Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Consideration of application for a Public Interest Determination – Collection of family, social and medical histories: Consultation Paper

(PDF)

Closing date for comment Friday 11th November 2011

 

Purpose

The Australian Privacy Commissioner has received an application from Dr Steve Hambleton, President of the Australian Medical Association (AMA) for a Public Interest Determination (PID) under s. 73 of the Privacy Act 1988 (Cth) (Privacy Act). The application concerns the collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent. In the absence of a determination, such acts or practices may be in breach of the Privacy Act.

Public interest determinations 10 & 10A currently permit the collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent.  These determinations expire on 10 December 2011.

The Office of the Australian Information Commissioner (OAIC) has issued this paper to assist interested parties in preparing comments as part of the Australian Privacy Commissioner's consideration of the application and the making of a determination.

This Consultation Paper, the application, the draft determinations, the existing public interest determinations, the reasons for making those determinations and other relevant information are available from the OAIC's web site at http://www.oaic.gov.au/ or in hard copy on request.

How to make comments

The Australian Privacy Commissioner invites your comments on the issues rasied by the application and the scope and nature of the draft determinations. The closing date for comment is Friday 11 November 2011.

Submissions can be made to consultation@oaic.gov.au, GPO Box 5218 Sydney NSW 2001 or TTY 1800 620 241 (no voice calls).

Note: The OAIC intends to make all submissions publicly available.  Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

While submissions may be lodged electronically or by post, electronic lodgment is preferred. It would also be appreciated if your submission could be provided to us in a web accessible format or alternatively in a format that would allow us to easily convert to HTML code eg; Rich Text Format (.rtf) or Microsoft Word (.doc).

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering the making of a PID.

Background and legislation overview

Provisions for Public Interest Determinations

In limited circumstances, the Privacy Act enables the Australian Privacy Commissioner to examine a matter and, if appropriate, to issue a PID that permits certain activities that may otherwise breach a National Privacy Principle (NPP).

The Australian Privacy Commissioner may make a PID under s 72 of the Privacy Act by declaring that a specific act or practice of the organisation will not be a breach of the NPPs, where they are satisfied that the public interest in doing so substantially outweighs the public interest in adhering to the NPP in question.

Where a PID is issued the Australian Privacy Commissioner may also decide to issue a determination under s 72(4) of the Privacy Act giving general effect to the PID. A generalising determination has the effect of permitting other organisations (not just the applicant) to undertake the act or practice that is the subject of the PID, without breaching the Privacy Act.

PIDs 10 & 10A

PIDs 10 and 10A were made in response to an application made by Dr Hobbs, then Chair of the Australian General Practice Network Limited (AGPN), to the former Office of the Privacy Commissioner on 21 August 2007. They replaced PIDs 9 and 9A which expired on 10 December 2007. Dr Hobbs application sought a determination from the Privacy Commissioner allowing health service providers to collect third party health information that is relevant to a patient's family or social medical histories, without the third party's consent.

In the absence of a determination, the collection of third-party health information for family or social medical histories would breach National Privacy Principle (NPP) 10, which regulates the collection of sensitive information (including health information) under the Privacy Act 1988 (Cth) (Privacy Act). This principle establishes a prohibition against collecting sensitive information, unless a prescribed exception applies, such as where the individual consents.

PID 10 relates directly to the PID application Dr Hobbs made in 2007. In brief, it enables Dr Hobbs to collect the personal information of a third party that is relevant to a patient's family or social medical histories, without breaching NPP 10. PID 10A gives general effect to PID 10 by permitting all health service providers to lawfully collect medical histories in the same way. PIDs 10 and 10A are available on FRLI at: http://www.comlaw.gov.au/.

During the consultation process for PIDs 10 and 10A an additional substantive issue was raised, namely that good clinical practice may require the collection of the relevant third party health information from a 'person responsible' for a health consumer when the consumer is incapable of providing that information themselves. Examples of where this need may arise include in the treatment and care of patients living with dementia or intellectual disabilities.

The Privacy Commissioner wrote to 14 key privacy, health professional and health consumer stakeholders seeking views on this issue. Attendees at the conference offered the view that PIDs 10 and 10A should provide a mechanism for permitting collection of third-parties' health information from a 'person responsible' where the health consumer is not capable of providing that information themselves. The Commissioner was satisfied that the public interest in addressing this issue substantially outweighed the public interest in protecting privacy in compliance with the NPPs. Accordingly, PIDs 10 and 10A make provision for this type of collection.

Expiration of PIDs 10 & 10A

PIDs 10 and 10A expire on 10 December 2011. Accordingly, new PIDs will have to be made before this date in order for health service providers to continue to lawfully collect third party health information that is relevant to a patient's family or social medical histories.

Privacy law reform

The former Office of the Privacy Commissioner (OPC) publicly acknowledged the clinical value of family and social medical history information, and recognised the widespread support for the activity in the health sector in its submissions to the Australian Law Reform Commission (ALRC) review of Australian privacy law and practice. In its submissions to the ALRC the OPC recommended that the Privacy Act be amended to allow health service providers to collect third party health information that is relevant to a patient's family or social medical histories, without the third party's consent.[1]

The ALRC released its Final Report 108 ‘For your Information: Australian Privacy Law and Practice' in August 2008.[2] In this report the ALRC recommended that new health regulations should include provisions based upon PIDs 10 and 10A.[3] The Australian Government in its First Stage Response to the ALRC Report accepted that an amendment should be made to overcome the need to issue PIDs in relation to this matter, although it indicated this should be achieved by way of amending the Privacy Act.[4] The Senate Finance and Public Administration Committee is currently considering Exposure Drafts of Australian Privacy Amendment Legislation, however, it is unlikely that any legislative reforms to the Privacy Act will be completed by December 2011.

Application for a Public Interest Determination

On 14 October 2011, the Australian Privacy Commissioner received an application from Dr Steve Hambleton, President of the AMA for a PID under s 73 of the Privacy Act. Dr Steve Hambleton, the applicant, is an ‘organisation' for the purposes of s. 6C of the Privacy Act.

In the application, Dr Hambleton states he is seeking a new PID, consistent with PIDs 10 & 10A, as he considers the effect of the PID to be of critical importance for health service providers in providing best practice assessment, diagnosis and care to patients. Dr Hambleton states that in conducting the clinical assessment and treatment of patients he is required to engage in the act or practice of collecting health information about a third party (family members) to inform an accurate diagnosis and treatment plan.

Dr Hambleton notes there is a large body of evidence supporting the collection of third party health information, such as family history, as a fundamental part of the diagnosis and treatment regime for health service providers. Further, he submits it is common practice for medical practitioners, when considering a diagnosis, to ask the patient if there is any family history of the disease.

Dr Hambleton expresses the view that there remains a clear public interest in issuing a new PID to permit health service providers to continue collecting health information about another individual as part of a clinician's consultation with a patient. In particular, he maintains the matters of public interest addressed in the application made by Adelaide Community Healthcare Alliance Incorporated (ACHA Health) for previous PIDs 9 and 9A remain highly relevant. Specifically, the public interest is served by the efficient and accurate diagnosis of patients by health service providers.

Dr Hambleton notes that without a PID on this issue health service providers would be required to obtain the consent of third parties to collect personal and health information on these persons, and notify third parties of the collection of their information. Dr Hambleton asserts this is clearly impractical and could compromise the health care of patients.  In addition, if a patient's social, family or medical history is not sought, this could require increased investigation procedures and possibly result in litigation in relation to medical negligence claims.  Further, Dr Hambleton is of the view, as stated by ACHA Health in its application, the absence of a PID to exempt health care providers from NPP 10, would result in significant inefficiencies and impracticalities, which would have a detrimental effect on the provision of quality health care.

Dr Hambleton states that he considers it important to highlight the comments made in submissions during the previous consultation process, which noted that standards for the accreditation of general practitioners include the collection of current and accurate health summaries, including pertinent medical or social history information for patient care. Indeed, this practice is considered best-practice clinical care.  He submits a patient's social, family or medical history information is collected in an environment of maximum consumer privacy (governed by professional codes of privacy and confidentiality) and clinicians are bound to treat personal information collected in the course of providing a health service as confidential, regardless of the person to whom the particular facts or opinions relate.

Dr Hambleton asserts the collection of a patient's full medical history, including social and family history, is considered best practice and in his experience the majority of patients have an expectation that questions of this nature will be asked. There is also a level of understanding among the general public of the importance of this history in informing their diagnosis and treatment.

Collection of third party health information

The application raises an issue relating to NPP 10. NPP 10 prohibits ‘organisations' from collecting ‘sensitive information' (which is defined to include ‘health information') unless a prescribed exception applies.  These exceptions include where the collection is required by law and, most relevantly, where the individual chooses to consent to the collection. 

If the determination sought by the applicant is granted health service providers will be allowed to collect third party health information from an individual, without the third party's consent, for inclusion in the individual's family, social or medical history where that information is necessary to provide a health service to the individual.  It will also clarify that third party health information can also be collected from ‘a person responsible' for an individual where the individual lacks the capacity to provide that informational themselves. In the absence of the determination, health service providers engaging in this practice could be in breach of NPP 10.1.  Accordingly, the likely effect of the determination will be to permit the established and widely supported healthcare practice of medical history-taking to continue. 

Preliminary View

Subject to the result of this consultation, the OAIC proposes that the determination at Attachment A and the generalising determination at Attachment B would be made for a period of 5 years. 

The right to privacy is not absolute and in some circumstances, privacy rights will necessarily give way where there is a compelling public interest reason to do so. In these instances, it is necessary to ensure that the solution implemented minimises the intrusion to the fullest extent possible in the circumstances. In making the determination it is important to get the balance right between protecting individual privacy and providing effective health services to all Australians.

The present application is substantially similar to previous applications received by the OPC which led to the making of PIDs 9 and 9A and PIDs 10 and 10A. In assessing the public interest for PIDs 10 & 10A the OPC considered a number of factors including:

  • the important role the collection of social, family or medical histories from health consumers across all clinical settings and by all clinicians plays in delivering best practice health care;
  • the extent to which the practice of collecting health consumers' family, social and medical histories for diagnosis, treatment and care - without the need to obtain third parties' consent - is widespread, considered best clinical practice and generally known and accepted in the community;
  • the way in which the risk of harm to individuals through inappropriate use or disclosure of their sensitive information is reduced through the confidential setting and existing ethical protocols which exist for the collection of relevant information about both health consumers themselves and other relevant third parties; and
  • the fact that third parties' information, once collected, will continue to be protected under NPPs 1 to 9 and 10.2 to 10.3. For example, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation's functions or activities, be collected only by lawful and fair means and in a way that is not unreasonably intrusive. Further, NPP 4.1 protects the security of personal information by providing thatan organisation ‘must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'.

The OAIC notes that when considering PID applications 9, 9A, 10 & 10A, the then OPC conducted thorough stakeholder consultations. There was no opposition to the making of these PIDs.

Submissions

The Australian Privacy Commissioner invites your comments on the issues raised by the application and the scope and nature of the draft determination.

Written submissions could usefully address matters such as:

  • the potential for the proposed act or practice to harm the interests of individuals
  • the extent to which the proposed act or practice is inconsistent with an individual's reasonable expectation of privacy
  • the nature of the public interest objectives served by the proposed interference with privacy
  • the impact on the public interest if the proposed act or practice is not permitted.

The Australian Privacy Commissioner would also welcome comments on the appropriateness of making a determination that gives general effect to the PID. That is, to allow other health service providers to perform the permitted act or practice in the same circumstances as the applicant.

Expressions of interest for a conference on draft determinations

Under ss 75 and 76 of the Privacy Act, the Australian Privacy Commissioner is required, under certain circumstances, to hold a conference on a draft determination made in response to an application for a PID.

Accordingly, interested parties are invited to consider whether a conference should be held to discuss the draft determinations. If you consider that a conference should be held please advise the OAIC by Friday 11 November2011 via consultation@oaic.gov.au, GPO Box 5218 Sydney NSW 2001 or TTY 1800 620 241 (no voice calls).

If held, the conference must take place within 30 days after the last day on which interested parties can make a request for a conference. It is proposed that if a conference is requested, it will take place in Sydney in the week commencing 21 November 2011.

If no request for a conference is received the Australian Privacy Commissioner will proceed to make the determination in accordance with the Privacy Act.


Attachment A

Draft Public Interest Determination

Collection of Family, Social and Medical Histories

Privacy Act 1988, Part VI

In relation to National Privacy Principle 10.1

Effective: 11 December 2011 to 10 December 2016

Under s.72(2) of the Privacy Act 1988 (Cth) (Privacy Act) I, Timothy Pilgrim, Australian Privacy Commissioner, determine that I am satisfied that:

  1. Dr Steve Hambleton (the applicant) is an organisation for the purposes of s.6C of the Privacy Act. The applicant has applied under s.73 of the Privacy Act for a Public Interest Determination in relation to the acts and practices set out in (2) below; and
  2. The applicant collects health information from an individual (a 'health consumer'), or from a person responsible* for the health consumer, about another individual (a ‘third party') in circumstances where:
    1. the collection of the third party's information into the health consumer's family, social or medical history is necessary for the applicant to provide a health service directly to the health consumer; and
    2. the third party's information is relevant to the health consumer's family, social or medical history; and
    3. the applicant collects the third party's information without obtaining the consent of the third party; and
    4. the third party's information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.
  1. the acts and practices set out in (2) above breach or may breach National Privacy Principle 10.1 in relation to the collection of the third party's information; and
  2. the public interest in the applicant doing the acts, or engaging in the practices, set out in (2) above substantially outweighs the public interest in adhering to National Privacy Principle 10.1 in those circumstances; and
  3. this determination should remain in force for a period not exceeding 5 years from 11 December 2011 to 10 December 2016 (inclusive).

* ‘person responsible' has the same meaning as defined in National Privacy Principle 2.5 and 2.6.  

 

Timothy Pilgrim

Australian Privacy Commissioner

XX December 2011


Attachment B

General Effect Draft Public Interest Determination

Collection of Family, Social and Medical Histories

Privacy Act 1988, Part VI

 

In relation to National Privacy Principle 10.1

Effective:     11 December 2011 to 10 December 2016

Under s.72(4) of the Privacy Act 1988 (Cth) (Privacy Act) I, Timothy Pilgrim, Australian Privacy Commissioner, determine that:

No organisation providing a health service is taken to contravene s.16A of the Privacy Act if, while Public Interest Determination No.X is in force, the organisation does an act, or engages in a practice, that is the subject of Public Interest Determination No. X.

 

Timothy Pilgrim

Australian Privacy Commissioner

XX December 2011

 


[1] See pages 301-303 of the OPC's Submission to the ALRC's Review of Privacy Issues Paper 31 and pages 664-666 of the OPC's Submission to the ALRC's Review of Privacy Discussion Paper 72. These submissions are available at http://www.privacy.gov.au/.

[2]http://www.austlii.edu.au/au/other/alrc/publications/reports/108/.

[3] ALRC recommendation 63-1.

[4] See page 133 of the Australian Government's First Stage Response to ALRC Report 108 available at http://www.dpmc.gov.au/privacy/reforms.cfm.