New privacy laws: Is your practice ready and compliant?
This article was published in the March 2014 edition of vicdoc
AMA Victoria Solicitor, Melanie Earles
On 12 March 2014 the new privacy law regime brought in under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will commence. The reforms are the most significant changes to Australia’s privacy laws since the implementation of the Privacy Act 1980 (Cth) (Privacy Act).
Some of the key points health professionals must keep in mind to ensure their practice complies with the new laws are set out below.
What are the changes?
The Act replaces the existing nine Information Privacy Principles (IPPs), which apply to the public sector, and the nine National Privacy Principles (NPPs), which apply to the private sector, with 13 Australian Privacy Principles (APPs) that will apply to the public and private sector alike.
Health practitioners fall within the definition of an ‘organisation’ that handles ‘personal information’ so the APPs apply to them.
Personal information means information or an opinion – whether true or not – about an individual whose identity is apparent or can be reasonably ascertained.
In Victoria, health practitioners are also subject to the Health Records Act 2001 (Vic), which requires organisations dealing with health information to comply with the 11 Health Privacy Principles (HPPs).
The new APPs will apply in addition to the Victorian HPPs. The APPs are more similar to the existing HPPs than the federal principles they are replacing. This is good news for Victorian doctors because it means minimal changes will be required regarding the way health practitioners handle their patients’ personal information.
The most relevant (but not all) of the 13 APPs are set out below. Health practitioners should check that their current practices meet the federal APP obligations.
APP 1 – Open and transparent management of personal information
Reasonable steps to ensure compliance include:
• training staff about the organisation’s policies and practices
• establishing procedures to receive and respond to complaints and enquiries
• establishing procedures to identify and manage privacy risks.
APP 3 – Collection of personal and sensitive information
• Organisations must only collect sensitive information (a subset of personal information, which includes health information) with an individual’s consent, and where the collection is also reasonably necessary for one or more of the organisation’s functions or activities. There are some exceptions that apply in certain circumstances (for example, where a patient is unable to consent due to a medical emergency, or permitting the collection of family, social and medical histories).
APP 3 is much the same as the existing HPP requirements. Ensuring patients sign an appropriately drafted consent form prior to the collection of sensitive information is sufficient to discharge this obligation.
APP 4 – Dealing with unsolicited personal information
This is a new requirement that applies where organisations receive personal information they have not asked for. If this occurs, the organisation must first determine whether the information could have been collected under APP 3 (for example, because it holds a signed consent from the individual). If so, it must deal with the information as it would any other personal information – that is, in accordance with privacy law. If not, the organisation must destroy or de-identify the information as soon as possible, provided it is legal and practical to do so.
APP 5 – Notification of collection
APP 6 – Use and disclosure
This is much the same as the existing HPP obligation, and requires that personal information may only be used or disclosed for the primary purpose for which it was collected, or for a secondary purpose directly related to the primary purpose.
Certain exceptions apply to health information, permitting use and disclosure:
• where there is a serious and imminent threat to the health and safety of an individual or the public
• for health and medical research if certain conditions are met
• of genetic information to lessen or prevent a serious threat to a genetic relative
• to carers for compassionate reasons.
APP 7 – Direct Marketing
Organisations must not use personal information for direct marketing unless the individual has given specific consent for this. Alternatively, direct marketing is permitted if the individual has a reasonable expectation this would occur and they can easily opt out.
APP 10 – Quality
Organisations must take reasonable steps to ensure the personal information they collect, use or disclose is accurate, up to date, complete and relevant.
APP 11 – Security
Organisations must take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. In a health setting, this means password-protecting computer databases, storing patient files in a lockable area, and training staff in the appropriate handling of personal information.
APP 12 – Access
Organisations are required to respond to an individual’s request for access to their personal information within a reasonable time. If an organisation decides not to give access, it must provide written reasons. There are certain exceptions where access need not be given; for example, where giving access may cause harm to the individual.
APP 13 – Corrections
An organisation must take reasonable steps to ensure the personal information it holds is up to date, accurate, complete, relevant and not misleading. There is a positive obligation to correct information that is wrong. This differs from the old requirement, under which an individual had to establish an error before any obligation to correct arose.
What happens in the event of a breach of an APP?
Where a breach of an APP occurs, the individual concerned may lodge a complaint with the Federal Privacy Commissioner (free of charge), and the Commissioner may apply to the Federal Court or the Federal Magistrates Court for an order that the entity pay a penalty of up to $1.1 million for corporations (and up to $220,000 for individuals).
It is not necessary for the individual to prove loss or damage as a result of the breach of confidentiality – they may obtain compensation even if they have suffered no injury or loss.
Key points to remember