Federal Register of Legislation - Australian Government

Determinations/Other as made
This Determination permits a specific health service provider to collect third party health information from an individual (or a person 'responsible' for an individual) without the third party's consent, for inclusion in the individual's family, social or medical history.
Administered by: Attorney-General's
Registered 07 Dec 2011
Tabling History
Tabled Senate: 07-Feb-2012
Tabled HR: 07-Feb-2012
Date ceased to have effect 11 Dec 2016
Ceased by Self Ceasing




Explanatory Statement


Public Interest Determinations 12 and 12A

Legislative Instruments Act 2003 (Cth), s26












December 2011

Collection of Family, Social and Medical Histories


1.      Purpose and authority

1.1      Public Interest Determinations 12 and 12A

This explanatory statement has been drafted for the purpose of fulfilling the Privacy Commissioner’s obligations under s26(1) of the Legislative Instruments Act 2003 (Cth)[1].

This explanatory statement refers to two public interest determinations (PIDs) issued under s72 of the Privacy Act 1988 (Cth)[2] (the Privacy Act):

·                PID 12, and

·                PID 12A

1.2      Purpose

The purpose of PID 12 is to exempt the applicant, Dr Steve Hambleton, a general practitioner, a ‘health service’ provider and ‘organisation’ for the purposes of the Privacy Act, from the obligation to comply with National Privacy Principle (NPP) 10.1 in certain circumstances.[3]  NPP 10.1 prohibits the collection of ‘sensitive information’ (including health information) unless a prescribed exception applies, such as where the individual consents.  PID 12 permits the applicant to collect health information from an individual (a ‘health consumer’), or from a person responsible for the health consumer, about another individual (a ‘third party’) in circumstances where:

(a)   the collection of the third party’s information into the health consumer’s family, social or medical history is necessary for the applicant to provide a health service directly to the health consumer; and

(b)   the third party’s information is relevant to the health consumer’s family, social or medical history; and

(c)    the applicant collects the third party’s information without obtaining the consent of the third party; and

(d)   the third party’s information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.[4]

Consistent with s 72(4) of the Privacy Act, PID 12A gives general effect to PID 12 for other health service providers in the same circumstances.

1.3      Provisions for Public Interest Determinations

The Privacy Act provides a mechanism for dealing with matters where the public interest in protecting the privacy of individuals needs to be considered in the context of other public interests, and where in some circumstances the protection of privacy should be set aside to some degree. 

This mechanism is given effect through the Information Commissioner’s power to make a PID on the basis of an application made under s73 of the Privacy Act for such a determination.  The Commissioner may make a PID setting aside the protection of the privacy of individuals by declaring that a specific act or practice of the organisation will not be a breach of certain NPPs.  Alternatively, the Commissioner may make a PID dismissing the application, thereby not setting aside the protection of the privacy of individuals.

1.4      Authority for making these determinations

The authority for the Privacy Commissioner to make PIDs rests in:

·                s12 of the Australian Information Commissioner Act 2010 (Cth)[5] (AIC Act), and

·                s72(2) of the Privacy Act. 

The Privacy Act provides that the Information Commissioner has certain functions and powers.

Section 12 of the AIC Act relevantly provides that the Privacy Commissioner may exercise the ‘privacy functions’, including functions conferred upon the Information Commissioner by an Act that relate to the privacy of an individual.  The privacy functions include functions conferred on the Information Commissioner by the Privacy Act.

Section 72(2) of the Privacy Act provides that the Information Commissioner may make a written determination about an organisation’s acts and practices if the Commissioner is satisfied that:

(a)        an act or practice of an organisation breaches, or may breach, an approved privacy code, or a National Privacy Principle, that binds the organisation; but

(b)        the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that code or Principle.

Public Interest Determination 12A is made pursuant to s72(4) of the Privacy Act, which states that:

The Information Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that organisation or any other organisation.

All requirements under Part VI of the Privacy Act, including notice of receipt and consultation requirements, have been met.

1.5      Application for a Public Interest Determination

On 14 October 2011, an application was made to the Privacy Commissioner under s73 of the Privacy Act for a PID that would, in effect, replace the existing PIDs 10 and 10A.  PIDs 10 and 10A have been in effect since December 2007 and are due to expire on 10 December 2011.  PIDs 9 and 9A, which had similar effect to PIDs 10 and 10A, were previously in place between December 2002 and December 2007.

The previous Public Interest Determinations that dealt with medical history collection are available as follows:

·                PID 9: www.comlaw.gov.au/Details/F2008B00573

·                PID 9A: www.comlaw.gov.au/Details/F2008B00574

·                PID 10: www.comlaw.gov.au/Details/F2007L04670

·                PID 10A: www.comlaw.gov.au/Details/F2007L04669

1.6      Relevant National Privacy Principle

The NPPs, set out in Schedule 3 to the Privacy Act, govern the collection, use, disclosure and other handling of personal information by private sector ‘organisations’.[6]

The application raised an issue relating to NPP 10, which prohibits an organisation from collecting ‘sensitive information’ (which is defined to include ‘health information’) unless a listed exception applies.  Those exceptions include where the collection is required by law and, most relevantly, where the individual consents to the collection.  The definitions for the relevant terms are provided in s6 of the Privacy Act and included in Attachment A.

The effect of NPP 10 would be to prohibit the applicant and other health service providers from collecting health information about a third party for the purpose of compiling a health consumer’s medical history, unless consent could be obtained from the third party.

1.7      Documents incorporated by reference

NPP 10.1 (contained in Schedule 3 of the Privacy Act), to which PIDs 12 and 12A relate, is incorporated by reference and available at Attachment A.

NPP 2.5 and 2.6 (under Schedule 3 of the Privacy Act), which determine the meaning of person ‘responsible’ for the purpose of PIDs 10 and 10A, are also incorporated by reference and can also be found at Attachment A.

The application that led to the making of PIDs 12 and 12A is available at: www.oaic.gov.au/publications/papers/consultation_paper_PID_application_dr_steve_hambleton.html#application

The Information Commissioner's notice of receipt of the application (required by s 74(1) of the Privacy Act) is available at: www.oaic.gov.au/publications/papers/consultation_paper_PID_application_dr_steve_hambleton.html

2.      Reasons for making determinations

2.1      Issues raised by the applicant

In applying for a PID, the applicant submitted that PIDs 12 and 12A, like their predecessors PIDs 9 and 9A, and 10 and 10A, would support the well-established clinical practice of collecting health information about third parties (such as family or household members) from an individual, where that information is directly relevant to the diagnosis, treatment or care of that individual.  The practice is commonly referred to as ‘medical history taking’ and is one of the factors used as an aid in medical assessment, diagnosis and treatment.  The practice is also necessary for the provision of quality health services to health consumers in allied health settings such as counselling and therapeutic health services, and residential and community aged care services.  However, in the absence of a PID expressly permitting the practice, the practice would be a breach of NPP 10.1, which states that an organisation must not collect sensitive information about an individual unless a prescribed exception to this general rule applies.

2.2      Operation of Public Interest Determinations 9 and 9A, and 10 and 10A

In approving the original PIDs 9 and 9A, a thorough stakeholder consultation process was undertaken.  Details of that process are set out in the statement of reasons for those PIDs.  No concerns regarding the operation of PIDs 9 and 9A were raised with the then Privacy Commissioner when those PIDs were in effect, nor with any of the stakeholder organisations and agencies that participated in the consultation process for the extension of the PIDs.

Similarly, in approving PIDs 10 and 10A, the then Privacy Commissioner again undertook a thorough stakeholder consultation process. Details of that process are set out in the statement of reasons for those PIDs. No concerns regarding the operation of PIDs 10 and 10A have been raised with the Privacy Commissioner or the Information Commissioner since those PIDs came into effect in December 2007, nor with any of the stakeholder organisations and agencies that participated in the consultation process for the extension of the existing PIDs.

PIDs 12 and 12A allow health service providers to collect health information about a third party from an individual, without the third party’s consent, for inclusion in the individual’s family, social or medical history, where that information is necessary to provide a health service to the individual.  In the absence of PIDs 12 and 12A, health service providers engaging in this practice could be in breach of NPP 10.1.  Accordingly, the effect of PIDs 12 and 12A is to permit the established and widely supported healthcare practice of medical history-taking to continue. 

In addition, PIDs 12 and 12A clarify that third party health information can also be collected from ‘a person responsible’ for an individual where the individual lacks the capacity to provide that information themselves.  The phrase ‘responsible person’ has the same meaning as in the Privacy Act (see Attachment A).  This is discussed further below under ‘2.5 Inclusion of provision for collection from a ‘person responsible’’.

2.3      Public interest considerations

In issuing PIDs 12 and 12A, the Privacy Commissioner took account of the matters raised in the application and the written submissions.  The Privacy Commissioner found that permitting the relevant practice accords with widely accepted healthcare practices that contribute to continuing, comprehensive and quality health care for individual consumers and better public health outcomes.  Importantly, the practice is generally known and accepted in the community, and is therefore likely to be consistent with individuals’ reasonable expectations of privacy.

Based on the available evidence presented by the applicant and submitters, the Privacy Commissioner considered that:

·                individual health assessment, diagnosis, treatment and care could be compromised if the proposed act is not permitted

·                requiring health and medical professionals to seek third party consent for the collection of relevant health information in these circumstances would be impractical and would delay the healthcare delivery process in individual cases

·                requiring a consent-based mechanism in these circumstances may have an unreasonably burdensome impact on the efficient and effective running of medical businesses, which may in turn reduce capacity to provide adequate and timely health services to the public.

The applicant submitted that the effect of PIDs 10 and 10A ‘continues to be of critical importance for health service providers in providing best practice assessment, diagnosis and care to patients’.  In particular, the applicant noted that collection of this type of information is used to inform efficient and accurate patient diagnoses and treatment plans. 

The key issue of continuing to support best practice in patient care was echoed in almost all of the submissions.  For example, one submitter stated that ‘being able to collect and store details of family medical histories is an essential public health measure which allows accurate preventative care, diagnosis, and treatment of individuals and their families’.  Similarly, another submitter stated that the effect of PIDs 10 and 10A is ‘of great significance to the safety and quality of healthcare’.

Several submissions supported the application on the basis that there is ‘a clear public interest in relation to the early diagnosis and treatment of inherited genetic conditions’.

One submitter also asserted that there is a clear public interest in continuing to enable the collection of the health information of a third party from ‘persons responsible’ for the individual, where the individual is incapacitated.

In assessing the public interest, the Privacy Commissioner also considered the extent to which the proposed act or practice is inconsistent with an individual’s reasonable expectation of privacy.  The practice of collecting health consumers’ family, social and medical histories for diagnosis, treatment and care – without the need to obtain third parties’ consent – is widespread, considered best clinical practice, and generally known and accepted in the community.  Several submissions made specific reference to the high degree of consumer awareness regarding the importance of family, social and medical history information in facilitating accurate diagnosis and treatment.  The proposition that this practice is consistent with individuals’ reasonable expectations is further supported by the lack of complaints about the operation of PIDs 9 and 9A, and 10 and 10A, over the past ten years, and by the absence of any submissions opposing Dr Hambleton’s application.

The potential harm to individuals’ privacy was also a factor considered by the Privacy Commissioner.  The confidential setting in which medical and allied health consultations occur provides reasonable safeguards to protect the information collected about both the patients themselves and other relevant third parties.  Existing ethical protocols in these settings mean that all health information is collected in an environment of, using the applicant’s words, ‘maximum consumer privacy (governed by professional codes of practice relating to confidentiality)’.  The context in which the information is collected therefore reduces the risk of harm to individuals through inappropriate use or disclosure of their sensitive information.

In addition to ethical clinical practice, the third parties’ information, once collected, will continue to be protected under NPPs 1 to 9 and 10.2 to 10.3.  For example, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation’s functions or activities, be collected only by lawful and fair means and in a way that is not unreasonably intrusive. 

NPP 2 provides protection regarding the use and disclosure of the information collected under PIDs 10 and 10A.  Under NPP 2, information collected may generally only be used or disclosed for the primary purpose of collection, such as establishing an individual’s family, social or medical history in order to provide a health service directly to the individual.  Exceptions do apply.  For example, under NPP 2.1(a), information may be used or disclosed for a directly related secondary purpose within the reasonable expectations of the person to whom the information relates.  Other limited exceptions are set out in NPP 2.1(b), and 2.1(d) to 2.1(h).  Overall, the remaining NPPs appear to provide adequately for the protection of information that may be collected under PIDs 12 and 12A.

Accordingly, the Privacy Commissioner found that the public interest in permitting the practice in the circumstances specified in PID 12 substantially outweighed the public interest in maintaining the privacy protections of NPP 10.1 in those circumstances.

3.        Operation of Public Interest Determinations 12 and 12A

PID 12 applies directly to the applicant, Dr Steve Hambleton, in his capacity as the provider of a ‘health service’ and hence an ‘organisation’ under the Privacy Act.

PID 12A applies to all other organisations that provide a ‘health service’ within the meaning of the Privacy Act (health service providers) where those organisations collect third party information in the circumstances specified by PID 12.

Under s6 of the Privacy Act, ‘health service’ means:

(a)                an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(i)            to assess, record, maintain or improve the individual’s health; or

(ii)          to diagnose the individual’s illness or disability; or

(iii)        to treat the individual’s illness or disability or suspected illness or disability; or

(b)                the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

Accordingly, the Privacy Act and these PIDs apply to all private sector organisations that deliver these types of services and hold health information, including small health service providers.[7]  The types of health services covered include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals, such as counsellors, as well as complementary therapists, gyms, weight loss clinics and many others.

4.        Consultation process

Part VI of the Privacy Act requires the Commissioner to conduct consultation before making a PID. 

Section 74 of the Privacy Act requires the Commissioner to publish, in such manner as they think fit, notice of the receipt of an application for a PID.

Pursuant to s74, on 20 October 2011, the Privacy Commissioner published on the website of the Office of the Australian Information Commissioner (the OAIC):

·                a copy of Dr Hambleton’s application, and

·                a consultation paper that included supporting information regarding Dr Hambleton’s application, the existing PIDs 10 and 10A, the issues raised by Dr Hambleton’s application, the Commissioner’s preliminary views, and how to make a submission regarding the application and proposed PIDs.[8]

All material was published in accessible and downloadable formats, and was available in hard copy on request.

The consultation was publicised:

·         by notation on the OAIC’s website

·         on the OAIC’s Twitter feed

·         through the OAIC email list, OAICnet, and

·         through the OAIC’s RDF Site Summary (RSS) feed.

In addition, the OAIC directly contacted (by letter or email) the following individuals and entities to notify them of Dr Hambleton’s application, and to invite submissions:

·                the members of the OAIC’s Privacy Advisory Committee,

·                the members of the Privacy Authorities Australia network, and

·                34 key privacy, health professional and health consumer stakeholder organisations.

The process resulted in 5 written submissions from a range of sectors, including state and territory health departments, health and privacy regulators, academia, and consumer groups. 

Attachment A

Relevant provisions in the Privacy Act 1988 (Cth)

‘Health information’ is defined in s6 of the Privacy Act as:

(a)   information or an opinion about:

(i)    the health or a disability (at any time) of an individual; or

(ii)   an individual’s expressed wishes about the future provision of health services to him or her; or

(iii)  a health service provided, or to be provided, to an individual; that is also personal information; or

(b)   other personal information collected to provide, or in providing, a health service; or

(c)   other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d)   genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

‘Sensitive information’ is defined in s6 of the Privacy Act as:

(a)   information or an opinion about an individual’s:

(i)    racial or ethnic origin; or

(ii)   political opinions; or

(iii)  membership of a political association; or

(iv)  religious beliefs or affiliations; or

(v)   philosophical beliefs; or

(vi)  membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix)  criminal record; that is also personal information; or

(b)   health information about an individual; or

(c)   genetic information about an individual that is not otherwise health information.

‘Person responsible’ is defined in NPP 2.5 as a person who is:

(a)   a parent of the individual; or

(b)   a child or sibling of the individual and at least 18 years old; or

(c)   a spouse or de facto spouse of the individual; or

(d)   a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e)   a guardian of the individual; or

(f)    exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g)   a person who has an intimate personal relationship with the individual; or

(h)   a person nominated by the individual to be contacted in case of emergency.

NPP 2.6 provides that, in NPP 2.5:

child of an individual includes an adopted child, a step-child and a foster-child, of the individual.

parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

NPP 10.1 states:

10.1     An organisation must not collect sensitive information about an individual unless:

(a)   the individual has consented; or

(b)   the collection is required by law; or

(c)   the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i)    is physically or legally incapable of giving consent to the collection; or

(ii)   physically cannot communicate consent to the collection; or

(d)   if the information is collected in the course of the activities of a non-profit organisation – the following conditions are satisfied:

(i)    the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii)   at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual's consent; or

(e)   the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.


[3]       See the definitions of ‘health service’ and ‘organisation’ in s6 of the Privacy Act, extracted at Annexure A.  See also s6D(4)(b) of the Privacy Act: www.comlaw.gov.au/Series/C2004A03712

[4]       ‘Person responsible’ has the same meaning as defined in NPP 2.5 and 2.6; see Attachment A.

[6] See s6C of the Privacy Act.

[7]       Section 6D of the Privacy Act exempts ‘small business operators’, from the operation of the Act.  However, the definition of ‘small business operator’ excludes an entity that ‘provides a health service to another individual and holds any health information except in an employee record’ (s6D(4)(b)).

[8]     www.oaic.gov.au/news/consultations.html#dr_hambleton