The Privacy Amendment (Private Sector) Act 2000 extends the operation of the Privacy Act 1988 to cover the private health sector throughout Australia.
The co-regulatory approach offered by the legislation allows for flexibility in how organisations (including health service providers) deal with their privacy obligations, while ensuring standards apply to the protection of personal information, including health information. The legislation recognises the particularly sensitive nature of health information, and places extra protections around its handling, including enforcement mechanisms to deal with breaches of the privacy standards.
In the private health sector, the legislation will complement the existing culture of confidentiality that is fundamental to many health service providers' professional practice obligations.
The legislation, through its ten National Privacy Principles, promotes greater openness between health service providers and consumers regarding the handling of health information. The legislation introduces, for instance, a general right of access for consumers to their own health records, and requires health service providers to have available documentation that clearly sets out their policies for the management of personal information.
Clear and open communication between the health service provider and health consumer is integral to good privacy. This document recognises that when such communication occurs, then ordinarily, many of the privacy obligations of health service providers will be met. When providers are open about the health information they hold, and how they use and disclose it, surprises are unlikely and with fewer surprises there are likely to be fewer complaints.
The recent research on community attitudes toward privacy, conducted by the Office, shows the importance Australians place on controlling their health information, even when used in relation to their treatment.
The guidelines acknowledge that the health service provider's principal concern is the health care of the patient. The Privacy Act realises individuals' wishes to have their privacy protected. Therefore, the guidelines aim to assist health service providers to meet their obligations under the National Privacy Principles while providing treatment and care.
The document aims to assist the private health sector in better understanding the application of the National Privacy Principles to its business and services. The document is supported by Information Sheets on the application of the Privacy Act in a number of other areas. These are available on the Office's website at www.privacy.gov.au. Health service providers are also advised to refer to information and advice on privacy from their respective professional bodies.
Malcolm Crompton
Federal Privacy Commissioner
October 2001
Are these guidelines relevant to my organisation?
I am collecting information from an individual. What must I tell the individual?
There are a number of professionals treating an individual. Are there any constraints on the sharing of information in this situation?
A research body has asked for health information. How can I respond while safeguarding privacy?
The police have asked me for information about an individual. Do I have to disclose the information?
A relative asks for health information about a family member who is not able to consent to the disclosure. What does the Privacy Act require?
A parent has asked for information about a child and I have concerns about disclosing to the parent. What does the Privacy Act require?
What is a Privacy Policy? Does my organisation need one?
An individual asks me for access to their records. How should I respond?
An individual asks for a copy of their health records, but I am concerned that this may present a risk to their health. Do I need to provide access to records?
Appendix 1 - National Privacy Principles
Appendix 2 - Definitions from the Privacy Act (1988)
A.1.1 New privacy legislation for the private sector
In Australia, for the first time, there is now a comprehensive privacy law covering
the private sector. In an amendment to the Privacy Act 1988 (the 'Privacy
Act'), private sector organisations now have an obligation to protect the privacy
of individuals' personal information.
This amendment applies to all health service providers in the private sector, regardless of size, from 21 December 2001.
Most people consider health information to be highly personal, and therefore
need to be confident that their privacy will be protected whenever they use
a health service. The Privacy Act offers privacy protection to individuals and,
at the same time, balances this with the legitimate need for health service
providers to share information in order to facilitate the provision of quality
health care.
The privacy legislation covers a wide range of information handling practices,
including:
The provisions in the Privacy Act are based around 10 National Privacy Principles (NPPs) that represent the minimum privacy standards for handling personal information. Enforcement of the Act is generally through resolution of individual complaints lodged with the Privacy Commissioner or a Code Adjudicator, and sometimes through the Privacy Commissioner launching an investigation. The full text of the NPPs is included at Appendix 1.
A.1.2 Status of these guidelines
The guidelines are not legally binding; they aim to help health service providers comply with the NPPs and avoid interfering with the privacy of individuals. Nothing in the guidelines limits how the Commissioner will handle complaints.
If an individual thinks a health service provider has interfered with their privacy they can complain to the Privacy Commissioner. When the Privacy Commissioner receives a complaint the individual must in most cases be referred back to the provider to give the provider a chance to resolve the complaint directly (see s.40(1A) of the Privacy Act).
If the individual and the provider cannot resolve the complaint between themselves, the Office of the Federal Privacy Commissioner conciliates the complaint using letters and phone calls, or in some cases, face-to-face meetings. In the majority of cases, the complaint is resolved this way. As a last resort, the Privacy Commissioner can make a formal determination. If a health service provider does not comply with the determination either the Privacy Commissioner or the complainant can seek to have it enforced by the Federal Court. The Privacy Commissioner may also investigate an act or practice that may be a breach of privacy even if there is no complaint (see s.40(2) of the Privacy Act).
For further information to assist in preparing for the commencement of the
new privacy provisions see the following:
Information Sheet 1 - 2001 Overview of the Private Sector Provisions
Information Sheet 2 - 2001 Preparing for 21 December 2001, and
Information Sheet 12 - Coverage of and Exemptions from the Private
Sector Provisions.
In these guidelines, organisations that provide health services are referred
to as 'health service providers'. The guidelines have been developed primarily
with the following types of health service providers in mind (this is not an
exhaustive list):
However, any health service provider, or organisation working closely with them, may choose to consult these guidelines.
These guidelines are also intended for health service providers working within larger, non-health environments, such as community dentists employed in schools and medical practitioners in prisons and detention centres.
The guidelines are intended as a reference to the new privacy legislation for health service providers. They offer discussion and explanation on a range of privacy issues. However, they cannot cover all circumstances faced by a diverse range of providers across the sector.
Health service providers' professional associations will, usually, be the best source of advice, as and when more complex privacy issues arise. 'Quick guides', such as those being developed by some professional associations, will provide important assistance on a day-to-day basis.
Tip for compliance: Each employee and contractor of a private or non-government organisation that provides a health service needs to be aware of their obligations, and those of the organisation, under the Privacy Act. These guidelines aim to assist in this regard.
A.2.3 Health service providers that operate in both the public and private
sectors
A number of health service providers work in both the public and private sectors.
For example, medical practitioners who work in both public and private hospitals,
and organisations contracted by government for some of their work, but which
otherwise operate privately.
In general, when a provider works in the private sector, the Privacy Act applies, and these guidelines are relevant. When working in the public sector, the relevant Commonwealth, State or Territory laws apply.
Complexities arise when services are delivered through a mix of private and public sector providers across both private and public sector sites, for example, where public and private hospitals are co-located.
Where a private health service provider works within a public hospital, it is generally the case that the medical record remains subject to management by the public sector hospital, and therefore comes under relevant State/Territory legislation - regardless of clinical entries in those records by public or private sector providers.
However, if a private health service provider treats an individual in a public hospital, but retains records (including copies) in a private clinic or other place away from the public hospital, these records would be subject to the Privacy Act.
A.3.1 Personal information
The Privacy Act only applies to 'personal information'. That is, information
about an individual who can be identified, or whose identity could be reasonably
ascertained, from the information.
Personal information must relate to a natural, living person. A 'natural person' is a human being as opposed to an entity recognised by the law as a 'legal person', such as a company.
The NPPs do not apply to de-identified information or statistical data sets,
which would not allow individuals to be identified.
A.3.2 Health information
These guidelines are concerned with 'health information', which is a particular
subset of personal information. Health information is personal information:
'Health information' includes any information collected by a health service provider during the course of providing treatment and care to an individual, including:
For organisations that do not provide health services, the distinction between 'personal information' and 'sensitive information' is an important one, due to the higher privacy standards that apply to the latter.
This distinction is not so critical in the health context, as all personal
information collected in the course of providing a health service (including
the types of sensitive information listed above) is 'health information'. Therefore,
the higher privacy standards apply to all personal information collected by
health service providers in the course of providing a health service.
A.3.4 Information held in different forms
The NPPs are high-level principles and apply in a range of situations. They
are not designed to be specific to a particular technical or administrative
environment. The principles apply to health information held in any form, including
paper, electronic, visual (x-rays, CT scans, videos and photos) and audio records.
A.3.5 Employee records
The Privacy Act does not apply to information held by an employer about its
current and former employees, where that information is held in employee records
and its use or disclosure relates to the employment relationships.
However, if an individual attends a health service provider in a personal capacity (and that provider is also their employer), the information collected would not constitute part of their employee record. Thus, the Privacy Act would apply to health information collected in this situation.
The Act applies to information held about applicants for employment who were unsuccessful, and who never entered into an employee relationship with the organisation.
The Act also applies to the records of employees of other organisations when health service providers handle them, such as in relation to workers' compensation claims.
A.3.6 Health information held before the commencement of the Privacy Act
The new provisions in the Privacy Act are effective from 21 December 2001. Only some of the National Privacy Principles (NPPs) apply to information collected before 21 December 2001. These include NPP 4 (on data security), NPP 5 (on openness), NPP 7 (on identifiers), and NPP 9 (on transborder data flows).
NPP 6 (on access) also applies to information already collected, but only where that information is still in use, and if giving access would not pose an unreasonable administrative burden or expense on the health service provider.
For more guidance on how the NPPs apply to information a health service provider has already collected when the private sector scheme commences, see Information Sheet 10 - 2001 Application of the Privacy Act to Information Already Held.
In some instances, these codes or professional obligations apply stronger privacy protections than the NPPs, as is appropriate in the health context.
In other areas, the NPPs contain additional requirements to those in some professional
codes of practice, and may broaden the obligations of health service providers.
For example, generally, the legislation obliges health service providers to
give individuals right of access to their records.
A.4.2 Other legislation on health and privacy
There are also other Commonwealth, State and Territory laws which apply to health
service providers and regulate how individual health information must be handled.
To the extent that there are direct inconsistencies between Commonwealth and
State or Territory laws, generally, the Commonwealth law will prevail.
A.4.3 General guidelines on the NPPs
The Privacy Commissioner has developed 'Guidelines to the National Privacy Principles'
(the 'NPP Guidelines'), and Information Sheets, to explain how the NPPs apply
to private sector organisations across a broader range of sectors beyond the
health sector. The NPP Guidelines and Information Sheets are available on the
Office web site, at www.privacy.gov.au.
Most health service providers should find the information they need regarding the NPPs and their privacy obligations in these guidelines, as they have been developed to advise specifically on health-related issues. However, the NPP Guidelines and Information Sheets may be useful if further information is required about how the legislation applies outside the health sector.
For example, Information Sheet 9 - 2001 Handling Health Information for
Research and Management provides more information on health research issues.
A.4.4 Codes approved under the Privacy Act
The Privacy Act allows the Privacy Commissioner to approve codes to replace
the NPPs, as long as they include privacy protections that are at least the
equivalent of all the obligations within the NPPs. An organisation can subscribe
to an approved code and so be bound by it.
For more information about privacy codes see the Privacy Commissioner's Code Development Guidelines available on the Office web site, at www.privacy.gov.au.
Consent is relevant to many decisions about how health information is collected, used or disclosed.
Consent is not, however, required by the Privacy Act in all situations. The circumstances in which consent may or may not be required are discussed in more detail in Part B of this document.
To give some background, this section briefly explains the notion of consent as it relates to the handling of health information.
This section explains:
The Privacy Act states that, in the context of the NPPs, consent can be express or implied. Express consent is given explicitly, either orally or in writing. Implied consent is agreement that can be inferred from an individual's conduct.
Tip for compliance: If a health service provider has the consent of an individual to collect, use or disclose their health information, then the provider may work with the information within the limits of that consent.
A.5.1 Consent to the handling of personal information, not to medical treatment
Consent, as discussed in the Privacy Act and these guidelines, applies to decisions about how an individual's health information is handled. The Privacy Act does not cover consent to medical or dental treatment.
In practice, consent to the handling of information and consent to medical
treatment often occur at the same time, though they are distinct authorities
by the individual to do different things: to provide treatment and to
use health information in particular ways.
A.5.2 Key elements of consent
The key elements to consent are:
it must be provided voluntarily;
the individual must be adequately informed; and
the individual must have the capacity to understand, provide and communicate
their consent.
Consent must be voluntary - the individual must have a genuine opportunity to provide or withhold consent; that is, they must be able to say 'yes' or 'no' without extreme pressure which would equate to an overpowering of will.
Consent must be informed - the individual must know what it is they are agreeing to. In other words, the individual needs to be aware of the implications of providing or withholding consent, having received the information in a way meaningful to them and appropriate in the circumstances.
The individual must have the capacity to provide consent - the individual must be capable of understanding the issues relating to the decision, forming a view based on reasoned judgment and communicating their decision.
A.5.3 Express or implied consent
The Privacy Act states that consent may be 'express or implied'.
Express consent - refers to consent that is clearly and unmistakably stated, and can be obtained either in writing, orally, or in any other form where the consent is clearly communicated.
As a general rule, if a health service provider needs or wants consent and is in doubt about whether an individual is giving consent or not, it is preferable to seek express consent.
Implied consent - there are situations when health service providers may reasonably rely on implied consent by individuals to handle health information in certain ways.
Similarly, if a medical practitioner collects a specimen to send to a pathology laboratory for testing, it would be reasonable to consider that the individual is giving implied consent to the passing of necessary information to that laboratory.
Where there is open communication and information sharing between the health service provider and the individual, consent issues will usually be addressed during the course of the consultation. If the discussion has provided the individual with an understanding about how their health information may be used, then it would be reasonable for the health service provider to rely on implied consent.
Where consent is required from individuals for the collection and use of data for public health purposes, such as in relation to the establishment and maintenance of a disease register, it may sometimes be appropriate to take the approach of giving individuals the opportunity to opt out of being included on the register. The use of this approach by a health service provider would only be appropriate where individuals are clearly informed about the option to opt out and this is prominently presented and easy to adopt.
A.5.4 Consent on behalf of an individual
An individual cannot give valid consent if they lack the capacity to make an
informed decision.
An individual may be unable to give consent for a number of reasons, including because they:
A lack of decision-making capacity and privacy-related consent issues should not mean that individuals miss out on getting necessary health care, support and other services. Yet, neither should an individual's privacy rights be undermined unnecessarily by virtue of their inability to give consent.
There are complex issues to balance here, and a few factors to consider are:
Involve the individual in decision-making
Most people with disabilities are able to make their own privacy decisions and
have the legal right to do so. Health service providers will need to ensure
that privacy issues are discussed with the individual in a way that is understandable
and comprehensible, to the greatest extent possible in the circumstances.
Moreover, even if an individual lacks legal capacity, they should be involved
as far as is practical in decision-making processes.
Who may act on the individual's behalf?
When consent is required, and an individual lacks capacity, a health service
provider may need to consider who can act on the individual's behalf. There
may be a range of options, including:
In situations where there is no one available to act for an individual, the
health service provider may have to make decisions about appropriate handling
of the individual's health information. Professional and ethical obligations
and current accepted practices may provide guidance in these circumstances.
Children and young people
The Privacy Act does not specify an age after which individuals can make their
own privacy decisions. Determining the decision-making capabilities of a young
person can be a complex matter, often raising other ethical and legal issues.
Health service providers will need to address each case individually.
Section 2.9, Disclosure of health information to a responsible person,
gives further information on children and young people's competence to make
privacy decisions about the disclosure of their records.
Access
This involves a health service provider giving an individual information about
themselves. Access may include inspecting personal information or having a copy
of it.
Collection
A health service provider collects personal information if it gathers, acquires
or obtains personal information from any source and by any means. Collection
includes when a health service provider keeps personal information it has not
asked for or it has come across by accident.
Disclosure
In general terms, a health service provider discloses personal information when
it releases information to others outside the organisation. Disclosure does
not include giving an individual information about themselves (this is 'access',
see above).
Use
In general terms, use of personal information refers to the handling of personal
information within an organisation, including 'the inclusion of information
in a publication'.
Collecting Information
Only collect health information necessary for your functions or activities.
Use fair and lawful ways to collect health information.
Collect health information directly from an individual if it is reasonable
and practicable to do so.
At the time you collect health information or as soon as practicable
afterwards, take reasonable steps to make an individual aware of:
Storage and Maintenance
Take reasonable steps to ensure the health information you collect, use
or disclose is accurate, complete and up-to-date.
Take reasonable steps to protect the health information you hold from
misuse and loss and from unauthorised access, modification or disclosure.
Take reasonable steps to destroy or permanently de-identify health information
if it is no longer needed for any further purposes.
Use and Disclosure of Information
Only use or disclose health information for the primary purpose of collection
unless one of the exceptions in NPP 2.1 applies (for example, if it is for a
directly related secondary purpose within the individual's reasonable expectations,
if you have consent, or where there are specified law enforcement or public
health and public safety circumstances).
Only adopt, use or disclose a Commonwealth government identifier if particular
circumstances apply that allow you to do so.
Only transfer health information overseas if you have checked that you
meet the requirements of NPP 9.
Access (by the individual) to information
If an individual asks, give them access to the health information you
hold about them unless particular circumstances apply that allow you to deny
access - these include where there is a serious threat to life or health.
Openness
Have a short document that sets out your policies on how you manage health
information. Make it available to anyone who asks for it.
*This is a summary only and NOT a full statement of obligations. These are set
out in the NPPs themselves.
National Privacy Principles 1 and 10
These principles set out a health service provider's obligations when collecting health information. These include:
only collect personal health information with consent, except in specified circumstances including, but not limited to, emergencies, as required by law, or in circumstances relating to legal or equitable claims. A health service provider may also collect health information without consent, under special conditions, when providing a health service or when undertaking certain research or management activities;
take reasonable steps to ensure that individuals are aware of certain matters, including, but not limited to, who is collecting the information, the fact that the individual is able to gain access to the information and the purposes for which the information is collected;
only collect information necessary for the performance of the health service provider's functions or activities; and
collect information directly from the individual where this is reasonable and practicable.
Health service providers collect health information about individuals from
a number of sources, most often from individuals themselves. Information is
collected for a range of purposes though predominantly for providing health
care.
Both NPPs 1 and 10 regulate collection of personal health information. NPP 1
covers collection of all personal information, while NPP 10 places special conditions
on the collection of sensitive information, including health information. From
the perspective of health service providers, it is useful to consider these
principles together.
1.1 What is collection?
Meaning of collection
A health service provider collects personal information if it gathers, acquires, or obtains it. Information about an individual is collected if a health service provider receives it directly from the individual, or from somebody else, and retains it. Information that a health service provider comes across by accident, or has not asked for, but nevertheless keeps, is also collected.
The NPPs apply equally to the collection of solicited or unsolicited health
information.
Examples of collection include where a health service provider:
Collection occurs at the point where the health service provider first receives
the information. Subsequent passing of information between staff within the
health service provider organisation is 'use', and is discussed in Chapter 2.
Collection also occurs where the provider obtains new information from or about
the individual.
1.2 Collect only necessary information
NPP 1.1, NPP 10.1(c) & (e), NPP 10.2(a), NPP 10.3(a)
Information collected should be limited to what is necessary for the health service provider's functions and activities. This is of particular importance where information is collected without consent.
In assessing what is 'necessary', professional practice standards and obligations will be relevant.
This principle does, however, aim to limit situations where unnecessary information is collected, even unintentionally.
For example, a hospital may have a form with spaces to collect much standard
information, particularly where the form serves a number of purposes. Often,
people may have the impression that they must fill in all fields, even if this
is unnecessary.
1.3 Collecting information with consent
NPP 10.1(a)
A health service provider may only collect health information about an individual where they have that individual's express or implied consent to do so, or under certain other conditions described in the next section, Collecting information without consent.
In situations where health information is collected directly from the individual, the individual's consent to the collection could generally be implied as long as it is clear to them what information is being recorded and for what purposes. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the health service provider.
1.4 Collecting information without consent
There are a limited number of situations where NPP 10 allows a health service
provider to collect information about an individual without consent.
Professional rules of confidentiality of competent health or medical bodies
NPP 10.2
A health service provider may collect health information without an individual's consent when the collection is necessary to provide a health service, and where either the collection is carried out according to particular kinds of professional rules of confidentiality, or as required by law.
The rules dealing with obligations of professional confidentiality must be binding on the health service provider, and must be established by a competent health or medical body. Competent bodies might include medical boards and other rule-making bodies recognised in Commonwealth, State or Territory legislation. Binding rules are rules that must be followed, and generally, will give rise to some sort of adverse consequence if breached.
Laws requiring collection
NPP 10.1(b), 10.2(b)(i)
A health service provider can collect information without consent if there is a law requiring them to do so.
'Law' includes Commonwealth, State and Territory legislation, as well as the common law. Health service providers' legal obligations in this regard are generally set out in State and Territory legislation.
For example, under a number of State and Territory public health Acts, health professionals are required to keep a record of certain details about an individual who they believe has a notifiable disease. Notifiable diseases include tuberculosis, Legionnaires' Disease and HIV/AIDS.
Depending on jurisdiction, a health service provider may also be legally required
to record certain details while providing health services, such as about an
adverse event following immunisation.
Serious and imminent threats to life or health
NPP 10.1(c)
In situations where there may be a serious and imminent threat to the life or health of any person, a health service provider can collect, without consent, the information necessary to lessen or remove the threat.
This provision only applies where an individual is unable to provide or communicate their consent. This may include an emergency in which an individual is unconscious, or in significant distress or confusion, or otherwise unable to provide consent, and urgent treatment is required. This would include some acute psychiatric emergencies.
(Section 2.4, Serious threats to life, health or safety, and Section 6.7,
Information withheld in some situations, both provide further guidance.)
Information required for management, research or statistical purposes
NPP 10.3
This principle allows for collection related to management, research or statistics where it is impracticable to seek consent from the relevant individuals.
It applies where information is collected for research, or for the compilation or analysis of statistics, relevant to public health or public safety, or for the management, funding or monitoring of a health service. 'Management, funding or monitoring of a health service' may include some quality assurance and audit activities.
Health information may only be collected without consent for these purposes if seeking consent is impracticable, and de-identified information would not be sufficient. Where these preconditions exist, collection must be carried out either according to 'Section 95A Guidelines', or in accordance with binding rules of confidentiality issued by a competent health or medical body, or as required by law.
In this example, it will be assumed that it is impracticable to seek consent from the individuals involved, and that de-identified statistical data would be insufficient. The psychiatrist could then make use of the provisions of NPP10.3, for example by following the Section 95A Guidelines.
An example of collection for management, funding or monitoring of a health service would be an incident monitoring body, collecting information about dangerous incidents occurring in a private hospital.
For further information on this topic see Information Sheet 9 - 2001 Handling Health Information for Research and Management.
1.5 Advising individuals about information collected
NPP 1.3 and NPP 1.5
Advising the individual, at the time health information is collected, about how the health service provider will handle their information is an important part of protecting privacy.
Where health information is collected with consent, the advice given at the time of collection will also be important in ensuring that the individual is giving informed consent.
Where health information is collected without consent, the NPPs still require reasonable steps to be taken to inform individuals about how their information is to be handled.
Under NPP 1.3, when collecting personal information, including health information,
a health service provider must take reasonable steps to ensure that the individual
is aware of the following:
However, if the doctor is an employee of a large organisation, the identity of the organisation collecting the information may not be obvious to the individual.
|
Tip for compliance The time at which information is collected is often the ideal time to seek consent from the individual about future uses of their information. |
How to provide advice on these matters
According to NPP 1.3, 'reasonable steps' must be taken to 'ensure that the individual
is aware of' the matters listed above.
What steps are reasonable, if any, will depend on the circumstances. In many instances, such as when an individual visits their general practitioner, these steps will already occur as part of usual communication. Also, these issues usually only need to be addressed on a first visit by the individual, unless later changes to information-handling practices require that individuals be given updated information.
Thus, in many situations, a health service provider can inform the individual about how their information will be handled during discussion with them.
Another helpful method is to have a brochure or handout that provides general information on the health service provider's practices for handling and protecting health information.
Where a health service provider collects personal information on a form it could ordinarily satisfy its obligations under NPP 1.3 by including a statement on the form.
Where a health service provider collects personal information orally, a brief
notice could be displayed, covering all relevant information, with the provider
giving the individual more detailed information in a brochure.
|
Tip for compliance Care is needed to ensure that information given to the individual is clear, understandable, and relevant to the circumstances. |
If not practicable to advise at time of collection
NPP 1.3
There are situations where it may not be practicable to make the individual aware of all the matters listed earlier. If this is the case, reasonable steps should be taken as soon as practicable after the collection to notify the individual.
If a health service provider has limited time with an individual, they may choose (on balance with other health priorities) only to notify the individual, at the time, of the points most important to the individual in the context - this may be what is reasonable in the circumstances.
1.6 Collecting information lawfully, fairly and not intrusively
NPP 1.2
One of the requirements of this principle is that information must be collected by lawful and fair means, and this must not be done in an unreasonably intrusive way.
The principle reinforces a good practice approach to information collection.
Lawful collection
Essentially, for collection to be considered lawful, the manner in which information
is collected must not breach any State, Territory or Commonwealth law.
Fair collection
Collection of information is considered to be 'fair' if the approach taken is
open and not misleading, and if the individual is not coerced into providing
information against their will.
Intrusive Collection
An example of intrusive collection would be a situation when an individual is
required to disclose delicate information where they can be easily overheard.
|
Tips for compliance When a health service provider collects health information from an individual
in a place where they may be overheard, such as a waiting room or open
pharmacy, this should be done in a manner sensitive to the surroundings.
|
1.7 Collect from the individual where possible
NPP 1.4
Where it is reasonable and practicable to do so, a health service provider must collect information about an individual only from that individual.
Deciding whether or not it is reasonable and practicable to collect personal information directly from the individual depends on the circumstances and involves balancing a number of possible factors, including whether a reasonable person might expect their information to be collected directly or indirectly, how sensitive the information is and what is accepted practice (by consumers and the health sector).
When collecting health information from another source (other than the individual) NPP 10 still applies. This means that either the individual has consented to the indirect collection (either explicitly or impliedly), or collection without consent is allowable under NPP 10. Section 1.4, Collecting without consent, provides more information on this topic.
There are a number of situations where collecting health information directly from the individual may not be reasonable or practical, and the health service provider may need to collect information from another source. For example:
In circumstances where an individual lacks decision-making capacity and is in need of health services, a health service provider may need to collect information from others, such as carers. In some situations this could occur with the consent of a person representing the individual (Section A.5.4, Consent on Behalf of an Individual, may provide useful information).
However, where there is no one to act for the individual, the provider may
need to take decisions about collection in accordance with their professional
and ethical obligations and current accepted practices.
What to advise individuals when information is collected from another source
NPP 1.5
In situations where information is not collected directly from an individual, they still need to be given advice about NPP 1.3 collection issues. (Section 1.5, Advising individuals about information collected, gives further guidance.)
This advice is not required if it would pose a serious threat to the life or health of any individual. Therefore, if a health service provider receives information about an individual, and determines that giving the individual advice about the matters set out at NPP 1.3 would pose a serious threat to the individual's own life or health or that of any other person, the provider does not have to give the advice.
If health information is collected from a third party, for example another health service provider, and the third party has informed the individual of the NPP 1.3 matters (as they relate to the health service provider now collecting the information), then no further notice is required.
|
Tip for compliance When a health service provider collects information indirectly, they could ask the original collector to also advise about the NPP 1.3 information of the indirect collector. Depending on the circumstances, this could mean that the health service provider that collects the information originally would need to include the name of the health service provider that is going to indirectly collect the individual's information, the fact that the individual can get access to that information, the purposes for which the collection occurs and to whom the indirectly collecting provider might give the information. |
Where specialists (such as pathologists) collect information from a referring health service provider and do not personally see the individual, it may often be the case that the referring provider has gained consent (whether express or implied) to the disclosure of the information to the specialist, and to the collection by that specialist for the purposes of the referral.
|
Tip for compliance Where a health service provider, such as a pathologist, does not collect information directly from the individual, the pathologist could ensure the individual is aware of how their information will be handled (according to NPP 1.3) via the referring provider. Alternatively, the pathologist may decide to include this information with their bill or with their report from the referral. |
Medical history-taking
Collecting information about an individual's family members, for example when
taking a medical history, may involve collecting identifiable personal information
about those people. In some circumstances, the NPPs may require that family
members' consents be sought before collection occurs, and that they are informed
of the collection. However, generally, this is not in line with the necessary
and accepted practice of medical history-taking.
The Privacy Commissioner will ensure that the necessary collection of family
medical history information can continue through the use of other provisions
in the Privacy Act.
|
National Privacy Principle 2
This principle sets out a health service provider's obligations when using and disclosing personal information. These include:
· only use or disclose personal information for the primary purpose for which it was collected, or for directly related secondary purposes if these fall within the reasonable expectations of the individual, unless another exception under this principle applies;
· only use or disclose personal information in other ways if the individual gives consent (whether express or implied), or if one of the exceptions to this principle applies. The exceptions include, but are not limited to, uses or disclosures required or authorised by law, those necessary to prevent or lessen a serious or imminent threat to someone's life, health or safety, or for research provided certain conditions are met; and
· make a written note of any use or disclosure with regard to a law enforcement body, under NPP2.1(h).
The principle also deals with other matters, including when a health service provider can disclose health information to a 'person responsible' for an individual who cannot give or communicate their consent. |
This principle provides a framework for how a health service provider can use or disclose personal information. A use refers to the handling of information within an organisation while a disclosure refers to the transfer of information outside the organisation.
The importance of health service providers sharing personal information in many circumstances, during the provision of health services, is widely accepted by the community. In the health sector, the flow of personal information usually occurs in accordance with concepts such as sharing within the 'treating team' or 'on a need to know basis'. For many health service providers, the use and disclosure of personal information is already bound by the codes of practice or rules of confidentiality of their professions.
The Privacy Act provides for the continuation of necessary information handling practices in the health sector, within the new privacy scheme, through the combination of the primary purpose of collection, directly related secondary purposes, and consent to other uses and disclosures of health information. This combination is explained in more detail below.
The key to making this principle easy to meet is ensuring alignment between the expectations and understanding of the health service provider and those of the individual about what will be done with personal information collected. Providers need to pay most attention to those circumstances where expectations are not shared.
|
Tip for compliance Is there alignment between the health service provider's intentions and expectations for the use and disclosure of the information and those of the individual? If uncertain, the health service provider should check with the individual. |
2.1 The Primary Purpose and Directly Related Secondary Purposes
NPP 2.1(a)
This principle allows health service providers to use and disclose personal information in relation to the primary purpose for which it was collected, and directly related secondary purposes within the individual's reasonable expectations. These uses and disclosures can proceed without further consent from the individual. However, there will ordinarily be a strong link between what an individual has been told (about the proposed uses and disclosures) or has given consent to, and their 'reasonable expectations'.
The primary purpose is the main or dominant reason a health service provider collects information from an individual. Having a carefully determined primary purpose is part of privacy-sensitive, holistic health care.
Determining the primary purpose of collection should always be possible. When an individual provides, and a health service provider collects, personal information, they usually do so for a particular purpose; this is the primary purpose of collection - even if the health service provider has other additional purposes in mind.
When a health service provider collects personal information directly from an individual, the context in which collection occurs will assist in settling the primary purpose. When a health service provider collects personal information about an individual from someone else, the provider will often need to use or disclose it soon afterward. This use or disclosure offers a guide to the primary purpose of collection.
The concept of holistic health care recognises that a health service provider can treat an individual for a number of different complaints or ailments at a single time. In these circumstances, the primary purpose is linked to each of these conditions or ailments.
This principle also allows personal information to be used or disclosed without further consent if this occurs for reasons directly related to the primary purpose and these are within the reasonable expectations of the individual. These are uses and disclosures for directly related secondary purposes.
A reasonable expectation in these circumstances is what a reasonable individual
with no special knowledge of the health sector would expect to happen to their
health information. When an individual talks about the types of uses and disclosures
they expect regarding their personal information, this will generally need to
be taken into account when determining 'reasonable expectations'.
Implications for health service providers
In general, then, health service providers can proceed as usual, but need to
take care not to go beyond the expectations of the individual. If a provider
is uncertain, they could try to make sure the individual understands and expects
the proposed uses and disclosures or they could explicitly seek consent.
In most situations, an individual's expectations will be apparent through normal communication. Where the individual's expectations are reasonably clear, and the health service provider works within them, there are likely to be fewer privacy problems.
In the course of open communication between the provider and the individual, consent to collect health information is often implied, the expectations of the individual are better understood, and the individual may give consent to a range of other uses and disclosures necessary for further health care.
|
Tips for compliance When determining the primary purpose, health service providers should recognise that some individuals want to use health services in particular and limited ways. For example, the individual who goes to a sexual health centre seeking assistance in relation only to specific sexual health issues. When determining 'reasonable expectations', considerations for health service providers include the individual's age, gender or cultural, linguistic and socio-economic background. Expectation is more than awareness - telling someone about proposed secondary uses or disclosures may not necessarily create a reasonable expectation. A health service provider should consider the kind of person they are talking to, what their understanding is likely to be and therefore what they may reasonably expect. Indeed, if an individual expresses negative views, when made aware of a proposed secondary use or disclosure of their personal information, this would ordinarily indicate that they would not reasonably expect that use or disclosure to occur. |
Sharing information with other health service providers: primary purpose, directly related secondary purposes or with consent
The multi-disciplinary team approach to health care is common to the Australian
health system. Under this approach practitioners work together and share necessary
information, usually in accordance with codes of practice, to deliver optimum
patient care.
Health service providers involved in care and treatment for the primary purpose and/or directly related secondary purposes would usually not need to seek further consent for necessary uses and disclosures. This will, however, depend on the circumstances of the case and the needs and wishes of the individual.
Other examples of necessary information sharing, which would usually fall within reasonable expectations are:
Some individuals want or need to use health services in specific ways. For instance, someone may seek care and treatment through a particular health service provider, wanting to tell certain information only to that provider. Therefore, it is likely there will be circumstances where a health service provider needs to seek consent before sharing information with another provider. This may include some second opinions.
When collecting information, it may be advisable to discuss with the individual how the team-based approach to treatment will affect the handling of personal information.
Information on other directly related secondary purposes in the health sector
Directly related secondary purposes may include many activities or processes
necessary to the functioning of the health sector.
Where the use or disclosure of de-identified data will not suffice, and provided
it is within the reasonable expectations of the individual, no extra steps need
be taken when using or disclosing relevant personal information in circumstances,
such as:
|
Tip for compliance Good privacy would include referring to these types of activities in
the health service provider's information handling statements or brochures. |
2.2 Other Secondary Uses and Disclosures, not directly related
Many other secondary uses and disclosures will best be authorised by consent
(whether express or implied). However, the principle also allows for some uses
and disclosures, without consent, in limited circumstances. These are discussed
in the sections below.
| Note: NPP2 provides for the disclosure of health information with or without consent, in particular circumstances, as listed in the exceptions to the principle. However, in the absence of a legal requirement to do so, nothing in NPP 2.1 obliges a health service provider to disclose personal information. Professional codes of practice will generally offer guidance in these circumstances. |
2.3 Uses and Disclosures with Consent
NPP 2.1(b)
A health service provider can use or disclose personal information for almost any purpose if they have the consent of the individual.
This section discusses some of the uses and disclosures for which consent is
most likely to be necessary.
Training and Education
It is important for health service providers to be able to train in 'real life'
environments. Training and education, in some cases, may be as effective by
using de-identified case studies, or in the case of IT training through using
simulated data. If a health service provider uses de-identified information
for training, consent is not required.
Where the use of health information is necessary for training purposes, the sensitivity of such information needs recognition as some individuals seeking health care may not want their information disclosed any more widely than is necessary to receive care. These individuals may not want their information used for training or education activities.
The use of information for training and education will therefore usually require the individual's consent.
|
Tips for compliance Whether consent is needed may depend on the nature of the training activity and the expectations and wishes of the individuals involved. Intrusive training activities, or those less closely linked with service provision, are more likely to require express consent. For instance, videotaping a family therapy session, when the identities of participants will be revealed, is highly likely to require express consent. Where consent is sought, the individual should have a genuine choice and not be pressured to participate. The individual should be told about the specific nature of the activity and the student group involved. |
Media
Ordinarily, the disclosure of personal information to the media by a health
service provider is not permitted without consent.
Examples of media requests to health service providers include:
· an accident or suspected crime, where the media is interested in the
extent or nature of the injuries sustained by those involved, particularly if
a person of public notoriety may be involved; or
· where there is a negligence claim against a health service provider
and the media seeks a public interest story.
|
Tip for compliance Information could be released to the media if it would not identify any individual, and not allow them to be identified from details about the incident or surrounding circumstances. However, even generic statements may identify a person in some circumstances. |
Fundraising
Ordinarily, information collected by a health service provider during the provision of health services cannot be used for fundraising without consent.
A health service provider could only use personal information for fundraising if it was collected primarily for that purpose.
For example, a fundraising section of a private hospital may want to write to former patients asking for donations. The section wishes to use only names and addresses to do so. However, an individual's name and address, collected in the course of providing a health service, is regarded as 'health information'. Seeking donations using this information would not be a directly related secondary purpose, nor within reasonable expectations. The hospital would need consent to use the information in this way.
Direct marketing
NPP2.1(c) provides for the use or disclosure of personal information, for direct
marketing without consent, in certain circumstances. This provision does not
apply in relation to sensitive information including health information, and
therefore is not open to health service providers.
Ordinarily, direct marketing using health information would not fall within the reasonable expectations of most individuals.
|
Tip for compliance Care should be exercised with uses and disclosures that may be seen as direct marketing, and consent sought if the nature of the circumstances is unclear. |
Transferring records to another health service provider on request
If an individual wants to transfer their care to another health service provider,
they can authorise the disclosure of health information from the original provider
to the new provider. A copy of this information could be transferred in this
way.
However, if the original provider declines to transfer the information, then under NPP 6 the individual may request access to the health information and seek a copy. Unless an exception under NPP6 applies, the provider is obliged to give a copy of the record to the individual, who can then take it to the new health service provider.
2.4 Use and disclosure necessary for research and statistics relevant to public health or public safety
NPP 2.1(d)
In limited circumstances, this provision allows uses or disclosures of health information for research purposes, or for the compilation or analysis of statistics without consent, where these activities are relevant to public health or public safety. That is, the research must be about, or the statistics related to, public health or safety.
Health information may be used or disclosed without consent for these purposes,
only if:
When deciding whether a use or disclosure is 'necessary' for research or statistics, a health service provider must consider whether employing de-identified information would be sufficient. If de-identified information would suffice, the provider cannot use this principle to justify using identified information.
Whether it is impracticable to seek consent will depend on the particular circumstances
of the case. Simply incurring some expense, or having to exercise some effort
to seek the consent of individuals whose information is to be used or disclosed,
would not ordinarily make it 'impracticable' to seek consent. Circumstances
where it may be impracticable to seek consent could include where there are
no current contact details for the individuals in question and where there is
insufficient information to get up-to-date contact details. This might occur
in longitudinal studies of old records.
|
Tip for compliance It is advisable to include some information in the health service provider's information handling policies or patient brochures if the provider is regularly involved in these kinds of research projects. This may assist in advising individuals who use the service about how their data may be used or disclosed for research activities. |
For further information on this topic see Information Sheet 9 - 2001 Handling
Health Information for Research and Management.
2.5 Serious threats to life, health or safety
NPP 2.1(e)
In limited circumstances, a health service provider may need to use or disclose
personal information to lessen or prevent:
This exception allows for such uses and disclosures and generally relates to emergencies. Depending on the circumstances, this exception can allow disclosures to the police service or other government authorities, such as a community services department or mental health crisis team. The exception also allows for disclosure to an individual whose life, health or safety is threatened.
A 'serious and imminent' threat to an individual's life, health or safety relates to harm that could be done to any person (including the individual seeking treatment and care).
A 'serious' threat must reflect significant danger, and could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness. Alternatively, it could include the threat of infecting a person with a disease that may result in death or disability. A threat could also relate to an emergency, following an accident, when an individual's life or health would be in danger without timely decision and action.
A threat is 'imminent' if it is about to occur. This test could also include a threat posed that may result in harm within a few days or weeks. It is much less likely to apply to situations where the risk may not eventuate for some months or longer.
A 'serious' threat to public health or public safety relates to broader safety
concerns affecting a number of people. This could include the potential spread
of a communicable disease, harm caused by an environmental disaster or harm
to a group of people due to a serious, but unspecified, threat.
2.6 Use and disclosure regarding suspected unlawful activity
NPP 2.1(f)
This provision recognises the legitimate function of an organisation, including a health service provider, in investigating (internally) and reporting suspected unlawful activity. Usually, but not in all cases, the suspected unlawful activity would relate to the operations of the health service provider.
Such investigations may include the internal handling of complaints or allegations regarding professional misconduct, sexual harassment or assault and the reporting of them to the police or another relevant person or authority.
For further guidance on this topic see Information Sheet 7 - 2001 Unlawful
Activity and Law Enforcement.
2.7 Use or disclosure required or authorised by law
NPP 2.1(g)
The Privacy Act recognises other legal obligations to use or disclose personal information. 'Law' in this context includes Commonwealth, State and Territory legislation, and the common law.
If the law requires that a health service provider use or disclose information, the provider must do so. Examples of such requirements include the mandatory reporting of child abuse (under care and protection laws) or the notification of diagnoses of certain communicable diseases (under public health laws).
Disclosure must occur if there is a warrant or law requiring the health service provider to do so.
If the law authorises the use or disclosure of information, the health service provider can decide whether to do so or not - the legal authority exists, but the provider has discretion.
|
Tips for compliance The Privacy Act does not compel a health service provider to use or disclose personal information, but other law may do so. Where a use or disclosure is authorised by law, health service providers' professional codes of practice and ethics may offer relevant guidance. Other disclosures in the health and welfare sectors, under this provision, would include those to guardians or administrators (depending on the decision-making powers conferred upon them) and to guardianship, administration and mental health tribunals. |
For further guidance on this topic see Information Sheet 7 - 2001 Unlawful
Activity and Law Enforcement.
Courts and legal proceedings
At times, health service providers may be called to disclose health information
to Courts or Tribunals.
If served with a subpoena or other form of Court order requiring the production of documents to the Court, a health service provider is generally required by law to provide the documents identified in the order.
However, Court orders may be challenged and may not require production of all documents held by a health service provider (such as those for which legal professional privilege may be claimed by the provider). If a health service provider has concerns about the information required to be produced by a Court order, or is unsure how to proceed, they could seek advice via the Registrar of the Court or Tribunal which issued the order, a legal adviser or their professional body.
2.8 Use and disclosure and enforcement bodies
NPP 2.1(h)
This provision permits a health service provider to use or disclose personal information, where they have a reasonable belief that this is reasonably necessary for a range of functions or activities carried out by, or on behalf of, an enforcement body. An enforcement body in this context includes the National Crime Authority, the Australian Customs Service and other Commonwealth, State or Territory authorities established under law to conduct criminal investigations or inquiries.
Permitted uses and disclosures could relate to suspected unlawful activity, criminal offences or other breaches of law, suspected improper conduct or preparation for and conduct of Court or Tribunal proceedings. This is not an exhaustive list; refer to NPP 2.1(h) for more information.
The Privacy Act does not intend to interfere with health service providers' legal obligations, which might already affect the use and disclosure of personal information. For example, this provision does not override the duty of confidentiality between a medical practitioner and an individual. A health service provider is entitled not to disclose personal information if there is no law that requires it.
However, the Privacy Act does not intend to deter health service providers from lawfully co-operating with agencies performing law enforcement functions. Police and other enforcement bodies are generally reliant on voluntary co-operation to provide information.
Many health service providers, including mental health or drug and alcohol workers, general practitioners and counsellors, treat people who engage in unlawful activity. These individuals need to have access to health services in confidence, particularly for treatment of health issues intrinsically linked to unlawful behaviour. Usually, this approach sits at the core of the 'harm minimisation' model in dealing with a range of 'at risk' behaviours.
When considering a request for such a disclosure, the importance of maintaining the individual's confidentiality must be balanced with the public interest in the investigation and enforcement of the criminal law.
Tips for compliance
Before deciding to use or disclose health information under this provision, health service providers should consider:
· the risks associated with a disclosure without the individual's consent or knowledge, balanced against the implications of non-disclosure;
· their relevant professional and ethical obligations; and
· whether the circumstances indicate a serious and imminent threat to the health, life or safety of any person.
If a health service provider discloses information under this provision, the Privacy Act requires that a written record be kept.
The NPP Information Sheet on Law Enforcement and Regulatory Activity has more information on this issue.
2.9 Disclosure of health information to a responsible person
NPP 2.4, 2.5 and 2.6
These provisions allow for the disclosure of health information by a health service provider to a 'person responsible' for an individual (including a partner, family member, carer, guardian or close friend), if that individual is incapable of giving or communicating consent.
Disclosure can occur:
The disclosure should be limited to the information that is reasonable and necessary to achieve either of the above purposes.
Disclosure cannot occur if this is contrary to wishes expressed by the individual before losing the ability to give or communicate consent, and the health service provider is aware, or could reasonably be expected to be aware, of these wishes.
A disclosure for compassionate reasons could include a doctor telling an individual's partner about the extent of the individual's injuries and their prognosis following a car accident.
The Privacy Act defines a 'person responsible' as:
Tips for compliance
Professional judgement will assist when deciding if someone is a 'person responsible' - considerations will include the nature of the relationship between the person and the individual.
Depending on the circumstances, 'a person who has an intimate personal relationship with the individual' may include a same-sex partner, someone in a close relationship or friendship with the individual, or a companion or carer of the individual.
The Privacy Act does not specify that a parent must be a 'custodial parent'. This allows flexibility in judgement when determining to whom to disclose information.
In determining whether to disclose information to a 'person responsible', a provider will need to consider whether this would be contrary to any known wishes of the individual (previously expressed), whether it is necessary for care and treatment or is for compassionate reasons.
Disclosure of information to a 'person responsible' does not, in itself, represent an entitlement for that person to make health care or medical treatment decisions for the individual.
Where an individual has no one to act on their behalf, a health service provider may need to decide how best to use and disclose the individual's health information, to ensure they gain necessary treatment, care and services. Health service providers' professional and ethical obligations and standards of accepted practice are likely to offer guidance in these circumstances.
However, this principle does not provide the basis for disclosure to other service providers, organisations or professional carers. Section 2.1, The Primary Purpose and Directly Related Secondary Purposes: Sharing information with other health service providers, includes further information about these sorts of disclosures.
Disclosure and the records of children and young people
This provision recognises that, where a child or young person is not competent to make their own privacy decisions, a health service provider can discuss the young person's health information with a parent. Where the health service provider considers it appropriate, this may include showing the child or young person's health record to a parent.
However, in circumstances where a young person is capable of making their own decisions regarding their privacy, they should be allowed to do so.
Determining competence can be complex, and will lead to the health service provider having regard to the young person's maturity and their understanding of the relevant circumstances. There will be younger persons, in certain circumstances, who have attained sufficient competence (maturity and understanding) to make their own decisions. Conversely, there may be older teenagers who lack such competence. Health service providers will need to deal with each case subject to its circumstances.
Tips for compliance
Judgements about a young person's competence could involve consideration of their ability to understand the current issues and circumstances, their maturity and degree of autonomy, and the type and sensitivity of the information to be disclosed.
Existing laws covering health service providers' obligations in relation to children or young people and their confidentiality vary between States and Territories. These laws may offer further guidance in determining a young person's competence.
If the young person is not competent, their views should still be considered; so too, the risks and benefits of disclosure in the circumstances. A parent will not necessarily have a right to their child's information.
Complexities arise when a parent seeks information about their child, but the child explicitly asks that certain health information not be disclosed to that parent. For instance, a child may reasonably be seeking health services in confidence, to address drug and alcohol, sexuality, suicide, depression and other mental illness or pregnancy issues. The provider may consider it appropriate, in the circumstances, to keep such a confidence.
In exceptional cases, a health service provider may also decide not to disclose health information collected from a much younger child. This would generally relate to a risk of serious and imminent harm posed to the child, or others, if disclosure took place. For example, if a parent is abusive toward a child or other family members, a health service provider may decide there are reasonable grounds to believe a disclosure of the child's health information would result in greater danger.
National Privacy Principle 3
Under this principle health service providers must take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, complete and up-to-date.
Health service providers need to take reasonable steps to ensure the integrity of personal information when they collect, use or disclose it. However, providers are not required to check all data continually.
Benefits in maintaining quality health information can include its reliability in supporting informed decisions about health care and treatment and its role in facilitating the continuity of care when a new health service provider becomes involved, whether temporarily or permanently. Risks relating to poor data integrity can include the misrepresentation of an individual's health condition.
Tips for compliance
Health service providers are encouraged to think about where inaccuracy, incompleteness and lack of currency of personal information will most likely detrimentally affect individuals.
Factors to consider when determining 'reasonable steps' to ensure data quality may include:
· whether the information changes over time;
· how recently it was collected;
· how reliable it is likely to be - this may include professional judgements about whether, or what, clinical information requires verification;
· who provided the information; and
· how it will be used.
If a health service provider uses information soon after collecting it from the individual, it probably does not need to be checked. If the information is collected from another source, the need to confirm its integrity may increase.
Where information is not in use (for instance, if it is stored in archives), it would generally be reasonable to take no action in relation to the standards in this principle.
National Privacy Principle 4
This principle requires that a health service provider take reasonable steps to:
· destroy or permanently de-identify health information that is no longer needed.
4.1 Data security
This principle requires a health service provider to have security safeguards in place to protect health information. These safeguards apply to personal information held in paper form, electronically, as film (such as x-rays) or photographs, and on audio or videotape (perhaps collected via tele-medicine).
If personal information is not securely stored and managed there is an increased risk of privacy breaches. Therefore, the principle requires that steps be taken to protect information against both accidental loss and intentional breach.
Practices that may lead to breaches of security include:
Tips for compliance
Determining reasonable security measures will depend on the circumstances. Relevant factors to consider could include:
· the harm likely to result if there is a breach of security;
· the form in which the information is stored (on paper, electronically or video), processed and transmitted; and
· the size of the organisation and the cost-effectiveness of the options available.
Examples of reasonable steps could include:
Tip for Compliance
Health service providers can get additional assistance and information on data security from a range of sources. For example, providers could refer to relevant national standards such as AS/NZS ISO/IEC 17799:2001 and AS/NZS 7799.2:2000 developed by Standards Australia (more information can be found at www.standards.com.au).
For further guidance on this topic see Information Sheet 6 - 2001 Security and Personal Information.
4.2 Destruction or permanent de-identification of health information
This principle requires that information no longer needed for further uses or disclosures be destroyed or permanently de-identified. This information could include records no longer required for treatment and care, or for health service management, monitoring or evaluation, or for legal reasons.
Health information is highly valuable for many reasons, most importantly for an individual's on-going health care, but sometimes also for wider public health and safety reasons. Some State and Territory legislation, or guidelines issued by health professional organisations, require or recommend the retention of health information by health service providers for varying periods of time. Where there is a legal requirement to retain health information, this must be followed.
There is a need to balance, amongst other things, benefits to health care with privacy when deciding how to proceed with the destruction of health information. However, health service providers will need to consider the risks in keeping health information for longer than is necessary, as this may increase the risk of privacy breaches.
Tips for Compliance
Considerations regarding the retention or destruction of health information might include:
· the benefits and risks of keeping the information;
· the likely significance of the information for the individual's future care or for future public health knowledge or research; and
· its possible importance in relation to new reproductive and genetic technologies.
Alternatives to destroying health information could be considered, and may include archiving data securely or keeping summary or statistical information, where this is sufficient.
National Privacy Principle 5
Under this principle, a health service provider must have a document that clearly sets out its policies on handling personal information. It must make this document available to anyone who asks for it. On request, a health service provider must also take reasonable steps to let a person know what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
5.1 A privacy policy
An organisation is required to develop a document explaining its policies on handling personal information. This document is often referred to as a Privacy Policy.
The detail and length of the policy will depend on the size of the organisation.
The Privacy Policy can be made available in a number of ways, depending on what is most effective in the circumstances. For example, it could be:
When deciding how best to make the policy available, a key factor will b