The Commonwealth Government is currently consulting with the public in relation to potentially broad changes to Australia’s key piece of privacy legislation, the Privacy Act 1988 (Cth) (Act). Any changes to the manner in which personal information can be handled will be relevant to businesses with health or medical information; however there is also the potential for amendments with respect to specific health matters.
The current review of the Act has arisen as part of the Government’s response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. Although that Inquiry was focussed primarily on the dominance of Google and Facebook in digital advertising markets, the recommendations made by the ACCC were wide reaching, including suggesting specific changes to the Act as well as a recommendation for ‘Broader reform of Australian privacy regime to ensure it continues to effectively protect consumers’ personal information in light of the increasing volume and scope of data collection in the digital economy‘.
In response, the Government released an Issues Paper in October 2020 (Paper), seeking feedback on a broad range of possible changes to the Act. The Paper suggests an appetite for potentially significant change, with the only matters expressly out of scope being the highly specialised credit reporting regime, and data generated by the COVIDsafe app.
Amongst the questions put forward in the Paper are a number that specifically relate to health matters.
Under section 16B of the Act as it currently exists, there are a list of ‘permitted health situations’, in which the collection, use or disclosure may be allowed where this would not otherwise be the case. These include circumstances such as:
- collection of certain information from patients where necessary to provide health services;
- incapacity of a patient receiving a health service;
- providing information to genetic relatives where relevant to a serious threat to their health; and
- certain public health research.
A similar provision at 16A of the Act includes similar ‘permitted general situations’, some of which allow use or disclosure of personal information where reasonably believed to be necessary to lessen or prevent a serious threat to the health of any individual, or to public health.
The Paper asks whether ‘the current general permitted situations and general health situations’ are ‘appropriate and fit-for-purpose‘, and invites suggestions as to whether ‘any additional situations be included‘. In its submission, for example, the Commonwealth Department of Health proposes changes to permitted general situations, noting that exceptions which rely on a ‘serious threat’ to an individual’s health still leave scope for adverse health outcomes that fall short of this high threshold.
A wide range of other proposals put forward in the Paper also have scope to significantly impact upon the manner in which health information is handled, including:
- higher standards when handling personal information about children;
- more explicit protections for information (especially sensitive information) which can be inferred from other data held;
- a potential right for individuals to seek erasure of their personal information;
- whether individuals should have direct rights of action to enforce their rights under the Act, and/or under a new statutory tort for serious invasions of privacy; and
- possibly seeking to align the Act more closely with the European Union’s General Data Protection Regulation (GDPR).
The Paper also solicits feedback on the interaction between the Act and other regulatory schemes, including the protections associated with the My Health Record system.
The Attorney-General’s Department is currently reviewing submissions received in response to the Paper, with a view to releasing a further discussion paper later this year.
This article was written by Luke Dale, Partner and Daniel Kiley, Special Counsel.