Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner

What should health service providers consider before taking a photo of a patient on a mobile phone?

Most, if not all, smartphones and tablets incorporate a digital camera and sufficient memory to save and store thousands of images. Some mobile device applications (apps) have been developed and optimised specifically for the purpose of storing and sharing patient photos. Health service providers need to be careful when using photo-sharing apps. To ensure compliance with the Privacy Act 1988 (Privacy Act), providers need to take several things into account before taking and sharing photos of patients:

Is the patient identifiable from the image?

Uploading a photograph would involve personal information under the Privacy Act if a patient is reasonably identifiable from that information. If the image includes health information about the person or is collected to provide a health service it is ‘sensitive information’ for the purposes of the Privacy Act and there are stricter requirements around its collection, use and disclosure. See the Australian Privacy Principles guidelines (Chapter B, Key Concepts) for more information on personal information and sensitive information.

De-identified information is not considered to be ‘personal information’ under the Privacy Act. An image can be de-identified by removing any information that might allow the individual to be identified, including rare characteristics or a combination of unique characteristics. This might include facial features and other distinctive physical details like a rare visible medical condition, physical marking or tattoo. Many photo-sharing apps have a feature that allows health care providers to conceal a patient’s face or distinctive markings. Health care providers should consider carefully whether these features sufficiently de-identify the person before the image is used or disclosed. Even if a patient is not identifiable, it would be good practice to obtain consent before collecting, using or disclosing the image.

Health service providers using devices to take images of patients involving personal information will usually need to ensure that they have the appropriate consent to collect the image (for example, when they take the photograph) and to use or disclose that image (for example, when sharing it with other health professionals or including it in a presentation or journal article). There are limited exceptions to the need to obtain consent outlined in the Australian Privacy Principles in the Privacy Act, such as where there is a serious threat to life or health.

When seeking the patient’s consent, health service providers should ensure the patient has all the information the patient needs to make an informed decision, including how the image might be used and disclosed in the future (as outlined in the privacy policy for the app). See the Australian Privacy Principles guidelines (Chapter B, Key Concepts) for more information on consent.

Is the image kept secure?

Health service providers must take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What constitutes ‘reasonable steps’ will depend on the circumstances and further detail can be found in the OAIC’s Guide to securing personal information. Health service providers who store photos involving personal information on a mobile phone or tablet will need to make sure that their security settings are adequate to protect the information.

Images of patients showing medical conditions are likely to be highly sensitive and there could be difficulties in controlling how images are used and disclosed once they are shared over a photo-sharing app. Health service providers should carefully consider whether they are able to maintain control of images when using photo-sharing apps. In particular, health service providers should consider the privacy policy for any photo-sharing app that they plan to use to ensure they understand how images they take will be used, disclosed and stored. Where disclosing to an overseas entity, health service providers also need to consider whether they comply with the requirements in APP 8 regarding cross-border disclosure. See the Australian Privacy Principles guidelines (Chapter 8) for more information.
