2 August 2017

Our reference: D2017/005512

Mr Craig Purdon
Project Manager
Communications Alliance Ltd

Via email: c.purdon@commsalliance.com.au

Dear Mr Purdon

Priority Assistance for Life Threatening Medical Conditions Guideline (DR G609:2017)

Thank you for the opportunity to comment on the proposed Priority Assistance for Life Threatening Medical Conditions Guideline (DR G609:2017) (the Guideline).

I understand that the Guideline is intended to replace the Priority Assistance for Life Threatening Medical Conditions Code (ACIF C609:2007) (the Code), in order to provide flexibility around how telecommunications service providers (Suppliers) might offer priority assistance to customers with life threatening medical conditions.

From a privacy perspective, I consider that the Guideline can serve as a reminder and practical tool to assist Suppliers in meeting their obligations to protect personal information under the Privacy Act 1988 (Privacy Act). This in turn may help to improve customer trust regarding the way that Suppliers handle their sensitive information when applying for or taking advantage of priority assistance services.

I make some general suggestions and comments below that are intended to assist Suppliers to understand their responsibilities under the Privacy Act.

Requirements when collecting and handling health information

While I appreciate that paragraph 4.11 provides an overview of Suppliers’ Privacy Act obligations, these could be made clearer by aligning the terms used in the paragraph with those used in the Act. In particular, we suggest that references to ‘information’ are changed to ‘personal information’, and that a definition of ‘personal information’ and ‘sensitive information’, consistent with s 6(1) of the Privacy Act, be included in the Guideline’s definitions section.

Given that Suppliers will handle health information about customers who apply for and use priority assistance services, I also welcome the reminder (under boxed ‘Note’ in paragraph 4.11 of the Guideline) about the higher protections for health information under the Privacy Act. I note that in general terms, Australian Privacy Principle (APP) 3.3 requires entities to only collect sensitive information (including health information) with the individual’s consent and for this information to be reasonably necessary for one or more of the entity’s functions (some exceptions apply). I suggest that some additional detail could be included in the Guideline to minimise the risk of inadvertent collection of unnecessary health information about customers.

For instance, it may be useful for paragraph 4.11 to include a similar statement to the note in Appendix B, to the effect that:

‘The Guideline does not authorise Suppliers to collect information regarding the customer’s medical condition. Suppliers must obtain customer consent to collect certification from their medical practitioner that the individual’s medical condition is covered by the generic Eligibility Criteria’.

In addition, the risk of unsolicited collection of sensitive information, including from customers, may be further minimised by drawing Suppliers’ attention to their obligations under APP 5, to notify customers about the collection of their personal information. As a matter of good privacy practice, paragraph 4.11 of the Guideline could remind Suppliers to notify customers that Suppliers only require a general certificate of eligibility, and that customers are not required to provide any details about their medical condition.

I also understand that the Guideline does not refer to external complaint handling bodies and suggest that this may be a useful reference to include in the Guideline.

Small business exemption

While the Privacy Act generally applies to Suppliers of priority assistance services, I note that some Suppliers may be exempt if they are defined as a ‘small business operator’ under s 6D of the Privacy Act[1]. To encourage privacy best practice for small business Suppliers, we suggest that the Guideline could include a broader obligation on all Suppliers to handle personal information in accordance with the APPs. It may also be useful to draw attention to the ability for service providers not otherwise covered by the Privacy Act to ‘Opt-in’ to coverage, under s 6EA of that Act[2].

Deregistration of the current Code

While the Telecommunications Act 1997 (s 119A) requires consultation with the Australian Information Commissioner on variations to industry codes where there are privacy impacts (s 113(3)(f)), it is my understanding that such consultation is not required for industry guidelines. Should the Code be deregistered, and given that the Priority Assistance Guideline deals with processes for handling sensitive information by Suppliers, I would welcome the opportunity to be consulted on future variations of the Guideline.

If you would like to discuss any of these comments or have any questions, please contact Sophie Higgins on [contact details removed].

Yours sincerely

Andrew Solomon
Acting Deputy Commissioner

2 August 2017

Footnotes

[1] For more information about the circumstances in which the small business exemption applies, see Privacy business resource 10: Does my small business need to comply with the Privacy Act? (available at www.oaic.gov.au)

[2] Further information can be found on the Opt-in register page, available at https://www.oaic.gov.au/privacy-law/privacy-registers/opt-in-register