For Your Information: Australian Privacy Law and Practice – key

recommendations for health information privacy reform

Professor Rosalind CroucherPresident, ALRC

1

Time line

• 1982 – FOI Act (Cth)• 1983 – Archives Act (Cth)• 1988 – Privacy Act (Cth)• 2000 – Privacy (Private Sector)

2

Time line

• 2004 – Privacy Commissioner review of private sector provisions

• 2005 – Senate Legal and Constitutional Affairs Committee inquiry into Privacy Act

• 2006 – Privacy Act amendments to include ‘genetic information’

3

Time line

• 2006 – January referral to ALRC• 2006 – COAG agrees to national approach• 2008 – May, ALRC report• 2009 – October, Government response• 2009 – Dec, COAG agreement re e-health

4

Time line

• 2010 – Privacy Commissioner into Office of the Australian Information Commissioner

• 2010 – Health Identifiers Bill• 2011 – June, Draft Australian Privacy

Principles

5

6

Terms of Reference

• the effectiveness of privacy laws in Australia given:– rapid advances in information,

communication, storage, surveillance and other technology

– possible changing community perceptions around privacy

– expansion of state & territory activity in this area

Terms of Reference

8

The need of individuals for privacy protection in an evolving technological environment

The desirability of minimising the regulatory burden on business in this area

Competing tensions

9

autonomy public interests

Spectrum

protection openness

10

Secrecy obligations?

11

Federal interest in privacy

12

Part A – Introduction Part B – Developing Technology Part C – Interaction, Inconsistency

and Fragmentation Part D – The Privacy Principles Part E – Exemptions Part F – Office of the Privacy

Commissioner Part G – Credit Reporting Provisions Part H – Health Services and

Research Part I – Children, Young People and

Adults Requiring Assistance

Part J – Telecommunications Part K – Protecting a Right to Personal

Privacy3 volumes, 74 chapters, 295 recommendations

Key Recommendations

• Rationalisation of the Privacy Principles

• Greater national harmonisation – same privacy principles to apply across Australia

• Fewer exemptions

• Greater enforcement powers for the OPC

• Mandatory data breach notification

• Cause of action for serious invasions of privacy

Health information

15

Privacy of health information and e-health strategies

Ensuring that the Privacy Act is not an impediment to appropriate information sharing among health care professionals

What constitutes appropriate consent in particular contexts

Development of nationally consistent rules for handling all health information

New Regulatory FrameworkOne Set of (High Level) Privacy Principles

1 Anonymity and Pseudonymity2 Collection3 Notification4 Openness5 Use and Disclosure6 Direct Marketing (org only)7 Data Quality8 Data Security9 Access and Correction10 Identifiers (org only)11 Cross-border Data Flows

Regulations- can impose more specific - and more or

less stringent - requirements

Industry codes - to deal with operational matters

OPCGuidance

Achieving National Consistency

Privacy Act 1988 (Cth) – apply to Cth public sector and private sector

State and territory privacy laws - not apply to private sector organisations

Major impact on health privacy legislation by excluding state and territory privacy laws applying to organisations - eg:

- Health Records and Information Privacy Act 2002 (NSW)

- Health Records Act 2001 (Vic)

- Health Records (Privacy and Access Act) 1997 (ACT)

Government response• Stage 1 (legislation within 12 to 18 mths of 11 Aug 08)

– one set of privacy principles – credit reporting and health regulations– Education/legislation concerning issues of new technology– work with states and territories towards harmonisation

• Stage 2– removal of exemptions– data breach notification– statutory cause of action

• Concurrent– Powers of OPC– OPC guidance

Health Identifiers

• National shared system• Underpinned by enabling legislation• Build on Medicare infrastructure• Consent of individual not required to

assign UHI (unique healthcare identifier)

19

Health Identifiers

• Control use • Subject to privacy principles• Sanctions – criminal offences• Purpose – sharing of healthcare info for

management of patients

20

For information about ALRC work, copies of speeches and presentations

ALRC website – all papers available online (free):

www.alrc.gov.au

Email: info@alrc.gov.au

GPO Box 3708, Sydney 2001

21