Speech by Professor Rosalind Croucher* at the Managing Patient Confidentiality & Information Governance Forum, 22 August 2011, Melbourne.
For Your Information: Australian Privacy Law and Practice – key recommendations for health information privacy reform
Professor Rosalind Croucher
President, ALRC
Time line
• 1982 – FOI Act (Cth)
• 1983 – Archives Act (Cth)
• 1988 – Privacy Act (Cth)
• 2000 – Privacy (Private Sector)
• 2004 – Privacy Commissioner review of private sector provisions
• 2005 – Senate Legal and Constitutional Affairs Committee inquiry into Privacy Act
• 2006 – Privacy Act amendments to include ‘genetic information’
• 2006 – January referral to ALRC
• 2006 – COAG agrees to national approach
• 2008 – May, ALRC report
• 2009 – October, Government response
• 2009 – Dec, COAG agreement re e-health
• 2010 – Privacy Commissioner into Office of the Australian Information Commissioner
• 2010 – Health Identifiers Bill
• 2011 – June, Draft Australian Privacy Principles
Terms of Reference
• the effectiveness of privacy laws in Australia given:
  – rapid advances in information, communication, storage, surveillance and other technology
  – possible changing community perceptions around privacy
  – expansion of state & territory activity in this area
Terms of Reference
The need of individuals for privacy protection in an evolving technological environment
The desirability of minimising the regulatory burden on business in this area
Competing tensions
Spectrum: autonomy / public interests; protection / openness
Secrecy obligations?
Federal interest in privacy
Part A – Introduction
Part B – Developing Technology
Part C – Interaction, Inconsistency and Fragmentation
Part D – The Privacy Principles
Part E – Exemptions
Part F – Office of the Privacy Commissioner
Part G – Credit Reporting Provisions
Part H – Health Services and Research
Part I – Children, Young People and Adults Requiring Assistance
Part J – Telecommunications
Part K – Protecting a Right to Personal Privacy
3 volumes, 74 chapters, 295 recommendations
Key Recommendations
• Rationalisation of the Privacy Principles
• Greater national harmonisation – same privacy principles to apply across Australia
• Fewer exemptions
• Greater enforcement powers for the OPC
• Mandatory data breach notification
• Cause of action for serious invasions of privacy
Health information
Privacy of health information and e-health strategies
Ensuring that the Privacy Act is not an impediment to appropriate information sharing among health care professionals
What constitutes appropriate consent in particular contexts
Development of nationally consistent rules for handling all health information
New Regulatory Framework
One Set of (High Level) Privacy Principles
1 Anonymity and Pseudonymity
2 Collection
3 Notification
4 Openness
5 Use and Disclosure
6 Direct Marketing (org only)
7 Data Quality
8 Data Security
9 Access and Correction
10 Identifiers (org only)
11 Cross-border Data Flows
Regulations - can impose more specific - and more or less stringent - requirements
Industry codes - to deal with operational matters
OPC Guidance
Achieving National Consistency
Privacy Act 1988 (Cth) – apply to Cth public sector and private sector
State and territory privacy laws - not apply to private sector organisations
Major impact on health privacy legislation by excluding state and territory privacy laws applying to organisations - eg:
- Health Records and Information Privacy Act 2002 (NSW)
- Health Records Act 2001 (Vic)
- Health Records (Privacy and Access) Act 1997 (ACT)
Government response
• Stage 1 (legislation within 12 to 18 mths of 11 Aug 08)
  – one set of privacy principles
  – credit reporting and health regulations
  – Education/legislation concerning issues of new technology
  – work with states and territories towards harmonisation
• Stage 2
  – removal of exemptions
  – data breach notification
  – statutory cause of action
• Concurrent
  – Powers of OPC
  – OPC guidance
Health Identifiers
• National shared system
• Underpinned by enabling legislation
• Build on Medicare infrastructure
• Consent of individual not required to assign UHI (unique healthcare identifier)
• Control use
• Subject to privacy principles
• Sanctions – criminal offences
• Purpose – sharing of healthcare info for management of patients
For information about ALRC work, copies of speeches and presentations
ALRC website – all papers available online (free):
www.alrc.gov.au
GPO Box 3708, Sydney 2001