioner released its first two submissions to the ALRC's inquiry in February and March 2007. Notably, the health chapter was the longest and most detailed, responding to each of the questions posed by the ALRC [20]. These questions related to the core of health privacy law, while questions such as whether individuals should be able to sue for breaches of privacy were left to other chapters.

The Office released its most recent submission in December last year, this time responding to the ALRC's Discussion Paper 72, which included more specific proposals for health privacy reform [21].

I'd now like to mention some of the over-arching principles driving the reform agenda. I'll then go on to a more in-depth discussion of possible privacy law reforms.

Privacy law reform - some overarching drivers

The need for a single set of principles

In the Privacy Commissioner's view, an important starting point for privacy law reform is to combine the Privacy Act's two sets of existing principles into one.

The fact that the Act has two sets of privacy principles - the Information Privacy Principles ('IPPs') for the Commonwealth public sector, and the National Privacy Principles ('NPPs') for the private sector - is a result of how the Act has evolved over the past 20 years. But there appears to be no good rationale now for maintaining this dual approach.

Having separate principles for agencies and organisations contributes to confusion and fragmentation of privacy law. A single set of privacy principles would make things simpler for organisations and agencies, and lessen administrative and cost burdens. It would also empower individuals to better understand and exercise their privacy rights. The Office therefore strongly supports the ALRC's proposal for a single set of Unified Privacy Principles ('UPPs') under the Privacy Act.

Fostering national consistency of health privacy regulation

The second overarching goal of privacy reform is fostering national consistency across jurisdictions. Under the current framework, there is potential inconsistency and overlap between the Privacy Act, and state and territory laws in the private sector. There are also differing public sector requirements across the federal and state jurisdictions. The Office therefore agrees with the ALRC that national consistency in privacy regulation should be a key aim for privacy reform. This could be promoted through enhanced dialogue between governments, including as part of the Council of Australian Governments ('COAG') agenda.

If a single set of Unified Privacy Principles is enacted under the Privacy Act, it is further hoped that the states and territories would mirror these principles to cover their own public sectors. As state privacy laws regulate public hospitals, this would get us closer to the aim of national consistency on two fronts - across public and private sectors; as well as across Commonwealth, state and territory jurisdictions.

Complexity of privacy regulation in the private health sector

As I've mentioned, at the national level, the Privacy Act regulates all health service providers in the private sector. Victoria, NSW and the ACT have also enacted laws which purport to regulate health information in the private sector. In addition, some states and territories have developed separate privacy legislation for their public sectors. Western Australia (WA) is currently considering a Bill which, if enacted, may regulate that state's public sector, as well as health information in Western Australia's private sector.

Submissions to the Office's 2005 Review of the NPPs gave several examples of the complexity that results from regulatory overlap in health privacy [22]. One submission from a national medication service said that its call centre operators had to read different statements to obtain consent, depending on which state the individual was calling from. Other submitters referred to the compliance burden of having to comply with differing laws that apply to the same piece of information.

It's not difficult to imagine a situation where a resident of Wodonga, Victoria, visits a medical practitioner in neighbouring Albury, NSW. This patient's information would potentially be covered by Commonwealth, Victorian and NSW health privacy laws. If the patient had a privacy complaint against the medical practitioner, they may have difficulty working out who to complain to - the Office of the Privacy Commissioner, or to Victorian or NSW health privacy regulators.

And as we're on the cusp of the age of shared electronic health records, further complications may arise based on the location of computer servers that store our e-health records. Multiple storage locations may involve multiple jurisdictions, with different requirements for the handling of the information stored on each server.

To avoid confusion, the Office believes the Privacy Act should remove any uncertainty that it is the sole source of privacy regulation for all private sector health service providers - to the exclusion of state or territory legislation. In other words, the Commonwealth Privacy Act should 'cover the field' for the private sector. This would not affect the states' ability to regulate their own public health sectors, although it would be ideal if the states enacted complementary legislation for these sectors in due course.

The Office of the Privacy Commissioner is committed to supporting such efforts to reduce uncertainty around privacy regulation in the private health sector.

The proposed National Health Privacy Code

As I've already mentioned, a key driver of health privacy reform is the desire to achieve a nationally consistent regime for the regulation of health information. A number of options have been proposed to address this. For example, in 2003 a working group of the Australian Health Ministers' Advisory Council released a draft National Health Privacy Code, which has since been the subject of some discussion [23].

While the Office of the Privacy Commissioner supports the notion of national consistency, the Office believes the proposed Code would be likely to reduce certain protections currently applying to health information under the NPPs. The Office also views the proposed Code as overly complex and prescriptive, as outlined in its submissions to the ALRC in February and December 2007. The Office therefore welcomes the ALRC's decision not to endorse the proposed Code, instead pursuing more targeted health privacy reforms within the Privacy Act [24].

A separate set of health regulations?

As I touched on earlier, a cornerstone of the ALRC's proposed reforms involves combining the IPPs and the NPPs into a single set of Unified Privacy Principles - an area in which the ALRC and the Privacy Commissioner are in strong agreement.

However, while the UPPs would still apply to health information, the ALRC has also recommended that additional protections for health information should be made as a separate set of regulations under the Privacy Act. Such regulations would incorporate a number of specific health-related amendments, some of which I will outline below.

In the Office's view, a simpler solution would be to incorporate those suggested health amendments into the framework of the Unified Privacy Principles. In effect, this would avoid health service providers having to comply with two instruments - the UPPs, plus a new set of health regulations.

Specific reforms to the privacy principles regulating health information

Having outlined some of the options for high-level structural change for privacy regulation, I turn now to some possible changes to the substance of the privacy principles themselves. Given the general effectiveness of the existing NPPs in the health sector, and the lack of major compliance issues, the Privacy Commissioner's view on this area of reform is very much one of refinement, rather than reinvention. That is, the most fundamental difficulty raised by privacy laws at present is not the content of the principles themselves, but the existence of multiple and overlapping regulatory standards.

In its submissions to the ALRC last year, the Office proposed some key measures to enhance the effectiveness of health privacy laws, which could easily be adopted into a unified set of principles under the Privacy Act. These changes include clarifying rights and obligations around the handling of medical records, while ensuring that information can be readily shared for treatment in ways that patients expect. I'll now outline a few of these recommendations for reform.

Transfer of medical records and providers ceasing to trade

At present, National Privacy Principle 6 gives individuals a general right of access to health and other personal information held in the private sector. However, the NPPs are silent on the issues of transferring records between providers at an individual's request, or what should happen to medical records when a provider sells their business, retires or passes away.

On the issue of transfer of records, some patients express dissatisfaction when providers refuse to transfer medical records to another provider when requested. While a patient could request access to their medical record, this doesn't guarantee that a copy will be provided. The patient may also prefer the convenience of having the record transferred directly to the other provider, with reasonable costs payable. At the same time, specifying a process for transfer of records would also increase certainty and simplify the appropriate flow of patient information for providers.

Accordingly, the Office agrees with the ALRC's proposal that the Privacy Act should expressly provide for the transfer of records between providers following a patient's request. The Act should also allow a provider to make that request on behalf of their patient [25].

On the second issue of obligations when a provider ceases practising, the Office is aware of several instances where medical records have been left 'in limbo' as a result of practice closures. For example, this includes:

  • medical records left on the property of a landlord who had evicted the tenant health service provider; and
  • records left in the custody of a doctor's widow after her husband died unexpectedly.

In such situations, the resulting privacy issues are complex. They often involve non-health service providers who are individuals or small businesses that are unlikely to be bound by the Privacy Act. While this can be a problem for whoever ends up holding the records, it can also leave patients in an unenviable 'limbo' when it comes to adequate security, access, and protection of their records from improper use and disclosure.

The Office therefore agreed with the ALRC that where a provider sells their practice, retires or dies, the Privacy Act should require the provider or their legal representative to take certain reasonable steps:

  • Firstly, to make patients aware of the sale, amalgamation or closure of the health service, or the death of the provider; and
  • Secondly, to inform patients about proposed arrangements for the transfer or storage of individuals' health information [26].

Clarifying providers' obligations in the common event of practice closures would improve certainty for providers and patients alike, and avoid some of the situations I've just described.

Improved arrangements for access through intermediaries

Another proposed reform that the Office supports is to improve options for patients to access their health information through an appropriate and agreed intermediary, such as another health service provider or a trusted relative [27]. The ALRC Inquiry, and submissions to the Office's own 2005 review of the NPPs, have revealed some dissatisfaction with the existing provisions. These provisions stop short of giving individuals a clear right to request an intermediary when access is denied. However, the Office acknowledges that improved provisions on intermediary access should not be overly complex, and shouldn't unnecessarily prolong the procedures for giving access.

Providing protection for deceased people's health information

The Privacy Act currently protects the personal information of 'natural persons', which doesn't include deceased people. The Office has proposed that limited privacy protections should apply to the health information of deceased individuals. For example, this should ensure:

  • that governments and organisations don't collect that information unnecessarily;
  • that the information is used and disclosed only for proper purposes, including allowing providers to disclose information to relatives where appropriate [28]; and
  • that reasonable security measures are employed for the storage of deceased people's health information [29].

Such protections would recognise three important factors:

  • Firstly, that many individuals would expect that their health information will be protected even after death (ensuring such protection would also encourage patients to share all relevant information with their provider).
  • Secondly, inappropriate disclosures of deceased people's health information can potentially impact on living individuals. For example, relatives of the deceased may suffer social stigma or embarrassment if such information is inappropriately released.
  • Thirdly, extending certain Privacy Act protections to this information aligns with existing obligations of medical ethics and confidentiality.
    • For example, the World Medical Association's Declaration of Geneva (2006) provides that health service providers '... will respect the secrets that are confided in me, even after the patient has died'. The AMA has adopted this declaration alongside its code of ethics [30].

Clarifying the role of authorised representatives in the Privacy Act

On to a separate matter of specific reforms - the Privacy Act implicitly recognises the ability of legal representatives to exercise privacy rights by 'standing in the shoes' of an individual (this includes legal guardians and powers of attorney, for example). However, the Office sees merit in expressly clarifying the right of an 'authorised representative' to act on behalf of an incapacitated individual under the Privacy Act.

The Office has also suggested that where a patient's incapacity is intermittent or temporary, appropriate limits should be placed around the exercise of rights by authorised representatives [31]. While this is a difficult area, these proposals would provide appropriate privacy protections for incapacitated individuals, as well as added clarity for practitioners, carers and relatives regarding decision-making related to health information.

Retention of the imminence test

Briefly, the Office has also backed the retention of the "imminence" test for disclosures of personal information made without consent, in order to lessen or prevent a "serious and imminent" threat to someone's life, health or safety. The ALRC and others have advocated the removal of the "imminence" requirement from Privacy Act exceptions. However, the Office submitted that the "imminence" test provides robust protection of privacy, and clearer delineation for providers as to when disclosures are appropriate. At the same time, a recent article in an Australian medical magazine referred to potential legal indemnity complications if the "imminence" arm of the test is removed [32].

The Office has also noted that in appropriate areas - such as for serious threats to public health and safety, and in the case of denying access to health information - there is currently no "imminence" test. This recognises the difficulties in predicting exactly when such threats may eventuate in those particular situations.

Simplifying research approval processes, while recognising the special benefits of health and medical research

The Privacy Act currently provides a mechanism for the use of personal information without individuals' consent for health and medical research, subject to certain protections. The Office supports the ALRC's proposal to harmonise the existing framework, so that a single set of rules applies to researchers in the private sector and the Australian public sector.

However, the Office opposes a number of other ALRC proposals on research. Taken cumulatively, these proposals would unnecessarily broaden the scope for the use of personal information for non-health research without individuals' consent. At the same time, they would lower the public interest threshold required to use personal information for those purposes [33]. The Office does not support the proposal that personal information should be made available without consent for human research more generally, beyond health and medical research.

Establishment and use of health information databases and registers

The Office's submissions to the ALRC also addressed privacy issues relating to the establishment and use of health information databases or registers for research purposes. In order to maintain public confidence, the Office believes such initiatives should be established under legislation setting out their purposes, and appropriate uses of personal information held within them [34].

Relevantly to the current navigation towards a shared electronic health record system, the Office's 2007 Community Attitudes Research revealed that a large majority of Australians surveyed (76%) felt that inclusion in a national health database should be voluntary, compared with 64% in 2004. In addition, the respondents were evenly divided on whether or not de-identified information from this database should be made available for research purposes.

Conclusion: Good privacy protections will continue to support good healthcare

In closing, I hope I've been able to give you a sense of where the Australian Privacy Commissioner sits in the health privacy landscape, as well as an outline of where health privacy law reform may be headed in the coming years. For those of you wishing to delve more deeply into the Office's positions on privacy law reform, I'd urge you to visit our website's ALRC submissions page. And can I also remind you to check the website for our forthcoming Health Information Sheets in the coming days.

Overall, the Office of the Privacy Commissioner agrees with many stakeholders that health privacy regulation - indeed privacy laws generally - need to be simpler and clearer than the current scenario of regulatory overlap, and multiple sets of privacy principles at the Commonwealth, state and territory levels.

At the same time, the Office also notes that the existing protections under the Privacy Act have generally served the community well. Most relevantly, the National Privacy Principles have been successfully adopted by the health sector since 2001. Those principles remain consistent with professional ethical standards and confidentiality, and reinforce the collaborative relationship of trust between patients and providers. Accordingly, the Office believes that promoting greater simplicity through regulatory reform will address many of the significant issues in health privacy law today.

So as we await the final report of the ALRC's Review of Privacy due in May, and further engagement on the Government's response which will follow it, it is hoped that future reforms will include the following:

  • Firstly, a single set of unified privacy principles under the Privacy Act, to replace the separate sets of principles for the Australian public sector, and the private sector;
  • Secondly, clarification that the Privacy Act is the single source of health privacy regulation for the private sector in Australia;
  • Thirdly, a cooperative approach between governments to promote consistent privacy protections in the Commonwealth, state and territory public sectors; for example, by enacting mirror legislation in the states and territories to reflect the protections of a new-look Privacy Act; and
  • Finally, specific reforms to improve the current principles under the Privacy Act, including on:
    • the transfer and handling of medical records between health service providers;
    • protection for deceased people's health information;
    • a clearer role for 'authorised representatives' of individuals; and
    • simplification of the rules that govern personal information used for health and medical research.

In the Office's view, if these reforms can come to fruition, then there is much to look forward to for the future of health privacy protection - in a way that minimises complexity, and supports quality health outcomes for all Australians.

    Thank you.

    [1] For more information see the Office's webpage, "Privacy Act 1988 - Celebrating 20 Years", at www.privacy.gov.au/about/priv20/index.html

    [2] A well established typology of different forms of 'privacy' is:

    • Information privacy - involving rules for the handling of personal data
    • Bodily privacy - protection of our physical selves against invasive procedures
    • Privacy of communications - security and privacy of mail, telephones etc
    • Territorial privacy - setting limits on intrusions into domestic and other environments.

    See D Banisar, "Privacy and Human rights: an international survey of privacy laws and developments" (2000), Electronic Privacy Information Center, Washington DC. Available at www.privacyinternational.org/survey/

    [3]See www.privacy.gov.au/act/privacyact/

    [4] See also Karen Curtis, Privacy Commissioner, 'Reducing overlap, duplication and inconsistency', speech to Australian Regulatory Reform Evolution 2006, available at www.privacy.gov.au/materials/types/download/8285/6285.

    [5] See the Office Strategic Plan 2007-09, available at www.privacy.gov.au/materials/types/plans/view/5892.

    [6] Common resolutions after the investigation proceeds to conciliation include: apologies to complainants; changes to database systems; correction of records; provision of access to records; and amounts of compensation ranging from less than $500 to $20 000.

    [7] See Office of the Privacy Commissioner's 2006-07 Annual Report, The Operation of the Privacy Act, 1 July 2006 - 30 June 2007, p 48, available at www.privacy.gov.au/materials/types/reports/view/6817

    [8] More detailed statistics are available in the Office's 2006-07 Annual Report, available at www.privacy.gov.au/materials/types/reports/view/6817.

    [9] These issues largely arose in submissions to the Office's 2005 Review of the Private Sector Provisions of the Privacy Act, available at www.privacy.gov.au/materials#R.

    [10] 'Health information' is discussed further in the Office's Guidelines on privacy in the private health sector at www.privacy.gov.au/materials/types/guidelines/view/6517#a32.

    [11] The terms "health information" and "health service" are defined under section 6 of the Privacy Act.

    [12] Along with things like racial or ethnic origin, and information about criminal records. "Sensitive information" is defined under section 6 of the Privacy Act 1988 (Cth).

    [13] See, for example, the Hon Daryl Williams QC (then Attorney-General), Second Reading Speech for the Privacy Amendment (Private Sector) Bill 2000, available at http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2000-11-08%3BSEQ_NUM:8%3B.

    [14] See the Office of the Privacy Commissioner, Community Attitudes to Privacy 2007, p 17, available at www.privacy.gov.au/materials/types/download/8820/6616.

    [15] Ibid, at 10.2.

    [16] The ALRC's Terms of Reference are available at www.alrc.gov.au/inquiries/current/privacy/terms.htm.

    [17] See, for example, ABC Radio National, The Law Report, 'The Naomi Campbell House of Lords Decision; Reality TV Legal Traps', 1 June 2004 (transcript available at www.abc.net.au/rn/lawreport/stories/2004/1119374.htm).

    [18] See, for example, 'Stockbroker Rene Rivkin found dead', The Age, May 2, 2005, available at www.theage.com.au/news/National/Stockbroker-Rene-Rivkin-found-dead/2005/05/01/1114886254817.html. See generally Steve Dow, 'Goodbye to Privacy', The Age, 12 February, 2005, available at www.theage.com.au/articles/2005/02/10/1107890347087.html.

    [19] See, for example, J Wilson, 'Police probe on drugs leak', Herald Sun/Fox Sports online, May 3, 2006, available at www.foxsports.com.au/story/0,8659,19008686-23211,00.html.

    [20] The Office's February 2007 submission to the ALRC's Issues Paper 31 is available in full and in parts at www.privacy.gov.au/materials/types/submissions/view/6757.

    [21] The Office's December 2007 submission to the ALRC's Discussion Paper 72 ('DP 72') is available at www.privacy.gov.au/materials/types/download/9111/6748. In particular, Part H (Chapters 56-58) deals with health privacy proposals.

    [22] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005, at 2.5, available at www.privacy.gov.au/materials/types/reports/view/6049#2_5.

    [23] An archived version of the Draft National Health Privacy Code is available at http://pandora.nla.gov.au/pan/44612/20060314-0000/www7.health.gov.au/pubs/nhpcode.htm. The ALRC's Issues Paper 31 asked stakeholders whether the draft National Health Privacy Code would be an effective way to achieve a nationally consistent and appropriate regime for the regulation of health information (question 8-3).

    [24] Office response to proposal 56-2.

    [25] See the Office's response to the ALRC's DP 72, Proposal 57-8, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr24.

    [26] This obligation could be expressed in terms of 'reasonable steps'. See the Office's response to the ALRC DP 72, Proposal 57-8, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr22.

    [27] See the Office's response to the ALRC's DP 72, Proposal 57-6, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr20.

    [28] This could be similar to the existing NPP 2.4 discretion to disclose health information where an individual is incapacitated.

    [29] See the Office's response to the ALRC's DP 72, Proposals 3-11 to 3-13, available at www.privacy.gov.au/publications/submissions/alrc_72/PartA.html#apr22.

    [30] See www.ama.com.au/web.nsf/doc/WEEN-6U362Q. For further information on duties of confidentiality after death, see, eg, Jon Hoeskma, "Patient confidentiality extends beyond death", E-Health Insider, October 2007 (www.e-health-insider.com/news/3081/patient_confidentiality_extends_beyond_death). See further Dr J Deacon, "Privacy's life of its own", Australian Doctor, 18 January 2008.

    [31] See the Office's response to the ALRC's DP 72, Proposals 61-1 and 61-2, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr22.

    [32] Desi Corbett, 'Privacy plans a legal 'minefield'', Medical Observer, 18 January 2008.

    [33] See the Office's response to the ALRC's DP 72, Chapter 58, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#ach2.

    [34] See the Office's response to the ALRC's DP 72, Proposal 58-11, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr50.