
CHAPTER 8
HEALTH SERVICES AND RESEARCH


Introduction

1. The Office submits that the existing provisions of the Privacy Act have generally met individuals' expectations regarding the handling of their health information. As well as this, the Office believes the existing provisions afford appropriate regard to the needs of health service delivery and medical research.

2. However, the Office notes in this chapter that there is a strong need to clarify the application of the Privacy Act to private sector health service providers. Section 3 of the Privacy Act should be amended to make clear that the National Privacy Principles 'cover the field' for the regulation of private sector health service providers. This would address a key source of uncertainty and potential fragmentation in health privacy regulation in Australia.

3. The Office also notes that the proposed National Health Privacy Code (NHPC) has not been adopted by the relevant jurisdictions since the Office's Private Sector Review was released. In light of changed circumstances, the Office considers that the objectives of national consistency and higher privacy protection for health information can be best achieved through certain amendments to the NPPs, or the adoption of a single set of principles as discussed in Chapter 4.

4. While comfortable that the existing principles work well, the Office makes a number of recommendations regarding areas of health privacy regulation where the law could be enhanced. These include in regard to access, including the role of intermediaries, as well as information handling obligations where a health service closes or where an individual wishes their records transferred. The Office has also suggested that, among other things, the principle regulating the collection of health information without consent and where 'necessary to provide a health service' could be usefully amended.

5. In regard to health and medical research, the Office submits that the existing regulatory framework affords individuals an appropriate degree of assurance that their personal health information will not be misused, particularly where it is handled without their consent. The Office draws attention to provisions where regulatory complexity could be reduced, particularly by harmonising the enabling provisions for the section 95 and 95A mechanisms.

8-1 Does the regulation of health information require a different and separate set of privacy principles to those used to regulate other sensitive personal information?

6. Consistent with the second reading speech for the Privacy Amendment (Private Sector) Bill 2000, the community expects that health information will be afforded privacy protections that are in addition to those applying to non-health information.

7. In that speech, the then Attorney-General, the Hon Daryl Williams QC, said:

'The government recognises that the Australian public considers their health records to be particularly sensitive. ... The bill provides additional protections in relation to the use and disclosure of health information, as such information is clearly considered by the community to be particularly sensitive.'[280]

8. The Office's own community attitude research, conducted in 2001 and 2004,[281] supports the view that many individuals feel that their personal health information is particularly intimate and should be handled with sensitivity.

Importance of health privacy

9. The justifications for this view on the importance of health privacy are well established, including that such information could, if handled inappropriately, lead to individuals being discriminated against, including for employment, housing and insurance purposes. Similarly, individuals may suffer hurt and embarrassment where their personal health information leads to marginalisation or stigmatisation. Personal and familial relationships could be damaged by the disclosure of health information that the individual understood would remain confidential.

10. As a consequence, if individuals do not believe that their personal health information will be treated privately, they may avoid treatment or withhold information that may be crucial to their clinical care. As well as affecting the health of the individual, this absence of trust could also have broader public health consequences, particularly where a condition is contagious or could be linked to causal environmental factors that may otherwise be able to be mitigated. Similarly, the efficient delivery of health services may be hindered where individuals are hesitant to seek treatment at early stages of their condition before their symptoms require more intensive or chronic care.

11. The strong tradition in the health sector of confidentiality and adherence to ethical values reflects the underlying importance placed on the appropriate handling of individuals' personal health information. The role for health privacy regulation is to build upon such values to ensure that evolving community expectations remain fulfilled, particularly in an environment where information is increasingly and routinely collected and stored in electronic form.

Additional protections within existing regulation

12. While recognising the importance of additional privacy protections applying to health information, the Office submits that such protections are likely to be able to be accommodated within the existing regulatory framework of the Privacy Act.

13. In responding to Chapter 8 of ALRC Issue Paper 31 (IP31), the Office proposes a number of measures, detailed in later questions, that would enhance health privacy regulation. The Office is, however, of the view that such measures could be accommodated within the principle-based framework already existing (or equally, within the unified principle-based framework proposed earlier in this submission in response to questions 4-34 and 4-35).

14. Accordingly, the Office submits that health privacy regulation could be enhanced by building upon existing provisions, without the necessity of an additional instrument or an entirely new set of principles. In the event that the Office's proposal for a single set of principles is adopted, these enhancements could be incorporated into the new set of principles.

15. The Office understands that other stakeholders may hold differing views on this matter and would prefer a separate regulatory instrument specifically for the health sector. The Office submits that a uniform and coherent approach to privacy regulation is best served by incorporating privacy protections into a single body of regulation.

16. A single body of regulation is also likely to reduce regulatory complexity for those agencies and organisations that handle both health and non-health information. The existence of separate sets of principles may create confusion by requiring agencies and organisations to refer to different instruments, depending on the type of personal information they are handling at any given time.

Refinement rather than restructure of health privacy regulation

17. The Office believes that, overall, health service providers have achieved a high level of compliance with and understanding of the NPPs. While some specific issues remain, it is the Office's view that a number of these could be effectively addressed through enhanced communication and education campaigns by the Office. In its Private Sector Review, the Office committed to providing such guidance on a number of specific areas, including those addressed later in response to questions 8-9, 8-17 and 8-20.

18. Where specific amendments are likely to be appropriate, including as proposed in response to questions 8-13, 8-15, 8-21, 8-22 and 8-24 (amongst others), the Office submits that it could work with consumers and providers to implement these reforms while building upon the established body of understanding that has developed since the NPPs were introduced in 2001. In contrast, creating a new and separate set of privacy principles could risk undermining the awareness and understanding developed by the sector and the community since the NPPs were introduced.

19. The Office submits that an entirely new regulatory instrument for health privacy should only be pursued where there is clear evidence of substantial and manifest failings in how the existing principles have worked. As suggested above, the Office believes that the existing principles and regulatory framework have broadly functioned well since their inception in 2001. While the current review provides an opportunity to refine and improve existing regulation, there does not appear to be a compelling reason that warrants the wholesale reform of the principles regulating health privacy. Such a process, even where pursued with care, would leave open the risk that extensive new and untested regulation may lead to unintended or undesirable consequences.

20. Further, substantial reform of health privacy regulation raises the risk, at least in the medium term, of undermining regulatory stability and promoting regulatory complexity. Investments made by stakeholders in developing compliance skills with the existing regime may be wasted.

21. Further, the Office notes the potential logical inconsistency that may emerge if the existing two sets of principles were unified (as the Office has advocated in response to questions 4-34 and 4-35), while at the same time a new and separate set of principles were being introduced for a specific sector.

22. Accordingly, in the absence of a clear objective basis for pursuing a separate regulatory instrument for health information, the Office submits that enhanced health privacy regulation should be given effect as part of a unified set of privacy principles.

Ensuring any new health privacy protections are equivalent to existing measures

23. The Office submits that if a separate instrument were pursued for health privacy regulation then it must be drafted on the basis that the protections offered will be at least equivalent to those already provided by the Privacy Act. This could be done by maintaining a single set of principles, though retaining the flexibility to make binding guidelines on matters of detail. Such guidelines should not derogate from the protections afforded in the principles. This 'equivalence' test is consistent with the existing s18BB of the Privacy Act, which requires that any industry privacy code must offer protections that are at least equivalent to those in the NPPs. As detailed below in response to questions 8-3 and 8-4, it is noted that the Office does not believe that the proposed National Health Privacy Code (NHPC) meets this test of affording equivalent protections.

Question 8-1

Office position:

  1. The Office believes that a separate health-specific set of principles is unnecessary. Health privacy regulation can be enhanced by building on the basic content of existing provisions.
  2. The Office suggests that if a separate instrument is pursued for health privacy regulation, it should ensure that the protections offered will be at least equivalent to those already provided by the Privacy Act and that this instrument should be located in the Privacy Act.

8-2 Should s 3 of the Privacy Act be amended to state that the Act is intended to regulate the handling of health information in the private sector to the exclusion of state and territory legislation?

24. The Office has previously stated that:

'The best advice available to the Office is that where an act or practice is regulated by the Commonwealth Privacy Act, then it is not regulated by a State or Territory Privacy Act. On this basis, the State and Territory health privacy Acts are restricted in their application to the relevant State or Territory public sector, and perhaps aspects of the private sector which are exempted from the Privacy Act 1988 (e.g. certain small businesses and certain acts or practices relating to employee records).'[282]

25. Equally though, the Office has recognised that the matter is not fully settled and that other parties may have differing advice. The Office has said that this lack of certainty:

'... creates a major potential obstacle to effective and consistent privacy regulation in the Australian federal system. This may result in consumers not knowing where they should go to resolve issues about their health information. It could also create problems for those covered by the legislation, as organisations will not understand their obligations and the standards they have to meet.'[283]

26. The Office submits that amending section 3 of the Privacy Act to make clear that its provisions 'cover the field' for the regulation of Australian Government agencies and private sector health service providers would be a significant step toward reducing possible uncertainty for those bodies.

27. The Office submits that inconsistency between how state and territory jurisdictions regulate their own agencies, while a significant issue, is less crucial than eliminating those circumstances where there is uncertainty in the private sector as to which jurisdiction applies. The Office suggests that the Privacy Act could serve as a useful model for jurisdictions in preparing their own legislation.

Question 8-2

Office position:

  1. The Office recommends s 3 of the Privacy Act be amended to make it clear that the Privacy Act covers the field for Australian Government agencies and the private sector including private sector health service providers.

8-3 Is the draft National Health Privacy Code an effective way to achieve a nationally consistent and appropriate regime for the regulation of health information? If so, what is the most effective model for implementing the draft National Health Privacy Code? If not, what other model should be adopted to achieve a nationally consistent and appropriate regime for the regulation of health information?

28. The Office supports the notion of consistent, and preferably uniform, health privacy regulation. However, such protection must be consistent with the Parliament's intention in passing the private sector amendments that health information be afforded 'additional protections in relation to the use and disclosure of health information, as such information is clearly considered by the community to be particularly sensitive.'

29. As noted in the Office's 2002-03 Annual Report,[284] the Office held observer status on the working group that negotiated the content of the proposed NHPC. Accordingly, and consistent with its observer status and with its role as a potential 'Code approver', the Office had limited input to the development of the content of the proposed code.[285]

30. The Office notes that in a number of significant areas, particularly concerning the collection, use and disclosure of health information, it is questionable whether the proposed NHPC would be likely to be equivalent to the protections of the NPPs. These areas are detailed below in response to questions 8-11, 8-15, 8-18 and 8-21.

31. In addition, in a number of areas, the proposed code seems unwieldy, complex and overly prescriptive and, hence, inconsistent with the established light-touch approach to privacy regulation.

Current status of proposed NHPC

32. The Office notes that a copy of a proposed code is available from an archived webpage maintained by the National Library of Australia.[286] This version is marked as a 'proposed National Health Privacy Code' and dated August 2003. This archived webpage, originally created by the Department of Health and Ageing, explains that:

A revised version of the Code, draft mandatory guidelines for research, and draft explanatory notes for the use or disclosure of genetic information will be considered by Health Ministers in late 2004.

33. However, the Office is not aware that any subsequent agreed version is publicly available, or whether any further substantive progress has been undertaken toward implementing the instrument, nor toward finalising the various guidelines that are referred to in its provisions. Accordingly, it appears highly uncertain whether finalising and implementing the proposed NHPC remains a priority for jurisdictions. Incorporating it into the Privacy Act would, therefore, not resolve inconsistencies between the regulation of privacy in the public health systems and the private sector, but may instead reduce the protections currently applying to health information under the NPPs.

34. The Office also notes that national consistency may not, in itself, be adequate to address existing complexity. This is because consistency can be taken as merely providing that various regulatory regimes are not inconsistent, though they may still provide different obligations, whether substantive or on matters of detail. The ultimate value of any regulatory instrument agreed to and implemented by all jurisdictions is more likely to depend on uniformity, whereby the same obligations would apply in each jurisdiction.

35. In contrast, the Office submits that amendment to section 3 of the Privacy Act, as suggested in the response to question 8-2 would significantly reduce the degree of regulatory overlap and complexity for the private sector in those jurisdictions where local law purports to impose regulation. This would, by itself, be a significant step forward in reducing regulatory uncertainty and promoting national uniformity for the regulation of the Australian Government and private sectors.

36. Accordingly, the Office submits that the proposed NHPC, in its current form, would not be an appropriate or effective regime for the regulation of health information.

37. The proposed NHPC may, however, serve as a useful resource document by providing a range of options that could be adopted to enhance privacy regulation. This could include on matters about which the Privacy Act is currently silent (such as those discussed in questions 8-22 and 8-24).

Question 8-3

Office position:

  1. The Office recommends the proposed National Health Privacy Code should not be adopted as an instrument for regulating health information. The Privacy Act, with amendments where necessary, should cover the field with respect to private-sector health regulation.

8-4 If the draft National Health Privacy Code is not implemented nationally, should the Australian Government adopt the Code as a schedule to the Privacy Act?

38. As discussed in question 8-3 and detailed below in response to various questions, the proposed NHPC would be unlikely to afford overall protections that are equivalent to those offered by the existing NPPs. It would seem an undesirable outcome for reform of privacy law to result in a lessening of privacy protections for health information.

39. Further, as noted in question 8-3, the Office is not aware of substantive progress by the various jurisdictions, since 2003, toward implementing the proposed NHPC nor preparing the necessary guidelines referred to in its provisions. In the absence of evidence of such progress, the Office submits that the proposed NHPC should be set aside and health privacy reform progressed through amendment to the existing NPPs.

40. As also noted above in question 8-3, the proposed NHPC may still offer value as a resource describing a range of possible regulatory options for the Privacy Act.

Question 8-4

Office position:

  1. The Office recommends the proposed National Health Privacy Code should not be adopted as a schedule to the Privacy Act. Health privacy reform, where necessary, should be pursued through amendment to the existing NPPs.

8-5 Do electronic health information systems require specific privacy controls over and above those provided in the Privacy Act or the draft National Health Privacy Code?

41. As outlined below, the Office has previously advocated that electronic health information systems should be accompanied by specific legislative measures to ensure community confidence that personal health information will be handled privately.

Potential benefits of shared electronic health record systems

42. The Office has previously noted the potential benefits that may accrue to individuals and the broader community through the use of shared electronic health records (SEHRs). Such systems have the potential to deliver financial savings to the health sector as well as facilitating improved electronic linking of health information for clinical and health research purposes in the public interest. They may also improve the efficiency for individual providers by reducing the amount of time they spend obtaining patient information. Most importantly, such systems may improve clinical treatment by enhancing information flows between health service providers.[287]

Privacy challenges raised by SEHRs

43. However, the Office has also noted that such systems have the potential to vastly increase the capacity to collect, store, copy, transmit, share and manipulate health information, including in ways not expected by individuals. There is greater potential for health information collected for one purpose to be used or disclosed for other purposes increasingly unrelated to the reason for which it was initially collected (the 'function creep' phenomenon). This potential is enhanced by the IT-enabled ability to link data from disparate sources, including possibly from beyond the health sector.

44. Given these risks, and the importance of ensuring that SEHRs promote trust in the community and allow individuals to retain appropriate control over their personal health information, the Office has previously strongly argued that legislative protections are one important element toward building a robust privacy framework for such systems.

45. The Office has advocated the view that interaction with e-health records systems should operate on an 'opt-in' basis, wherein an individual's consent cannot be implied.[288] Accordingly, for the purpose of such engagements, consent should be defined to be limited to express consent, where an individual makes an active decision to participate.[289]

46. More broadly, the Office has previously submitted that, in the context of the former HealthConnect initiative, the legislative privacy protections should include:

'specific establishing legislation for HealthConnect setting out primary uses of data, authority and processes for approval of secondary uses of data, consent processes, penalties and sanctions and complaints mechanisms'[290]

47. The Office notes that the national SEHR agenda has progressed since its previous engagement with the HealthConnect project office, with responsibility for the implementation of SEHR systems now primarily devolved to the states and territories. The Office notes the work of the National E-Health Transition Authority in seeking to develop national uniform standards on which SEHRs may be pursued.

48. If SEHRs are implemented by state and territory governments, then they will generally remain outside of the Privacy Act's existing jurisdiction. Significantly though, the Office notes that private sector health service providers that engage with such systems are required to comply with the NPPs. Accordingly, there is scope for reform of the Privacy Act to make a useful contribution to defining appropriate standards by which individuals' health information may be disclosed to and collected from SEHR systems.

Question 8-5

Office position:

  1. The Office recommends that the implementation of electronic health information systems be accompanied by specific establishing legislation that could include:
    • Provisions to allow participation on an 'opt-in' basis;
    • Provisions setting out primary uses of data;
    • A designated authority and processes for approval of secondary uses of data;
    • Consent processes; and
    • Sanctions and complaint mechanisms.
  2. The Office suggests consideration should be given to reform of the Privacy Act to address the standards by which an individual's health information may be disclosed to and collected from shared electronic health records.

8-6 The National Health Act 1953 (Cth) requires the Privacy Commissioner to issue guidelines in relation to the handling of personal information collected in connection with claims under the Medicare Benefits Program and the Pharmaceutical Benefits Program. Is this an appropriate and effective role for the Privacy Commissioner?

49. This question refers to those guidelines made under section 135AA of the National Health Act 1953. As well as being enabled under this section, making the guidelines is also a function of the Privacy Commissioner under section 27(pa) of the Privacy Act.

50. The Office submits that, in the absence of evidence to the contrary, the underpinning policy settings on which section 135AA was enacted remain appropriate. In the Office's view, Parliament's decision to make the guidelines the responsibility of the Privacy Commissioner was a clear statement that privacy was to be a primary concern for any guidelines. Transferring the role of making these guidelines to another body may alter this emphasis in such a way that other interests are afforded greater prominence. The Office submits that, without a compelling argument to the contrary, it remains appropriate for the Privacy Commissioner to retain this role.

Nature of health information in question

51. The Office also submits that health information dealt with by section 135AA is likely to warrant additional protections of the type required by that section.

52. The two databases maintained by Medicare Australia to hold Medicare and PBS claims information are close to universal, in that they contain personal and health information on almost all Australian residents. This is unique information which is generally not found in other large government data sources, such as those held by the Australian Electoral Commission, Centrelink or the Australian Taxation Office.

53. Because of their universality and the high sensitivity of the information they contain, the Medicare and PBS claims databases warrant special protective measures. The relevant section is intended to ensure that Guidelines are made that provide such measures.

54. In regard to the sensitivity of the information being held, the Office notes that, generally, it is not possible to identify an individual's specific condition from Medicare claims information, which indicates visits to a health provider but does not identify the medical condition. In some cases, however, Medicare claims information could indicate what an individual has received treatment for. For example, a Medicare claims classification exists for identifying mental health consultations.

55. Similarly, in many cases, it would not usually be possible to accurately determine from PBS claims information an individual's precise medical condition, as one pharmaceutical may be used for a range of different conditions. On the other hand, some medications may only have application for a particular type of disease or a specific condition. For example, the Office has previously received expert advice that some pharmaceuticals are uniquely identified on the PBS schedule and are only used for specific and highly sensitive conditions.[291]

Experience gained during review of the section 135AA guidelines

56. The Office released a report of its review of the guidelines made under section 135AA (the 135AA Guidelines Review) in August 2006.[292] While it was beyond the terms of reference of this review to examine the enabling legislation for the guidelines, the 135AA Guidelines Review report did note the legislative underpinning of the instrument and the importance placed on ensuring that the information was handled privately. Relevantly, the following is drawn from chapter 2 of the report at page 19.

Legislative intent of section 135AA

57. In the second reading speech for the National Health Amendment Bill 1993, Dr Andrew Theophanous (then Parliamentary Secretary to the Minister for Health) explained that the function of the section is to require:

'...that information obtained from claims for medical benefits must be stored in a separate database from information obtained from claims for pharmaceutical benefits, and prohibits linkage of such information except in the way specified in the guidelines.'[293]

Views of stakeholders

58. Given the terms of reference of the 135AA Guidelines Review, stakeholders were not specifically asked for comments on the enabling legislation. However, it is noteworthy that many (though not all) stakeholders expressed support for the underlying intent of the enabling legislation.[294]

Question 8-6

Office position:

  1. The Office recommends the Privacy Commissioner retain the functions conferred by s 135AA of the National Health Act 1953 in relation to the Medicare Benefits Program and the Pharmaceutical Benefits Program.

8-7 Are the definitions of: (a) 'health information'; and (b) 'health service' in the draft National Health Privacy Code appropriate and effective? Should the Privacy Act be amended to adopt these definitions?

59. The Office is generally comfortable with the existing definitions of health information and health service provided in section 6 of the Privacy Act.

'Health information'

60. The proposed NHPC expressly includes 'mental and psychological health' as categories of 'health information', though the existing definition of the Privacy Act would already appear to comfortably allow for such an interpretation. In the Office's view, a common sense interpretation of health information would include information relating to mental health.

'Health service'

61. It is also noted that the proposed NHPC definition of 'health service' includes a significant departure from the Privacy Act definition in that it defines a 'health service' as an activity '...performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual service provider or the organisation performing it...[emphasis added]' to meet various health related functions.

62. In contrast, the Privacy Act definition includes provision for the perspective of the individual, not just the provider, by listing various activities '...intended or claimed (expressly or otherwise) by the individual or the person performing it [emphasis added]'. Accordingly, the definition contained in the draft NHPC appears to remove the role of the individual's understanding and interpretation of whether or not they believed that a health service was being provided to them.

63. It is also noted that the proposed NHPC definition of 'health service' removes the word 'record' from (a)(i) such that an activity that is intended 'to record the individual's health' may no longer be covered by the definition. The Office is unsure of the consequences of such an amendment. In absence of clear justification, the Office submits that such an amendment not be made as it would seem to reduce the range of activities currently deemed to be health services and thus may lower protections.

64. The Office also notes that the word 'injury' is added in addition to illness and disability in (a)(ii) and (iii) of the proposed NHPC definition. The nature of an injury appears to be distinct from the inherent properties of an illness or a disability, and as such, the inclusion of this word may increase the clarity of the definition.

Exempt categories

65. The Office notes that the definitions of health information and health service in the draft NHPC include provision for certain types of each, whether by specific instance or by class, to be made exempt from the definition '...in accordance with the Code'. It is not immediately clear what process is envisaged for considering and giving effect to such exemptions. These provisions would seem to have significant potential to reduce privacy protections by creating a mechanism whereby health information might not be afforded the additional protections usually expected.

66. If such provisions were adopted during the process of health privacy reform, the Office submits that the decision to exempt types of information or services should be subject to mandatory consultation and Parliamentary scrutiny.

67. It is also noted that a similar exemption is included in the definition of 'health service provider' in the proposed NHPC.

Question 8-7

Office position:

  1. The Office recommends the current definition of 'health information' in the Privacy Act should be retained.
  2. The Office recommends the current definition of 'health service' in the Privacy Act should remain. However, consideration should be given to amending s 6(a)(iii) of that definition to include the word 'injury'.

8-8 Should the Privacy Act be amended to ensure that all agencies and organisations that collect, hold or use health information are required to comply with the Act?

68. The Office is mindful that an amendment to the Privacy Act which required all organisations that collect, hold or use health information to comply with the Privacy Act may result in increased regulatory complexity, and may create a regulatory burden on small business operators. The Office notes that all private health service providers are required to comply with the NPPs. However, there may be other organisations which do not provide a health service, but do collect, hold or use health information, for which an existing exemption applies, such as the small business exemption. The Office has, in this submission, asked the ALRC to consider the merits of creating certain exceptions to the small business exemption, including for child care providers, which hold potentially sensitive information including health information. Further discussion on this proposal can be found in the response to Question 9.1.

69. Australian Government agencies are covered by the Privacy Act where they are included in the definition of 'agency' in section 6.

70. The ALRC issues paper raises the question of whether agencies which are currently excluded from regulation under the Privacy Act, but which may hold health information, should be subject to the Privacy Act. The Office submits that the public interest in excluding these agencies from regulation is likely to be unrelated to the type of personal information that they may handle. Accordingly, the Office does not advocate that such agencies should fall within the Privacy Act's coverage simply because they hold health information.

71. The Office also notes that health information held in an employee record by an organisation would be exempt from the coverage of the Privacy Act by virtue of section 7B(3). The appropriateness of the employee record exemption is discussed in detail in Chapter 3.

Question 8-8

Office position:

  1. The Office does not support any amendment which would remove existing exemptions for agencies based on whether they handle health information, as the grounds for these exemptions remain valid regardless of whether the agency holds health information.
  2. The Office is mindful that an amendment to the Privacy Act which required all organisations that collect, hold or use health information to comply with the Privacy Act may result in increased regulatory complexity and regulatory burden on small business operators. (See also Office position at Question 3-4)
  3. The Office suggests consideration should be given to the introduction of provisions to bring childcare centres within the scope of the Privacy Act. (See also Office position at Question 9-1)

8-9 Is guidance by the Office of the Privacy Commissioner to clarify that organisations can disclose health information for the management, funding and monitoring of a health service an appropriate and effective response to concerns in this area? If not, what is an appropriate and effective response?

72. The Office submits that guidance remains the best response to clarify when organisations may disclose information for the purposes of health service management. The Privacy Act already provides for this activity. In the absence of clear evidence of a problem, an amendment is unwarranted and risks introducing complexity.

73. In the accompanying discussion to this question, IP31 introduces a number of matters primarily drawn from the National Health and Medical Research Council's (NHMRC) submission to the Office's Private Sector Review.295

74. The Office recognises that management activities are an essential part of providing health services to the community. In its submission to the Private Sector Review, the NHMRC suggests a range of activities involved in managing health services, including quality assurance, quality improvement, policy development, planning, evaluation and cost-benefit analysis.296 The Office agrees with IP31 and the NHMRC's submission that it may, on occasion, be difficult to distinguish some of these management functions, such as quality assurance, from medical research.

75. Disclosures for health-management purposes are already provided for by the Privacy Act. Because these activities are integral to health services, disclosures of this kind will generally fall within NPP 2.1(a)(i), that is, they are directly related to the primary purpose of collection, and will usually fall within individuals' reasonable expectations, thus satisfying NPP 2.1(a)(ii).

76. The above position has already been expressed in the Office's guidance material. The Guidelines on Privacy in the Private Health Sector state that, provided it is within the individual's reasonable expectations, no extra steps need to be taken when using or disclosing personal information in circumstances such as:

an organisation's management, funding, service-monitoring, complaint handling, planning, evaluation and accreditation activities - for example, activities to assess the cost effectiveness of a particular treatment or service.297

77. This issue is also addressed in Information Sheet 11: Handling Health Information for Research and Management.298

78. The Office is not convinced that the circumstances warrant amending legislation, given the complexity that process may introduce. If, for example, a specific provision was introduced permitting disclosures, confusion would arise as to how this provision interacted with NPP 2.1(a): such an amendment would risk redundancy. An organisation engaging in health management may find it difficult to determine which section applied to them: the more general provisions of NPP 2.1(a), or the new provision. Difficulties also attend the prospect of introducing binding Guidelines, as organisations would be faced with the prospect of complying both with this new instrument, and with the NPPs.

79. The most effective response to uncertainty in this area is for the Office to issue guidance clarifying the position. In recommendation 61 of the Private Sector Review, the Office committed to this process, which it is currently implementing.

Interaction of NPP 10 (collection) and NPP 2 (use and disclosure)

80. The Office recognises that there is a difference between how NPP 2 interacts with health service management, as compared with the collection of sensitive information provisions contained in NPP 10. NPP 2 does not refer to health service management. Instead, this class of activities is captured as one of the many forms of disclosures within the terms of the provision. By contrast, NPP 10 addresses collection for health service management explicitly, and subjects this activity to the Health Research Ethics Committee (HREC) oversight.

81. The NHMRC's submission to the Private Sector Review summarised the resulting difference in process:

Health information may be disclosed by an organisation in circumstances where compliance with the Privacy Act can be achieved without recourse to the Section 95A Guidelines, yet the legality of collection by the receiving organisation of the same health information depends on approval by an HREC under the Section 95A Guidelines.299

82. The Office submits that this difference is appropriate. NPP 2 provides organisations such as health-service providers with a degree of confidence to use information internally as necessary for management purposes where consistent with the individual's reasonable expectations, or subject to the individual's consent.

83. Conversely, the collection provisions (and associated HREC approval requirements) regulate information which has left the control of the health service provider and where there may be heightened privacy risks. Since the quality assurance will be conducted by the collecting organisation, it is reasonable that the obligations attach to this point in the information flow.

84. The individual's interest in how their personal information is handled requires that, where such collection occurs, consent should be sought, or the use of de-identified information be considered as an alternative. Where this is not practicable, ethics oversight is appropriate.

Quality assurance and research

85. The ALRC IP31 expresses reservations about subjecting management processes to HREC oversight where these activities do not amount to research.300

86. The Office submits that the legislative framework is sound on this point, but would see merit in addressing the issue through institutional reforms.

87. At the legislative level, it is difficult to adequately distinguish all management activity from research. As the NHMRC itself acknowledges, it may be very difficult to differentiate some forms of health service management (such as quality assurance) from research. The two activities exist along a continuum.301 At opposite poles, the two forms of activity are quite distinct, but a grey area exists in particular around quality assurance, which in some cases could arguably be classed as both research and health service management.

88. The difficulty of distinguishing the two activities poses problems for legislation which attempts a separation. The risk is that expressly excluding health service management from HREC oversight will also exclude some activities which may be considered forms of research, notably quality assurance activities. This could amount to a lessening of current ethical safeguards and controls.

89. Concerns about the appropriateness of the HREC process are better addressed at the institutional level. The Office notes that section 95A allows the Commissioner to approve guidelines for the collection of health information for:

  1. 'research, or the compilation or analysis of statistics, relevant to public health or public safety; or
  2. the management, funding or monitoring of a health service [emphasis added]'

90. The two provisions are presented as alternatives. Therefore, the Privacy Act does not require that collections for health service management be subjected to the same process as is used for research. The legislation already permits HREC processes to be tailored for management-related collection, should the sector wish to pursue this avenue.

91. The Office also notes that individual institutions are able to address this issue through their internal processes. As the NHMRC notes in its publication When Does Quality Assurance in Health Care Require Independent Ethical Review, institutions should encourage HRECs to:

'establish policies that allow efficient review of low risk quality assurance proposals. Delegates of HRECs could approve these proposals and this may avoid creating impractical and/or unnecessarily large workloads or delays.'302

Management of research activities

92. The ALRC identifies a perceived gap in the NPPs in that they refer to 'management, funding and monitoring of a health service' and 'research relevant to public health or public safety.' They do not, however, refer to the management of research.303

93. This may be an overly precise reading of the NPPs. It is important here to note that NPP 2.1(d) refers to uses or disclosures necessary for research. This would comprehend the actual investigation itself, as well as the management structures and processes which are needed to support this activity.

94. Given that the Office has recognised the public interest in health research (see 8-29) the provisions would be given an enabling construction.

95. The alternative - introducing further provisions specifically permitting management, funding and monitoring of a research project - may introduce unnecessary complexity to the Act.

96. In the absence of evidence that this aspect of the Privacy Act presents difficulties for researchers, the Office does not see a need for reform.

Application of the Information Privacy Principles to the management, funding and monitoring of a health service

97. In considering the application of the IPPs to the management, funding and monitoring of a health service, the Office notes that the provision of health services in Australia primarily falls on state and territory government agencies, or the private sector, rather than on Australian Government agencies bound by the IPPs.

98. At present, the IPPs do not explicitly provide for health service management - it is necessary to rely on basic principles. IPP 10(e) permits secondary uses which are directly related to the purpose of collection. As discussed in relation to NPP 2.1, this would cover health service management. IPP 11(a) states that disclosures are not permitted unless:

The individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency.

99. The best course of action is for the patient to be adequately informed of the likely information flows, and to seek their consent.

100. It is also useful to note that section 95, which provides a framework for the use of information held by Commonwealth agencies, does not refer to health service management. Section 95(1) reads:

The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy in the conduct of medical research.

This omission creates a gap in the legislation.

101. In addressing question 8-32, the Office proposes that the public and private-sector provisions for health and medical research be merged. A new provision should make explicit provision for health service management to address this gap.

Question 8-9

Office position:

  1. The Office submits that guidance remains the best response to clarify when organisations may disclose information for the purposes of health service management activities. The Office does not support legislative amendments in this area.
  2. The Office recommends the present provisions subjecting health management activities to ethics oversight remain. Particular operational concerns in this area are best addressed through institutional reforms.
  3. The Office suggests that if the public and private sector provisions for health and medical research are merged (see also Office position at Question 8-32), a new provision should be introduced making explicit provision for the handling of health information for the purposes of managing health services.

8-10 Is there evidence that the regulation of personal health information impedes the provision of appropriate health services to individuals? If so, what changes are necessary to facilitate the provision of appropriate health services?

102. The Office is not aware of evidence that regulation by the Privacy Act, where correctly understood and applied, impedes the provision of health care. For example, the Office does not consider that the Privacy Act prevents the collection, use or disclosure of health information where appropriate for an individual's health care.

103. The Office believes that the NPPs sit comfortably with good treatment practices and promote appropriate information flows within the health sector. Application of the NPPs is consistent with professional ethical standards, the principle of patient autonomy, and the collaborative relationship of trust between doctor and patient.

104. It appears that there are some areas where health service providers' understanding of NPP obligations could be improved. In some instances, uncertainty or confusion in the health sector as to how patients' health information should be handled may lead to unnecessarily conservative interpretations of the NPPs.

105. For example, the Office is aware of a case where a specialist refused to provide information to a referring general practitioner regarding a patient, without that patient's consent, purportedly because of the 'Privacy Act'. However, such disclosures would likely be consistent with the Office's understanding of NPP 2, which emphasises the important role of the individual's reasonable expectations in determining how their personal health information may be handled (the application of NPP 2 is discussed further in response to question 8-17). This example illustrates that incorrect perceptions regarding the regulation of personal health information may impede the provision of health services to individuals. This Office does not consider that the NPPs, when correctly interpreted and applied, create impediments to health services delivery.

Uncertainty created by multiple regimes

106. As discussed in response to questions 8-1 and 8-2, in the Office's view a primary source of uncertainty in the health sector about privacy law obligations is likely to be the existence, in some jurisdictions, of multiple privacy instruments that purport to regulate private sector health service providers. Jurisdictional overlap of this type is likely to promote regulatory complexity and uncertainty, making it difficult for health service providers to understand and implement efficient and workable information handling policies.

107. In the Office's view, the requirement (whether real or perceived) to comply with multiple instruments at different jurisdictional levels is the most likely challenge faced by health service providers when seeking a degree of confidence that they are compliant with privacy regulation. However, in the Office's view, it would seem a further and exaggerated step to suggest that privacy provisions obstruct the provision of good healthcare.

108. As suggested in question 8-3, a key outcome of the ALRC's review process could usefully be to clarify which privacy principles apply uniformly and exclusively across the private health care sector.

109. The Office suggests that the prospect of achieving uniformity (or at least consistency) in health privacy regulation was a key reason why the concept of a NHPC received support from jurisdictions. Given that implementation of the proposed NHPC does not appear to have progressed, the Office submits that the Australian Government should act, as far as is possible, to unify organisations' obligations for the handling of health information.

110. As noted in response to question 8-2, the Office recommends that section 3 of the Privacy Act be amended to ensure the Privacy Act 'covers the field' for personal health information privacy in the private sector.

111. This would remove the ambiguity for private sector doctors, pharmacists and other private health sector organisations which may currently face uncertainty in determining their obligations under various privacy regimes.

Question 8-10

Office position:

  1. The Office does not consider that the NPPs, when correctly interpreted and applied, create impediments to health services delivery. The Privacy Act does not prevent the collection, use or disclosure of health information where necessary for providing healthcare. Accordingly, amendments in this area are not required.

8-11 Does the Privacy Act provide an appropriate and effective regime for handling health information in those circumstances where an individual has limited capacity to give consent? Does the draft National Health Privacy Code provide a more appropriate and effective framework for handling health information in these circumstances?

112. The question of impaired capacity is discussed in greater detail in Chapter 9.

113. The Office submits that the Privacy Act is generally adequate, though there may be merit in the ALRC considering whether NPP 6 (on access) could be enhanced.

114. The proposed NHPC appears to go further, in some instances, in allowing more third parties to exercise access rights than would seem appropriate. The NHPC includes a definition of authorised representative, who can act on behalf of an individual with limited capacity, and outlines the powers of the authorised representative. Generally, it recognises formal legal representatives such as guardians and those acting under a power of attorney, or otherwise legally empowered. The Office considers that these arrangements are also implicitly recognised under the Privacy Act.

115. The NHPC also includes in its definition of authorised representatives a parent of an individual who is a child. 'Child' is not defined in the NHPC. The Office does not consider that this provides more clarity on when a parent may act on behalf of a child than does the Privacy Act, which relies on a common law test of capacity.

116. The NHPC provides a statement of the threshold test that should apply when determining whether an individual is incapable of giving consent. It establishes a different standard from current Office guidance material. The NHPC prescribes that an individual has capacity if they understand 'the general nature and effect of giving consent'. In contrast, the Office's Guidelines on Privacy in the Private Health Sector stipulate that for consent to be valid, the individual 'must be capable of understanding the issues related to the decision and forming a view based on reasoned judgment'.

117. Additional clarity may be achieved if principles, other than NPP 2 (dealing with use and disclosure) and NPP 10 (dealing with collection of sensitive information), provided more explicit reference to dealing with representatives when an individual has impaired capacity or a decision making disability. In particular, measures in NPP 6 (dealing with access to information) could allow an individual to obtain access through a representative.

Question 8-11

Office position:

  1. The Office believes the basic framework for handling health information relating to individuals with impaired capacity is effective and should be retained.
  2. The Office suggests consideration should be given to amending the Privacy Act to include further specific reference to dealing with individuals with impaired capacity, in particular, NPP 6 may benefit from amendments to this effect.

8-12 Are there any other issues relating to consent to deal with health information in the health services context that the ALRC should consider?

118. The Office has no other issues concerning consent to deal with health information, though would welcome the opportunity to examine other matters that may be raised with the ALRC by other submitters and incorporated in a future discussion paper for this review.

8-13 Should the Privacy Act be amended to allow health service providers to collect information about third parties without their consent in line with Public Interest Determinations 9 and 9A? Does NHPP 1 of the draft National Health Privacy Code provide a more appropriate and effective framework for collection of such information than the current provisions of the Privacy Act?

119. The Office supports amending the Privacy Act to give statutory effect to Public Interest Determinations 9 and 9A.

120. The combined effect of PIDs 9 and 9A is that health service providers may conduct acts or practices that would otherwise breach NPP 10.1, without being determined to have interfered with an individual's privacy. In summary, under PIDs 9 and 9A, a health service provider may collect health information from a health consumer about a third party without the consent of the third party when both of the following circumstances are met:

121. The Office acknowledges that relevant third party health information, such as family medical history, is an extremely important resource for clinicians. Submissions received during consultations for PIDs 9 and 9A emphasised that health care would be severely compromised if family history and other similar third party information were not available to practitioners.304

122. The Office also notes that it is often impractical to seek consent from third-parties, such as relatives. As has been noted elsewhere:

It is often not possible to directly assess individual relatives. This occurs because the relative cannot be traced, lives too far away to be interviewed, or is ill, deceased, or otherwise not available.305

123. The PIDs will expire on 11 December 2007, with a review due to take place before this date.

124. No submissions to the Private Sector Review criticised the content of the PIDs. A number of submissions were strongly supportive of the substance of the PIDs being incorporated into the NPPs, and described the crucial role of social and family histories in providing effective medical treatment.306

125. The Private Sector Review proffered two models for legislative reform, both of which would see the substance of the PIDs incorporated into the NPPs:

  1. Add a new exception (f) to 10.1; or
  2. Add an additional subclause (iii) to NPP 10.2(b).

126. The review observed that since 10.2(b) already deals with providing a health service to the individual, the second option may be preferable.307 This could be given effect by inserting a new subclause 10.2(b)(iii), with two parts to accommodate the two criteria set out above. It is noted that the current drafting of NPP 10.2 assumes collection from the individual to whom the information relates.

127. It should also be noted that, in response to a number of submissions, the Private Sector Review raised the possibility of limiting the scope of such a new amendment, particularly to exclude genetic information and information contained in an electronic health record. Given the potential breadth of detail that may be contained in such sources, which may go beyond that which has traditionally been obtained by collecting family history information, the Office submits that such limitations merit further consideration in this review.

NHPP 1.1(i) concerning the collection of third party health information without consent

128. IP31 has sought views on whether NHPP 1.1(i) offers a more appropriate and effective framework than that established by PIDs 9 and 9A. NHPP 1.1(i) provides that health information may be collected without consent where:

The information is a family medical history, social medical history or other relevant information about an individual that is collected for the purpose of providing a person (including the individual) with a health service, and is collected by a health service provider:

  1. From the person who is to receive that service; or
  2. From a relative or carer of the individual; or
  3. In any other situation, in accordance with any guidelines issued for the purposes of this paragraph.

129. The Office submits that enacting the relevant provisions of the PIDs may be preferable to adopting NHPP 1.1(i). The Office believes that the sector has had over 4 years' experience with the existing terms of the PIDs and that this affords the benefits of continuity and efficiency. In the absence of compelling arguments to the contrary, it would not seem useful to change established regulation.

130. However, the Office notes that there may be value in considering the merit of allowing family, household or social histories to be obtained by a relative or carer where the individual is incapacitated. In this regard, the Office accepts that the provision of health care to an incapacitated individual may be assisted by the provision of such third-party information from another individual.

131. The Office notes that the forms of information prescribed in NHPP 1.1(e) diverge from the PIDs, though the full implications of these distinctions are unclear.

Question 8-13

Office position:

  1. The Office recommends the Privacy Act be amended to give statutory effect to Public Interest Determinations 9 and 9A. This could be achieved most effectively by inserting an additional subclause into NPP 10.2(b). However, the scope of any amendment should be limited to exclude genetic information and information contained in an electronic health record.

8-14 Should the Privacy Act be amended to allow insurance companies to collect health information about third parties without their consent in similar circumstances to those set out in Public Interest Determinations 9 and 9A?

132. The Office submits that a PID is not required for insurance companies to collect health information about third parties without their consent.

133. The Office understands that family history information may be used in insurance underwriting to assess the probability that the applicant will suffer hereditary disease. In this context, family history information could be used to either deny coverage or to adjust premiums based on perceived risk.

134. As discussed in the Office's response to question 8-13, it is generally unlawful to collect health information (for example, family history information) about an individual without their consent.

Relevant matters

135. The Office notes that insurers have collected family history information for over a hundred years.308

136. At the same time, the Office notes substantial community opposition to this practice. In research conducted by the Investment and Financial Services Association, 62% of respondents opposed the use of family history information by life insurance companies:

'The most prevalent view is that lifestyle factors must also be considered, and that a family history of a particular ailment does not predestine the offspring to inherit the affliction - effectively, the view is that 'the sins of the father should not be visited upon the son.'309

137. The Office also notes the debate about family history information's actuarial relevance. The usefulness of family history information as a predictor of an individual's prospective health may be quite limited. Due to the complex interplay of causal factors, '...correct actuarial determination of risk for a given individual may currently only be possible for a few cancer-related (and other) genetic conditions.'310

138. However, these concerns do not detract from the fact that family history information does have some relevance for underwriting. It may be effective, for instance, as a negative indicator, where family history information can indicate that an individual is not at high risk of a given condition.311

139. IP31 discusses whether PID 9A (collecting family history and other third-party information for the purpose of providing medical treatment) could provide a useful analogy for considering the practice. However, as the ALRC has recognised, this practice raises a very different set of policy issues to those addressed in PIDs 9 and 9A.

140. First, family history information is often vital to providing health care to the individual, whereas it is only a useful, but not integral, part of insurance underwriting.

141. Secondly, the nature of the interests involved differs considerably. Determination 9A concerns the preservation of life and health, while the provision of insurance involves actuarial decision-making and loss-distribution. While important, the latter arguably lacks the compelling policy considerations necessary to warrant potentially lessening privacy protections.

Options to address the practice

142. The ALRC has previously recommended that insurers apply for a PID to make the practice lawful (ALRC Report 96). The Office notes that for a PID to be made, the Privacy Commissioner must be satisfied that the public interest in the act or practice occurring outweighs to a 'substantial degree'312 the public interest in adhering to the relevant IPP, NPP or approved privacy code.

143. Further, the Office's Public Interest Determination Procedure Guidelines explain that in making an application for a PID, an agency or organisation should identify:

Alternative courses of action that have been considered that would not lead to a breach of an IPP, NPP or an approved privacy code, with explanations as to why such alternatives are not feasible.313

144. Investment and Financial Services Association Standard 16 provides a practical solution to compliance with the Privacy Act by stating that insurers should collect family histories in a non-identifiable format.314 The Office supports this solution, which allows the industry to collect useful information in a format which respects individual privacy. Further, the presence of an alternative course of action that does not undermine compliance with the Privacy Act would tend to throw further doubt on the appropriateness of a PID.

Question 8-14

Office position:

  1. The Office does not support an amendment to the Privacy Act to allow insurance companies to collect health information about third parties without the parties' consent.

8-15 Should NPP 10 of the Privacy Act be amended to clarify when health information may be collected without consent? Does NHPP 1 of the draft National Health Privacy Code provide a more appropriate and effective framework for collection of health information without consent?

145. In regard to the first part of question 8-15, in the Office's view, NPP 10 generally functions well. However, the Office does note that there are some structural inconsistencies between NPPs 2 and 10, in that the permitted disclosures provided by the former do not align perfectly with permitted collections under the latter. For example, it is the Office's view that disclosures are generally likely to be permitted between members of a treatment team (discussed in greater detail in response to question 8-17). However, it is less clear which prescribed exception to NPP 10 could be relied upon by treatment team members to collect that information. In some circumstances it is likely that consent may be able to be implied. The Office recognises that this may not always be an exception upon which providers could confidently rely.

146. NPP 10.2 recognises the need of health service providers to collect health information without consent in certain circumstances. NPP 10.2(b)(i) allows such collection where it is necessary to provide a health service, and is required or authorised by law (this should be contrasted with 10.1(b) where collection must be required by law).

147. NPP 10.2(b)(ii) is intended to provide a mechanism to allow collection by health service providers where necessary to provide a health service, and in accordance with binding rules of professional confidentiality. However, it is the Office's view that no current rules fit the terms of 10.2(b)(ii) in such a way that it could be confidently relied upon. The Office considers in detail below the various options for addressing this.

148. In regard to the second part of question 8-15, the Office submits that NHPP 1 could lessen privacy protections in several areas, including allowing collection where 'required, authorised or permitted, whether expressly or impliedly, by or under law' (1.1(b)). It also allows collection of health information for research 'in the public interest' (1.1(e)), which is broad and difficult to assess. Nevertheless, the Office sees some merit in the underlying policy intent of certain other provisions, including those which allow collection of family history information (NHPP 1.1(i)), genetic information and deceased persons' information (parts of 1.1(d)).

149. These matters are discussed in greater detail below.

Question of amending NPP 10 to clarify collection without consent

150. The first element of question 8-15 goes to the clarity of NPP 10.

151. The Office submits that NPP 10 appears to function adequately for most stakeholders; the need for its amendment was not a significant issue in submissions to the Office's Private Sector Review.315 The Office also notes the very small number of complaints it has received in regard to NPP 10 since inception of the private sector provisions.

152. Nevertheless, there would appear to be some misalignment between disclosures allowed under NPP 2, and the equivalent collection under NPP 10.316 For structural consistency and regulatory certainty, the Office believes NPP 10 would benefit from some clarification, particularly around the utility of 10.2(b)(ii).

Improving the utility of NPP 10.2(b)(ii)

153. NPP 10.2(b)(ii) is intended to allow collection of health information from a basis that recognises the longstanding tradition of professional ethics and duties of confidentiality in the health sector. NPP 10.2(b)(ii) permits collection without consent where necessary to provide a health service to an individual and where that collection is done 'in accordance with rules established by competent health or medical bodies that deal with professional confidentiality which bind the organisation.'

154. Both the Office's Private Sector Review and the ALRC's IP 31 note the ambiguity of 10.2(b)(ii), in that no existing rules appear to fit the provision's requirements.317

155. In the Office's view, rules envisaged by the current 10.2(b)(ii) provision would need to:

156. The Office is not aware of existing binding rules in the health sector that would meet each of these criteria. However, it should be noted that the Office has had few compliance issues in this area, conceivably on the grounds that relevant complaints would seem more likely to go to the act of disclosure, rather than the subsequent collection.

157. As discussed in response to question 8-17, the Office believes that it is appropriate for the health sector to be able to exchange health information for the purpose of treating an individual where such exchanges are within the individual's reasonable expectations. The Office does not believe that consent need always be obtained when using, disclosing or collecting health information in the context of providing care. Addressing the current anomaly in NPP 10.2(b)(ii) could allow for the appropriate collection of health information that is necessary for a health service, where the equivalent disclosure is within reasonable expectations. Examples of where such a mechanism could be valuable include:

Options for reforming NPP 10.2(b)(ii)

158. The Office sees three alternatives for reform of NPP 10.2(b)(ii):

  1. The Office could encourage and collaborate with relevant professional health bodies to develop rules sufficient to give effect to NPP 10.2(b)(ii)
  2. NPP 10.2(b)(ii) could be redrafted to encompass existing rules that deal with professional confidentiality, provided that such rules ensure appropriate privacy protections or
  3. NPP 10.2(b)(ii) could be replaced with a 'reasonable expectations' test, so that collection is permitted where necessary for providing a health service and within the expectations of a reasonable person.

159. In the Office's view, option 3 would appear to offer an appropriate and transparent mechanism for reforming NPP 10.2(b)(ii), and would cause the least interference with current good practice in the health sector. This option would provide greater alignment between the disclosure and collection provisions of the NPPs, and would resolve the possible uncertainty surrounding collection by members of a treating team and other similar scenarios.

160. By way of contrast, the proposed NHPP appears to address collection by a treating team (and others) by way of NHPP 1.1(d). This draft provision effectively offers a 'catch-all' authority allowing collection of health information wherever the equivalent disclosure is authorised under certain provisions of NHPP 2. This includes where the disclosure is directly related to the primary purpose of collection, and within the individual's reasonable expectations. However, the Office is concerned that, in the pursuit of this consistency, NHPP 1.1(d) lowers existing privacy protections in other areas.

161. The Office recommends that the ALRC's current review give further consideration to the operation of 10.2(b)(ii) and possible solutions.

Recognising the distinction between NPP 10.1(b) and NPP 10.2(b)(i)

162. IP31 questions why 10.1(b) differs from 10.2(b)(i) (collection 'required by law' compared with 'required or authorised by law'), following the 2006 amendment to the Privacy Act.318

163. As a consequence of the 2006 amendment,319 NPP 10.2(b)(i) permits collection of health information without consent, if the collection is necessary to provide a health service and is required or authorised by law (the amendment introduced the word 'authorised' to NPP 10.2(b)(i)).

164. If the collection of health information is not necessary to provide a health service, the collection would need to be required by law under 10.1(b), not merely authorised. While the test of 'required or authorised' in 10.2(b)(i) effectively establishes a lower threshold than the 'required by law' test of 10.1(b), it must be read in conjunction with the joint test established by 10.2(a). This establishes a regulatory obligation specific to health service delivery, which is quite distinct from that provided by 10.1(b).

165. The underlying intent of this distinction between NPPs 10.1(b) and 10.2 is that the latter is intended to recognise the special role of health service providers, which at times must collect personal information without consent where it is necessary for individual health care. Prior to the 2006 amendments, the Office's Private Sector Review noted that 'the more restrictive provisions of NPP 10.2(b)(i) ... [could] have the potential to unduly impede the effective delivery of services.'320 The Private Sector Review report also noted that:

'The restrictive character of this sub-paragraph may be inconsistent with the Privacy Act's general reliance upon the ethical traditions, including recognition of the duty of confidentiality, of health service providers.'321

166. The Prescription Shopping Information Service (PSIS), provided by Medicare Australia,322 provides an example of where a 'required by law' test does not work in the health care context. Prior to its amendment, NPP 10.2(b)(i) was too narrow to permit general practitioners to collect health information from the PSIS. This was because a relevant legal authority existed that only authorised, but did not require, the collection323 (even though use of the PSIS is predicated on the collection being necessary to provide a health service to individuals suspected of using medicines beyond their therapeutic needs).

167. In contrast to the intent of NPP 10.2(b)(i), where an organisation seeks to rely on a legal authority to collect personal health information without an individual's consent for a purpose other than the provision of a health service, the Office submits that it is appropriate that such law expressly require the collection, as provided for in NPP 10.1(b).

168. Accordingly, the Office submits that the distinction between NPPs 10.1(b) and NPP 10.2 is significant and appropriate.

Mirroring disclosure and collection provisions

169. Not all disclosures of health information under NPP 2 involve a collection under NPP 10. For example, a disclosure may be to an individual (such as a relative) or to an entity that is not bound by the Privacy Act (such as a small business that does not provide a health service, or a state police force). Also, a disclosure could simply be verbal, whereas a collection involves holding information in a record.324

170. IP 31 provides an example of where disclosure and collection principles may not align - where a health service provider pre-emptively discloses a patient's health information to a medical defence insurer 'where there is not and may never be a legal claim'.325

171. In regard to this example, the Office is not convinced that a collection by the insurer would be necessary if a legal claim is not 'on foot'. The provider could, for example, de-identify information if they felt it necessary to report the incident to their insurer in anticipation of potential future legal action.

Adequacy of NHPP 1 as an alternative to NPP 10

172. The second element of 8-16 seeks views on the adequacy of NHPP 1.

173. The Office believes NHPP 1 would afford lesser privacy protection to health information in several areas. Particular differences are outlined below.

Lawful authorities to collect health information without consent

174. NHPP 1.1(b) would permit collection of health information without an individual's consent where 'required, authorised or permitted, whether expressly or impliedly, by or under law'. The Office notes that the inclusion of 'permitted' and 'whether expressly or impliedly' appears to leave open the prospect of wider legal permissions than the current exceptions under NPP 10.1(b) ('required by law') and NPP 10.2 ('necessary to provide a health service to the individual' and 'as required or authorised by or under law (other than this Act)').

175. The Office is particularly concerned, for example, as to what may constitute an 'implied permission' to collect health information without consent. The Office understands that the word 'permit' can be interpreted in such a way that a permission may '...sometimes even be inferred from an unfettered handing over for use without a knowledge of that particular use'.326 Put another way, 'permit' could be interpreted as allowing by inference something to occur on the grounds that it is not specifically prohibited.

176. In the Office's view, the sensitivity of health information and community expectations regarding its appropriate handling should require that a legal authority to collect it, without the individual's consent, should be relatively narrow, transparent and subject to a clear statement from a Parliament.

Collection where individual is lacking capacity to provide consent

177. NHPP 1.1(c) provides that health information may be collected without the individual's consent where:

  1. the information is necessary to provide a health service to the individual and the individual is incapable of giving consent and
    1. it is not reasonably practicable to obtain the consent of an authorised representative of the individual; or
    2. the individual does not have an authorised representative;

178. This provision combines elements of NPPs 10.1(c) (where there is a 'serious and imminent threat to life or health' and incapacity) and 10.2 (collection necessary for a health service). While the Office recognises that such a provision may be helpful toward ensuring that individuals lacking capacity are afforded health care, it is noted that this principle removes from consideration any role for the individual's reasonable expectations. For this reason, the Office submits that its proposed amendment to NPP 10.2, incorporating a reasonable expectations test, is a preferable alternative.

Collection provisions that mirror permitted disclosures

179. NHPP 1.1(d) provides that information may be collected without consent where:

  1. the collection is the result of a disclosure made in accordance with NHPP 2.2(a), 2.2(f), 2.2(i), 2.2(j), 2.2(m), 2.4, 2.5 or NHPP 6327

180. This provision is designed to promote consistency between collection and disclosure principles. While this has some intuitive appeal and offers a simple approach to reconciling collection and disclosure exceptions, it is necessary to consider the potential effects of such a provision and whether it would afford equivalent protections to the existing structure of the NPPs.

181. In this regard, the Office notes that NHPP 1.1(d) allows collection of health information, without consent, as a result of a disclosure made in accordance with NHPP 2.2(a), that is, directly related to the primary purpose of collection and within the individual's reasonable expectations. This would provide a lower test than NPP 10.2, as the information need not be necessary to provide a health service. NPP 10.2 is deliberately narrow in focus, requiring that personal health information may only be collected without consent where it is necessary to provide a health service (unless an alternate exception to NPP 10 is available).

182. The Office refers to its earlier proposal in response to this question that NPP 10.2 be amended such that a test of an individual's reasonable expectations be adopted, though only in conjunction with the existing test that the collection be necessary to provide a health service. This would provide a principle that more effectively balances the needs of providers to collect information in a care context, with the need to ensure that privacy protections are maintained, including by giving due regard to the expectations of individuals.

183. Collection for some other purposes in NHPP 1.1(d), such as management of a health service and law enforcement purposes, is likely to be encompassed within existing NPP and IPP collection provisions (or would be outside of the Privacy Act's jurisdiction, such as in regard to collections by state police).

Collection without consent for the purpose of research in the 'public interest'

184. NHPP 1.1(e) would permit the collection of health information for research or statistical purposes 'in the public interest'. This appears to go beyond the existing exception provided in NPP 10.3, which provides a mechanism allowing such collection for narrower and more easily definable purposes - 'relevant to public health or public safety'.

185. In this regard, it should be noted that the Office has considered the scope of any research exceptions in greater detail in responding to questions 4-13 and 4-32, as well as in questions 8-29 through to 8-32. While proposing some amendments to these arrangements, the Office is informed by a body of community attitude research that suggests that many individuals would be uncomfortable with such a broad exception allowing collection of health information without their consent. The Office notes that this position would not cause a halt to such research, but would require researchers to either seek individuals' consent (whether express or implied) or conduct their research using de-identified information.

186. Additionally, where there is a compelling public interest, any Parliament may choose to enact law requiring the collection for that purpose. A number of Parliaments have enacted such laws, including for the purpose of various health registers.

Collection without consent to lessen threats to life, health, safety or welfare

187. NHPP 1.1(f) would permit the collection of an individual's health information without consent to prevent or lessen a 'serious and imminent threat to life, health, safety or welfare of any individual', and is mirrored in NHPP 2.2(h) to allow disclosure in the same situations (see the Office's response to question 8-18).

188. The existing NPP 10.1(c) is limited to permitting collections without consent for the purpose of addressing threats to 'life or health'. The Office believes 'safety', as included in NHPP 1.1(f), would be likely to be encompassed within 'life or health'. Perhaps of more concern, the Office submits that the inclusion of threat to any individual's 'welfare' would be difficult to define and would potentially significantly expand the current exception.

189. NPP 10.1(c) also limits collection to situations where the individual cannot consent, while NHPP 1.1(f) does not (instead, it requires collection be 'in accordance with [issued] guidelines, if any...'). Requirements for collection under NPP 10.1(c) do however appear inconsistent with disclosure allowed by NPP 2.1(e), because the latter does not require incapacity to consent.

Collection without consent for law enforcement purposes

190. NHPP 1.1(g) would allow the collection of health information without the individual's consent by or on behalf of a law enforcement agency that the organisation reasonably believes is necessary for a 'law enforcement function'. Although it aims at consistency with use and disclosure provisions, this is a broad exception when compared with NPP 10. The latter holds that such a collection must be required by law (10.1(b)), or to prevent or lessen a serious and imminent threat to life or health, where the individual whose information is being collected cannot consent.

Question 8-15

Office position:

  1. The Office suggests consideration should be given to amendments to better align disclosures of sensitive information allowed under NPP 2 and corresponding collections under NPP 10.
  2. The Office recommends NPP 10 should be retained in its present form, with the exception of NPP 10.2(b)(ii), which could be amended to better reflect the regulatory and ethical context in which health service providers operate.
  3. The Office believes that NHPP 1 would afford lesser privacy protection to health information in several areas.

8-16 Are there any other issues relating to the collection of health information that the ALRC should consider?

Possible consequential amendments to NPP 10.3

191. NPP 10.3 facilitates the collection of health information that has been disclosed under NPP 2.1(d). In responding to question 8-32 and as part of harmonising the research mechanisms under sections 95 and 95A, the Office has recommended that NPP 2.1(d) be amended to allow the disclosure of personal information (that is, not restricted to health information) where it is relevant to 'health and medical research', rather than 'public health or public safety'. If that recommendation is adopted, NPP 10.3 would need to be amended to apply to all sensitive information.

192. In addition, the Office notes that 10.3(d)(ii) is expressed in the same terms as the (currently ineffective) 10.2(b)(ii), and may need amendment as discussed above in question 8-15.

Question 8-16

Office position:

  1. The Office submits that if its recommendations in response to Questions 8-15 and 8-32 are pursued, consequential amendments to NPP 10.3 would be needed to facilitate the collection of all sensitive information, not just health information.

8-17 Is guidance by the Office of the Privacy Commissioner an appropriate and effective response to concerns that the phrases in NPP 2, 'primary purpose of collection' and 'directly related to the primary purpose', might impede the appropriate management of an individual's health? If not, what is an appropriate and effective response?

193. The Office recognises that some health sector stakeholders hold the view that the current application of 'primary purpose' under NPP 2 restricts health service providers from disclosing information appropriately within an individual's treating team, which in turn impedes healthcare.

194. However, the Office believes that NPP 2 sits comfortably with the relationships of trust and good communication that are the hallmark of good practice in the health sector. The Office does not believe that it is always, or even usually, necessary for a health service provider to seek the consent of an individual before using or disclosing their health information to provide healthcare.

195. The operative elements in applying NPP 2.1(a) to the provision of health services are that the use or disclosure be for a directly related secondary purpose within the individual's reasonable expectations. In the healthcare context, an individual's reasonable expectations are likely to be formed by, amongst other things, what they are told may happen to their health information during the course of usual consultations. The Office believes that the health sector has a strong awareness of the importance of communicating with patients regarding how their information will be used and disclosed in the course of treatment. Such communication should greatly increase doctors' confidence that they may share health information with other providers, without necessarily seeking the patient's consent.

196. Consistent with Private Sector Review recommendations 77 and 78, the Office believes further guidance on appropriate use and disclosure for the primary purpose of collection, and directly related purposes, would clarify for health service providers the degree to which existing good communication facilitates compliance with NPP 2.

197. Issues concerning NPP 2 and the construction of primary purpose are discussed in greater detail below.

'Primary' and 'secondary' purposes for use and disclosure in the health context

198. NPP 2 establishes the general rule that organisations, such as private sector health service providers, may only use or disclose personal information for the purpose for which it was initially collected (that is, the 'primary purpose'). In the health care context, the Office has consistently interpreted a health service provider's primary purpose for collecting health information as the 'main or dominant reason the individual is seeking assessment, treatment or care.'328

199. However, there are a number of exceptions to this general rule. These exceptions provide that personal information may be used or disclosed for another or 'secondary' purpose if, for example, the individual consents (NPP 2.1(b)) or where the use or disclosure is necessary to respond to a serious or imminent threat to any person's life, health or safety (2.1(e)(i)).

200. Relevantly for the health sector, NPP 2.1(a) provides that health service providers may use or disclose health information for a secondary purpose if:

201. The Office believes that NPP 2.1(a) provides an appropriate mechanism for regulating how health information may be used and disclosed, without the individual's consent, in the health context. It does not require providers to routinely and unnecessarily seek consent from individuals for the sharing of their health information for treatment.

202. The Office submits that this application is consistent with community expectations regarding how health information should be handled. Attitudinal research from Australia and overseas has found that many individuals have strong views on the handling of their health information, including the extent to which it should be shared. These views are likely to be more relevant as clinical care moves toward greater use of electronic health records, which may facilitate the sharing of information on a vastly greater scale than paper-based records.329

203. Research conducted by the UK National Health Services summarised some of these concerns as:

If this information is inappropriately shared outside the NHS, it may prejudice people's ability to get jobs, life insurance or mortgages. Information shared inappropriately within the NHS could affect the way people are treated by health and other public services (eg. about terminations of pregnancy, debt, literacy, or mental health problems).330

204. This same research found that the degree to which individuals felt health information should be shared depended on the purpose for which it would be used. While a majority of individuals supported it being shared to treat a specific health problem, individuals viewed sharing for other purposes, including managing a health service, as far less important. A majority of individuals believed that sharing for any purpose other than clinical care should be with consent or by using de-identified information. Additionally, this research found that even for clinical care, at least some types of information, such as termination details, sexual health or mental health, should not be routinely shared.331

205. Many of these themes are supported in other research. In addition, research has found that individuals may have sensitivities about health information being shared without consent even across a treatment team332 and distinguish between different types of health professional.333

Establishing reasonable expectations

206. As discussed in the Office's Guidelines on Privacy in the Private Health Sector, an individual's reasonable expectations are what a reasonable individual with no special knowledge of the health sector would expect to happen to their health information in the given circumstances.

207. Such expectations are closely linked to what the patient is told and how they react. In this regard, it should be noted that practitioners must comply with obligations under NPP 1.3 to provide notice to individuals as to how their personal information will be handled. Therefore, compliance with NPP 1.3 notice requirements will enhance practitioners' ability to rely on patients' 'reasonable expectations' for appropriate disclosures.334

208. Moreover, the type of communication that would normally be entered into by practitioners and individuals in the course of consultation and treatment is likely to be a key determinant of an individual's reasonable expectations of how their health information may be handled. As is discussed in greater detail below, the Office submits that the long-standing importance placed by the health sector on effective practitioner-patient communication promotes an environment whereby a mutual understanding can be established as to how health information will be handled.

209. In addition, reasonable expectations may be influenced by the degree of awareness in the general community about how the health system may provide care to individuals. In some cases, community education campaigns may contribute significantly to framing an individual's reasonable expectations.

Concerns with the current application of 'primary purpose'

210. The Office understands that some health stakeholders believe existing distinctions between disclosures for a 'primary purpose' and 'directly related secondary purposes' may interfere with holistic care, conflict with doctors' legal and professional obligations, and hinder necessary and appropriate use and disclosure within a patient's treating team. Some have called for 'primary purpose' to be applied broadly in the health care context, such as to encapsulate 'the health care and well being of the patient', unless otherwise agreed.335

211. In addition, some health sector stakeholders believe that a consequence of applying a narrow interpretation to primary purpose is that providers must always obtain a patient's consent, whether express or implied, before sharing health information with other health service providers.

212. As discussed in greater detail below, the Office believes that these concerns can be assuaged by recognising the high degree to which existing good clinical practice facilitates compliance with NPP 2.1.

Holistic approaches to health service delivery

213. The Office notes that contemporary approaches to health service delivery increasingly emphasise a 'holistic' rather than episodic approach to health care. The Office acknowledges the potential health benefits of such an approach.336 Equally though, the Office submits that effective communication and patient autonomy regarding information-handling remain essential to ensuring that individuals' privacy expectations are met.337

214. In a health care context, episodes of care provided as part of an holistic approach to treatment will often be directly related to the primary purpose of collection. The Office has recognised that an holistic approach to the provision of health care can be comfortably accommodated within the 'directly related, within reasonable expectations' test of NPP 2.1(a). Specifically, in the Guidelines on Privacy in the Private Health Care Sector the Office has explained:

'The concept of holistic health care recognises that a health service provider can treat an individual for a number of different complaints or ailments at a single time. In these circumstances, the primary purpose is linked to each of these conditions or ailments.

This principle also allows personal information to be used or disclosed without further consent if this occurs for reasons directly related to the primary purpose and these are within the reasonable expectations of the individual. These are uses and disclosures for directly related secondary purposes.'338

The role of existing practitioner-patient communication in promoting compliance with NPP 2

215. The Office acknowledges the importance of communication to the fiduciary relationship of trust between health service providers and patients, and is confident that this strong tradition of effective communication in the health sector does much to promote providers' compliance with NPP 2 when sharing health information for treatment.

216. As the then President noted in the AMA's Privacy Resource Handbook (2002):

'Aligning patient and doctor expectations better will reduce red tape and the costs of complying with the privacy legislation while maintaining quality patient care.'339

217. Similarly, the O