Privacy Law Reforms

The impact on medical practices

The changes are not expected to add major obligations on medical practices; however, the following issues should be considered:¹

• A medical practice must have a privacy policy clearly specifying what information will be collected, how it will be used, and a process for individuals wishing to complain about privacy breaches. This requirement is more prescriptive than the previous NPP requirements.
• Where practicable, the privacy policy must be provided in the format requested by the individual, e.g. by email.
• If a medical practice uses an overseas transcription service, it should ensure that the overseas recipient has the same or similar levels of privacy protection as specified under the APPs. Where the overseas recipient does not have the same level of protection, the practice must obtain the individual’s consent to transfer the information. Prior to this, the practice must inform the individual of what countries the information is going to and how to complain about a privacy breach in that country.
• In limited circumstances, a medical practitioner is permitted to use or disclose information about a patient to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety (note the word “imminent” has been removed in the APPs).

Who oversees compliance with the changes?

The Office of the Australian Information Commissioner (OAIC) is now responsible for this and the Information Commissioner has significantly greater powers to encourage and enforce compliance. These powers include investigation and audit, making determinations and commencing legal proceedings. The Information Commissioner may also impose a fine on an organisation (up to $1.7 million) or individual (up to $340,000) for a breach of the legislative requirements. However, it is unlikely that a medical practice, doctor or their staff will be fined unless their conduct represents a serious and/or repeated breach.

What actions are recommended before March 2014?

It is recommended that medical practices audit existing policies and procedures to identify any areas of concern. The findings can be used to facilitate a revision of the practice’s privacy policy to ensure compliance with the APPs.

An ideal tool to assess existing policies and processes against the APPs is the OAIC’s Privacy Act reforms – Checklist for APP entities (agencies) available on the OAIC website.

What should a privacy policy cover?²

A privacy policy should cover:

• the kind of information collected
• how and for what purpose it is collected, held, and used
• disclosure to any other persons or agencies, the identity of those agencies, what is disclosed and for what purpose/s
• the process for an individual to access the information, for what purpose and why
• where access by the individual is withheld, why, and how the individual is notified
• consent process for the collection of information and situations where consent is not required
• complaint process for individuals who wish to complain about a breach of privacy or confidentiality
• whether information may be disclosed to overseas recipients and to what countries.

Although not required under privacy law, it is also recommended that the practice’s privacy policy addresses:

• staff training and confidentiality agreements
• policy review timeframes
• processes for dealing with unauthorised access to individuals’ health information, including who must be notified in the event of a breach.

Allyson Alker, MDA National Risk Adviser

1. Office of the Australian Information Commissioner website at oaic.gov.au/privacy/privacy-act/privacy-law-reform accessed on 27 Sept 2013.
2. Office of the Australian Information Commissioner. Australian Privacy Principles: Privacy Fact Sheet 17. Canberra: OAIC, 2013.