Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Healthcare identifiers and privacy: Discussion paper on proposals for legislative support; Submission to the Australian Health Ministers’ Conference (August 2009)

Healthcare identifiers and privacy: Discussion paper on proposals for legislative support Submission to the Australian Health Ministers’ Conference August 2009

pdfsub_healthcare_identifiers_privacy

Submission to the Australian Health Ministers’ Conference
August 2009

 

Key recommendations

1. The Office welcomes the opportunity to provide a submission on the Healthcare identifiers and privacy: Discussion paper on proposals for legislative support.

Part A

2. In relation to Part A of the discussion paper, dealing with the Health Identifier (HI) Service and the issuing and use of health identifiers, the Office has made a number of key recommendations:

3. The enabling legislation for the HI Service should cover:

  1. provisions setting out the clearly defined healthcare-related purposes for which a provider can access the HI service to obtain an individual’s IHI and establishing that the IHI can only be accessed where the provider has a healthcare relationship with the individual
  2. prohibitions on use or disclosure of the IHI or associated personal information outside of the healthcare sector across all jurisdictions
  3. provisions which underpin the legislative status of participation agreements or provision for mandatory guidelines (see A.5.2 )
  4. requirements relating to independent auditing and mandatory reporting of breaches of HI Service policies
  5. sanctions and complaint mechanisms (including a right of recourse to a relevant statutory officer like the Privacy Commissioner for the private sector and Australian Government agencies where appropriate), and
  6. provisions to ensure that any future expansion of uses of the HI Service is subject to a Privacy Impact Assessment and parliamentary scrutiny.

4. Obligations additional to those contained in the privacy principles should be established through a second-tier legislative instrument such as mandatory guidelines, and cover, amongst other things secondary uses and data security.

5. Clarification may be required in relation to whether administrative staff of healthcare providers will be able to access information in the IHI and Healthcare Provider Individual Identifier (HPI-I) databases, and if so how their use of those databases will be audited.

6. All jurisdictions provide for a common set of legislated obligations in relation to the collection and handling of health identifiers prior to the introduction of a wider common health privacy framework.


Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, all private sector health service providers and some small businesses.

Preliminary

2. The Office welcomes the opportunity to provide a submission on the Healthcare identifiers and privacy: Discussion paper on proposals for legislative support (the ‘discussion paper’) . [1]

3. The discussion paper outlines and seeks comment on legislative proposals on two health information privacy issues:

  • a proposed legislative framework to support the establishment and implementation of a national Health Identifier (HI) Service
  • proposed arrangements for national regulation of the privacy of health information.

4. The Office understands that the principle policy objective underpinning the HI Service is to enable accurate identification of healthcare consumers and providers in healthcare settings, to enable reliable communication between healthcare individuals and providers. [2]

5. The Office has previously acknowledged the potentially important role of a unique identifier specifically for the health sector. For example, in its submission to the Australian Law Reform Commission’s Review of Privacy (‘the ALRC Inquiry’) [3] , the Office specifically noted that health care may be one context in which a unique identifier could offer important benefits. [4]

6. This submission discusses a number of key privacy issues in relation to healthcare identifiers, sets out a framework that the Office considers helpful when considering privacy protections for major new government initiatives handling personal information, and then follows the structure of the discussion paper.

7. The Office believes that the framework for the HI Service outlined in the discussion paper raises two main privacy issues: the potential privacy risks in relation to the HI Service database and the risks associated with linking data using IHIs.

The Health Identifier Service database

8. A key element of the proposal is for an HI Service Operator to assign the identifiers and maintain the databases managing the creation and distribution of the identifiers.

9. As we understand it, initially the HI Service will use Medicare Australia’s existing Consumer Directory Maintenance System (CDMS) database to create and store the IHI for each Australian and all foreign residents who obtain healthcare. Separately, the HI Service will maintain databases for all those who provide healthcare. [5] As we understand it, the CDMS database only holds demographic information about individuals, for example, names, dates of birth, gender and addresses, and no direct information about Medical Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) claims.

10. The Office notes that the incorporation of the IHI into the CDMS database will provide a new functionality separate from the existing Medicare functions managed by that database. [6] This raises several privacy issues that may have implications for Medicare business processes. It will be important that the system design of the added functionality and the business processes within Medicare for the HI Service appropriately separate these functions. An example of why this is important is that some individuals who do not presently use the Medicare system will now be included in Medicare’s CDMS database. It may be that these individuals do not need to or do not wish to use Medicare’s services and therefore it is important that the separation of business processes between the HI Service and other Medicare functions managed through the CDMS is clear.

11. While other large databases exist in Australia, such as those maintained by Medicare Australia and by the Australian Taxation Office, a very large number of users will interact with this repository whose access thus needs to be carefully handled with adequate legislative protections to minimise any potential for misuse.

12. This would appear to potentially create a gap in the protections available should access to the database be misused or abused. Any such misuse could harm the interests of healthcare consumers, and ultimately risk undermining trust and confidence both in the HI system and the health system more generally. In regard to privacy protections, users will interact with the database from all Australian jurisdictions, some of which currently have no privacy legislation in relation to their public sectors.

Linking of data using IHIs

13. The Office has noted previously that any unique personal identifier, especially where widely held in the community, can potentially raise significant privacy risks regarding linking of data and data-matching.

14. In its recent submission to the ALRC Inquiry, the Office has discussed these potential risks in detail. [7] The Office noted that, in most cases, data-matching or linking is extremely labour intensive, time consuming and costly. It requires specialist skills to undertake large-scale data-matching of disparate data sets not designed to be interlinked. Issuing each individual a unique identifier common across the range of systems is often the most efficient way to facilitate the linking of personal information in different databases.

15. However, enabling such easy and accurate linking off data could create an environment in which linking might be done excessively and sometimes without adequate justification. Such linkages may combine personal information that has been collected for different purposes and create data sets about individuals' interactions in society without the individuals’ knowledge or consent.

16. In its submission to the ALRC Inquiry, the Office commented on this issue in the context of an Individual Health Identifier. While noting the potentially important role of a unique identifier in the health context, the Office submitted that:

…the challenge is to ensure that such a highly reliable identifier is not usurped for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined. [8]

17. A Canadian Parliamentary Inquiry provides a cautionary example of this type of ‘function creep’ which was experienced in relation to Canada’s Social Insurance Number:

Mistakenly, the private sector began to look upon the SIN as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system. [9]

18. It is to address such risks that the Australian Parliament enacted restrictions on the use of individuals’ Tax File Numbers in the 1980s. Similarly, the policy intent of the restrictions relating to adoption of any Australian Government identifier in National Privacy Principle 7 is to respond to the potential of such identifiers becoming widely adopted.

19. It is to protect against such a potential in relation to the IHI that the Office has recommended a range of protections in this submission.

Necessity for a comprehensive privacy framework

20. The Office considers that a comprehensive framework for privacy protection for major new government initiatives that relate to the handling of personal information should be based on four key elements. These elements can be expressed as:

Design + Technology + Legislation + Oversight

21. These elements can be explained as:

  • Fundamental system design , including system architecture and the parameters governing what information is collected, information flows and consent mechanisms
  • Technological measures , including, but not limited to, data security initiatives
  • Legislative measures , including defining the extent of the functions of the HI system, proscribing purposes that fall outside those functions, and introducing sanctions for misusing any aspect of the HI system, and
  • Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

22. This submission will draw on this framework in responding to the issues raised by the discussion paper.

23. The Office also generally recommends that agencies and organisations undertake privacy impact assessments (PIAs) when planning new initiatives that may involve the handling of personal information. The Office views a PIA as an iterative process during the life of a project from initial conception to implementation and review. The Office understands that several such assessments have been undertaken by NEHTA in relation to health identifiers, with another iteration currently being progressed.

24. The Office encourages agencies and organisations to publish PIA findings at an appropriate stage of the project noting that some aspects may be commercially sensitive or have national security or law enforcement sensitivities that would need to be taken into account in any publication process.

25. However, publication should not be the primary goal of undertaking a PIA, rather the process itself assists agencies and organisations to manage privacy impacts by providing a thorough analysis of the effect of the project on individual privacy and helping to find potential solutions. The elements that make up a PIA (including identification, analysis and management of privacy impacts) help agencies and organisations to drive good privacy practice and underpin good public policy in their projects. In many cases, a PIA can help to make a significant difference to the privacy impact of the project whilst still achieving the project’s goals. [10]

Part A

A.3.1 Key design and implementation features of IHIs

26. In considering the proposed design of the HI system, it is important to keep in mind that the health identifiers are the building blocks for shared electronic health records. The structure of the HI system will influence how the national shared electronic health record system will operate. It is therefore necessary to be clear about the defined purposes for which the IHI can be accessed and used.

27. The Office notes that the Council of Australian Governments (COAG) has agreed to the assignment of an IHI as a universal identifier. An IHI will be created for all individuals who receive healthcare and will automatically be allocated to everyone who is currently enrolled with Medicare Australia. The creation of IHIs will be authorised by legislation and individual consent will not be sought for their creation. [11]

28. The discussion paper states that use of the IHI will not be a requirement to receive health services. [12] However, it is not clear how an individual will be able to exercise the option not to use their IHI. The Office understands that any provider with a Healthcare Provider Individual Identifier (HPI-I) and/or a Health Provider Organisation Identifier (HPI-O) will be able to obtain an individual’s IHI from the HI Service without the consent of the individual to whom the IHI has been assigned (if they have the required individual’s demographic information). Potentially, this could occur after treatment (when the individual is no longer present).

29. Further, as the Office understands it, potentially, a provider will be able to obtain an individual’s IHI from the HI Service in circumstances where they do not have a current or active healthcare relationship with the individual. For example, a hospital or medical practice may make a request of the HI Service for the IHI of all current and former patients.

30. The Privacy Act provides that where possible individuals should have control over their personal information, particularly in a health context. As the Council of Australian Governments (COAG) has decided that the IHI will be universally available to all health providers with an HPI-I or HPI-O, the Office considers that there should be specific limits on the purposes for which the provider can seek to access an IHI. The Office suggests the enabling legislation should provide that the IHI can only be accessed for clearly defined purposes relating to the provision of health care and where the provider has a healthcarerelationship with the individual. This will assist in establishing trust in the community that the HI system will be used for appropriate purposes.

31. The Office would welcome clarification of whether there will be any constraints on the circumstances in which a provider (who has the minimum demographic information required to search the database) will be able to access an individual’s IHI. For example, will a provider be able to access an individual’s IHI in situations where they do not have an active healthcare relationship with the individual and have not seen the person for a number of years?

32. The Office is also aware that many individuals may be particularly concerned about specific health information that they consider more highly sensitive and want to have tighter control over the use and disclosure of that information. The Office would welcome clarification on what options the individual may have in relation to how they can exercise control over whether or not their IHI is connected to that specific information.

A.5 Proposed legislative support

33. The Office welcomes the intention expressed in the discussion paper to introduce legislation containing specific provisions, including sanctions and remedies, governing the HI Service. [13] Gaining public trust and confidence in the HI system is vital to its success. Specific legislation to regulate the system is an important element in establishing and maintaining that confidence in the long term.

34. Dedicated legislation is also important to address the need for consistency of privacy protections. As the discussion paper acknowledges, Australia currently has an array of health privacy regulation across the nine jurisdictions. [14] Most jurisdictions have their own legislation or administrative policy arrangements applying to their public sectors and in some cases health privacy regulation purporting to apply to the private sector alongside the Privacy Act. Two states have no specific privacy legislation in relation to their public sector. [15]

35. Given the lack of uniform privacy regulation it is important that national projects involving personal information or potentially sensitive information of all Australians, such as the HI Service, have dedicated, project-specific legislation ensuring that consistent privacy protections apply regardless of jurisdiction.

36. As the Privacy Act is principle-based and technology neutral, on occasion additional privacy protections are warranted and necessary to regulate large-scale initiatives that involve the handling of personal information in new ways, such as with the Tax File Number, credit reporting information and MBS and PBS claims information. [16] The Office believes that the HI Service is one of these comparatively infrequent national initiatives requiring specific additional privacy regulation.

37. This is consistent with the ALRC’s view that legislation relating to shared electronic health systems ‘should deal with those issues that fall outside existing privacy regulation and provide more stringent rules where necessary’. [17]

38. In the Office’s view, specific legislation for the HI Service should contain:

  • provisions setting out the clearly defined healthcare-related purposes for which a provider can access the HI service to obtain an individual’s IHI and establishing that the IHI can only be accessed where the provider has a healthcare relationship with the individual
  • prohibitions on use or disclosure of the IHI or associated personal information outside of the healthcare sector across all jurisdictions
  • provisions which underpin the legislative status of participation agreements or provision for mandatory guidelines (see A.5.2 )
  • requirements relating to independent auditing and mandatory reporting of breaches of HI Service policies
  • sanctions and complaint mechanisms (including a right of recourse to a relevant statutory officer like the Privacy Commissioner for the private sector and Australian Government agencies where appropriate), and
  • provisions to ensure that any future expansion of uses of the HI Service is subject to a Privacy Impact Assessment and parliamentary scrutiny.

39. The Office would welcome the opportunity to comment upon draft legislation.

A.5.1 Health Identifier Service Operator

40. The Office understands that Medicare Australia will be the initial HI Service Operator, and that this decision will be reviewed by Health Ministers once the HI Service is fully operational and to take account of further national e-health developments.

41. The Office agrees that ‘to ensure sufficient protections and public confidence in the HI Service’ the operation of the Service should be undertaken under statutory arrangements that provide a similar level of accountability and scrutiny as apply to Medicare Australia. [18]

42. In relation to whether the functions to be conferred on the Medicare CEO are sufficient (question 1) [19] , the Office considers that the functions to be conferred on the CEO could also include power to conduct proactive audits of access to and use of the identifiers and associated personal information. Proposal 1 set out the functions to be conferred on the Medicare CEO as:

  • assigning, collecting and maintaining identifiers to individuals, individual healthcare providers and organisations including by using information it already holds for existing purposes
  • developing and maintaining mechanisms for users to access their own records and correct or update details
  • collecting information from individual and other data sources
  • use and disclosure of these identifiers and associated data, including personal information, for the purposes of operating the HI Service. [20]

A.5.2 Regulatory support for activities to be undertaken by the HI Service Operator and health sector participants

A.5.2.1 Application of general privacy and other laws

43. Question 2 asks whether regulation of the handling of healthcare identifiers by public and private health sector organisations through existing privacy and health information laws, with some additional regulatory support through specific enabling legislation for healthcare identifiers, raises significant issues. [21] In the Office’s view, the enabling legislation may need to contain provisions, which add to those provided in the privacy principles in some areas.

44. The discussion paper suggests that additional obligations might be set out in participation agreements. [22] The Office is unsure about the mechanism by which the status of such agreements would be underpinned by law, and would welcome clarification on this matter.

45. The Office suggests that, alternatively, consideration could be given to establishing additional obligations through mandatory guidelines. The guidelines could be a legislative instrument under the Privacy Act, breach of which could result in a complaint to the Privacy Commissioner for those areas where the Privacy Commissioner has jurisdiction.

46. The Office suggests that the mandatory guidelines or participation agreements should cover, amongst other things, privacy issues relating to secondary uses and data security.

47. Question 3 asks whether there are circumstances where penalties for misuse of a healthcare identifier and associated information held by a healthcare provider could be inadequate. [23] The Office considers that civil penalties are appropriate in circumstances where there is a breach of the legislation or rules relating to identifiers, based on intentional or reckless behaviour.

48. Section A.5.2 discusses the extent to which additional legislative support is required beyond that provided through existing health privacy laws and administrative arrangements in relation to each of the privacy principles. The Office notes that similar questions are asked in relation to each principle. The Office makes a number of specific comments below in relation to collection, use and disclosure, data quality, data security, identifiers and anonymity.

49. In relation to the remaining principles (openness, access and correction, and trans-border data flows), the Office agrees in principle that these principles should be regulated through existing health privacy laws and administrative arrangements. However, as discussed in sections A.6.2.3 and A.7, currently there are no specific legislative privacy protections for health information in the public sectors of two states (Western Australian and South Australia). The Office would welcome clarification of how this gap in privacy protections will be addressed.

A.5.2.2 Definitions

50. Proposal 3 provides for the inclusion of definitions of healthcare service and healthcare service provider in the legislation. [24] The Office agrees that it is appropriate that definitions of health service contained in privacy law be adopted (see comments on proposal 24 re definitions in Part B 1.5). It will also be important to ensure that the definitions remain consistent with the Privacy Act if it is amended as a result of the Australian Government’s response to ALRC Report 108.

A.5.2.3 Collection

51. Proposal 2 states:

Where an IHI or HPI-I is associated with health information about an individual, the collection, use and disclosure of an IHI or an HPI-I will be subject to the privacy and health information laws applicable to that health information. Misuses of an IHI or HPI-I by a healthcare provider will be able to be pursued as a breach of privacy in jurisdictions with privacy laws or will be subject to other penalties set out in relevant health records or health service legislation. [25]

52. The Office understands that in the majority of cases IHI numbers will be created using records containing demographic data held within Medicare Australia’s Consumer Directory Maintenance System (CDMS) without having to re-collect this demographic information or collect additional information from individuals. Collection of personal information to assign an IHI to an individual will only need to occur in limited circumstances where an individual’s personal information is not available from Medicare Australia’s CDMS (for example, because the individual is not enrolled in Medicare).

53. The Privacy Act generally requires agencies and organisations to inform individuals of certain matters, including how the information may be used or disclosed, at the time information is first collected. This requirement does not seem to be addressed in the discussion paper. However, the Office understands that Medicare Australia will be reviewing the notice that it provides to consumers to ensure that it continues to meet the requirements of IPP 2.

54. The discussion paper considers the collection principle in relation to the assignment of IHIs by Medicare Australia. However, the Office notes that when a provider obtains and records an individual’s IHI this will also constitute a collection of personal information.

55. Private sector providers will therefore need to ensure that they meet the requirements of National Privacy Principle 1. In particular, under NPP1.5, generally, organisations that collect personal information about an individual from someone other than the individual must take reasonable steps to ensure that the individual is or has been made aware of certain matters. [26] These matters include:

  • the identity of the organisation and how to contact it
  • the fact that he or she is able to gain access to the information
  • the purposes for which the information is collected
  • the organisations (or the types of organisations) to which the organisation usually discloses information of that kind
  • any law that requires the particular information to be collected.

56. The aim of NPP 1.5 is to ensure that an individual knows what happens to information about them regardless of whether the information is collected directly or indirectly. Where personal information is collected without consent, the NPPs still require reasonable steps to be taken to inform individuals that their personal information (in this case the IHI) has been collected and also how this personal information is to be handled. The Office believes this could be achieved through amendment to the general privacy notice that providers already provide to patients.

57. As well, the Office considers that if a state or territory does not have a current requirement to provide notice of collection then they could specifically adopt a provision in their legislative of administrative arrangements to require that a health provider within their jurisdiction (that is, public hospitals and other state public health services) gives notice of the matters covered in NPP1.5. This measure would ensure consistent requirements apply across jurisdictions until such time as there is a national health regulation framework.

A.5.2.4 Use and disclosure

58. The Office agrees with the requirements set out in proposal 4, that, ‘The HI Service Operator will only disclose an individual’s IHI and the minimum personal information required to identify an individual to an authorised healthcare provider. Requests for an IHI must be supported by a minimum set of personal information.’ [27]

59. Proposal 5 envisages that healthcare providers will be authorised to use or disclose an individual’s name, date of birth, sex and address details in order to request an IHI from the HI Service Operator. [28] The Office understands that health care providers will only need to use or disclose gender and address details in cases where an exact match cannot be obtained using the individual’s name and date of birth. Further, the HI Service Operator will not disclose these details in response to a request from a healthcare provider. The Office welcomes these measures as an important safeguard for data security and privacy.

60. The Office supports the intent of proposal 6, that is, that the HI Service Operator will disclose information held in the Service only to authorised users; and that the term ‘authorised user’ will be defined in the legislation. [29] The Office would welcome clarification of the scope of ‘authorised users’, particularly in relation to whether administrative staff of healthcare service providers will be able to search for an IHI or HPI-I (see A.5.2.6). It is important that the auditing process to determine who has actually accessed the service can adequately identify the actual individual who has performed the search. It is highly unlikely that a provider themselves will undertake the administrative work associated with accessing the HI Service, but rather that their administrative staff will be tasked with that responsibility.

61. The Office supports proposal 8, that secrecy provisions similar to those set out in the Health Insurance Act or the National Health Act would apply to the disclosure of information by staff undertaking the HI Service Operator function.

Secondary uses

62. The paper envisages that secondary uses and disclosures of HI Service information will be regulated by existing Commonwealth, state and territory health information regulations or administrative arrangements (proposal 9). [30]

63. As noted in section A.5, the Office considers that the enabling legislation for the HI Service should clearly prohibit secondary uses outside of the healthcare sector in all jurisdictions. As well, the Office’s view is that, since the IHI constitutes personal information, use of IHIs in health related research should comply with the existing guidelines under section 95 and section 95A of the Privacy Act (for entities falling within the Privacy Commissioner’s jurisdiction). The Office submits that further consideration could be given to the regulation of use of IHIs in health related research in the states and Northern Territory public sectors.

64. As discussed in section A.5.2.1, the Office submits that additional obligations relating to secondary uses (for health related purposes) should be established through a legislative instrument or through mandatory guidelines or legislatively supported participation agreements.

65. Mandatory guidelines or legislatively supported participation agreements could provide more detailed guidance on permitted secondary uses within the healthcare sector. The Office considers that it will be important to provide practitioners and consumers with greater certainty in relation to the scope of permitted secondary uses of their personal information in relation to use of health identifiers.

A.5.2.5 Data quality

66. The Office understands that IHIs will be added to Medicare Australia’s CDMS. The paper states ‘IHI numbers created using Medicare’s CDMS data will be deemed verified at the point of creation, providing data quality for the IHI.’ [31]

67. The Office notes the findings of a 2004 audit of Medicare enrolment data (following migration of this data to the CDMS) which found that ‘…the database is sufficiently complete, accurate and current to support the effective administration of Medicare’. [32] However, the audit also found that some significant inaccuracies, particularly in fields containing various dates. The audit found that up to half a million active Medicare enrolment records were probably for people who were deceased. The Office understands that considerable work has been undertaken by Medicare Australia since that audit to rectify this situation. However, the Office suggests that data cleansing (to remove or correct data that is incorrect or out-of-date) should be a significant element of the data quality framework for the IHI service. The Office encourages all agencies taking actions that might involve data-matching to follow the Office’s voluntary data-matching guidelines. [33]

A.5.2.6 Data security

68. Proposal 11 provides for ‘existing Commonwealth, state and territory health information regulation and administrative arrangements’ to apply in regard to data security’. [34] In relation to the data security principle (National Privacy Principle 4) the Office holds the view that the ‘reasonable steps’ required by organisations in relation to the security of health information should be additional to those that are reasonable for less sensitive forms of personal information. [35]

69. As noted in section A.5.2.1, the Office considers it appropriate that additional obligations relating to data security be established through mandatory guidelines or participation agreements (underpinned by law).

70. While security principles in the Privacy Act offer general protection against misuse, loss and unauthorised access, modification and disclosure, the specific information technology and architecture of the HI system may warrant specific and high level security protections and standards.

71. The discussion paper envisages that the HI Service will have a system log that stores all transactions and access attempts in relation to the IHI or HPI-I, and that mechanisms will be established to allow individuals access to relevant details in relation to their own personal information on the system log. [36]

72. Auditing staff access is a key accountability measure and safeguard, to ensure the HI Service is being used appropriately, and to enable deterrence and detection of breaches of HI Service policies. The Office welcomes the commitment to provide individuals with the ability to monitor access to relevant system log records. This measure is important in increasing transparency, and may help allay consumer fears and engender confidence in the HI system.

73. The discussion paper appears to envisage that only health practitioners who are issued with a HPI-I will be able to search for an IHI or HPI. [37] However, the NEHTA Blueprint on Unique Health Identifiers notes that administrative staff are likely to make use of the health identifier service as part of their employment. [38] Further, as noted above, in the Office’s view it is likely that a provider’s administrative staff will undertake the work associated with accessing the HI Service and obtaining IHIs, rather than providers themselves.

74. The Office has previously expressed concern that the inability to specifically identify individual non-health care providers (such as administrative staff) may reduce the value of system logs and auditing as an oversight mechanism. The Office would welcome clarification of how this issue will be addressed. [39]

75. Additionally, the Office notes that system logs and auditing are a mechanism for reviewing events that have already taken place. While they may provide a useful deterrent effect and may hold individuals accountable for the misuse of personal information, auditing and monitoring needs to be undertaken in conjunction with proactive privacy protection measures, including system design and technology measures.

A.5.2.9 Identifiers

76. Proposal 14 states:

It is proposed that Commonwealth legislation provide that NPP 7 does not apply to the adoption, use and disclosure of the IHI or the HPI-I by private sector healthcare provider organisations for the purposes of accurately and uniquely identifying individuals and individual healthcare providers respectively for health information management and to enable communication between individuals, healthcare providers and provider organisations.

Proposal 15 states:

It is proposed that Commonwealth legislation will provide that NPP7 does not apply to the use and disclosure of Medicare numbers to Medicare Australia by private sector healthcare provider organisations for the purposes of the retrieval of individual identifiers.

77. In relation to whether these proposals raise any significant issues in relation to the handling of identifiers (question 17) [40] , the Office agrees that suspension of NPP 7 for private health sector organisations in relation to the handling of the IHI and HPI-I is the only practical approach, noting that the proposal should be clearly limited to healthcare service provision. However, the Office further notes that NPP7 protections do not apply to state (and the Northern Territory) governments given that they are not covered by the Privacy Act. In the light of the significant role of state and territory governments in delivering health care in Australia, the IHI could become widely adopted by state (and the Northern Territory) agencies without being subject to appropriate regulation.

78. The Office suggests that restrictions on use of IHI and HPI-I identifiers outside healthcare settings should apply in all jurisdictions. This may have to be achieved through specific legislation enacted in each jurisdiction.

A.5.2.10 Anonymity

79. The paper states that the introduction of IHIs will not affect the ability of individuals to conduct health-related transactions with organisations and agencies anonymously where this is lawful and practical. [41] Although it appears from the statements in the discussion paper that it is theoretically true that individuals can choose to interact anonymously in a healthcare setting (by not using their IHI), in the Office’s view, this option may not be practicable for individuals, particularly once the identifier is linked to an individual’s health information by a provider.

80. The paper indicates that vulnerable individuals (such as victims of domestic violence) will be able to request that a pseudonym is used in conjunction with their IHI. In general, the Office supports the policy intent of providing consumers the option of using a pseudonym.

81. However, the Office is not entirely clear as to how the allocation and use of pseudonyms will work in practice. The Office would welcome clarification on this matter including:

  • is the use of a pseudonym intended to protect an individual’s identity from being known by a health practitioner and/or by staff of the HI Service Operator?
  • whether this feature will be available to any person enrolled in the HI Service, and if not, what criteria would determine entitlement?
  • what process would individuals have to complete in order to use this feature?

A.6 Governance arrangements

A.6.2.1 Strategic oversight

82. The Office notes that overall responsibility for the HI Service will rest with a Ministerial Council of Health Ministers, and that strategic oversight will be provided through meetings of the Australian Health Minister’s Conference (AHMC).

83. The Office agrees that the role of the Ministerial Council should be set out in an intergovernmental agreement, with key elements established in legislation, including any processes for future consideration by the Ministerial Council about the operation or expansion of functions of the HI Service (proposal 18). [42]

84. The Office agrees with proposal 19 that:

  • a process should be established for controlling the expansion of the future uses of the HI Service
  • guidelines for the steps to be taken should be set out in the enabling legislation and
  • the process should include a requirement for the Minister responsible for the legislation to determine future operation or expansion of the service subject to a Privacy Impact Assessment and with the agreement of all state and territory Health Ministers. [43]

However, in the Office’s view, any proposal for expansion of the uses of the HI Service should also be subject to parliamentary scrutiny.

85. To maximise community confidence in the HI Service, a process could be established to manage potential suggestions for future uses of the HI Service that is transparent, widely consultative and supported by legislation.

A.6.2.2 Management and operation

Participation agreements

86. The paper suggests that as part of operating the HI Service, participation agreements may be put in place between healthcare provider organisations and the HI Service Operator.

87. As discussed in section A.5.2.1, the Office is unsure about the mechanism by which the status of such agreements would be underpinned by law, and would welcome clarification on this matter.

88. The Office suggests that alternatively, consideration could be given to establishing additional obligations through mandatory guidelines. The Office suggests that the guidelines could be a legislative instrument under the Privacy Act, breach of which could result in a complaint to the Privacy Commissioner for those providers that are subject to the Privacy Act already (see A.5.2.1).

A.6.2.3 Independent regulation

89. Proposal 21 envisages that existing Commonwealth, state and territory privacy and/or health information regulatory arrangements will apply. [44] That is, in line with current responsibilities:

  • the Commonwealth Privacy Commissioner will provide independent oversight of the operation of the HI Service by the HI Service Operator and how healthcare identifiers are handled by private sector healthcare providers
  • existing state and territory health services or information regulators will have responsibilities in relation to how healthcare identifiers are used and disclosed within State/Territory public sector health services.

90. This proposal accords with the Office’s previously expressed view that external regulatory and complaint handling bodies should be mandated to investigate complaints and conduct (independent) audits to the extent that their jurisdiction provides. [45] Accordingly, the Office should retain jurisdiction for privacy complaints emerging from the HI service to the extent such matters fall within its jursidiction. To do otherwise could increase regulatory complexity, in that complaints relating to the private health sector would be investigated by different regulators depending on whether or not they occurred in a HI Service context.

91. In relation to independent audits, the Office has power to audit the compliance of Commonwealth and ACT government agencies with the Information Privacy Principles, but does not have general power to audit the privacy compliance of private sector organisations. [46] The ALRC has proposed that the Office should have power to conduct ‘privacy performance assessments’ of records kept by private sector organisations and the Government is currently considering this in relation to the ALRC report. [47] This matter may need further consideration in relation to the HI Service which may commence before the Government’s response to ALRC Report 108 is legislated.

92. In relation to state and territory jurisdictions, as the discussion paper outlines, privacy regulatory schemes vary significantly between states and territories. [48] These arrangements include the rules which apply, and also the powers available to regulatory bodies to investigate and resolve complaints and provide remedies, some of which may offer consumers varying protections depending on which jurisdiction covers the healthcare provider involved. In the absence of uniform complaint handling mechanisms, consumers should be informed that protections they are afforded may vary between jurisdictions.

A.7 Other issues

A.7.1 Implementation and transition arrangements

93. The Office understands that it is anticipated that enabling legislation for the HI Service will be introduced in early 2010, and subject to passage through Parliament, will be in place by mid 2010.

94. The discussion paper acknowledges that ‘Ideally, to support the use of healthcare identifiers by healthcare organisations on a national basis, common health privacy arrangements would be established by all jurisdictions as part of a national privacy framework.’ [49]

95. The discussion paper goes on to state that:

Until revised privacy arrangements are implemented it is proposed that existing health information regulation and administrative arrangements in all jurisdictions will apply to the handling of healthcare identifiers in addition to specific Commonwealth legislative proposals. Commonwealth privacy law will apply to private sector healthcare organisations. To ensure the HI Service can operate as intended within public health systems there may also be a need for some amendment to state and territory legislation. [50]

96. As noted above, there are a range of different legislative and administrative arrangements in place to regulate privacy and handling of health information across jurisdictions. Currently, there are no legislative privacy protections for health information in two states although South Australia and Western Australia have administrative instructions in relation to the handling of personal information.

97. The Office has suggested some matters specifically dealing with the collection and use of health identifiers that may be included in state legislation above. Given that there is no firm timetable for the introduction of a common health privacy framework across all jurisdictions the Office would encourage jurisdictions to provide for a common set of legislated obligations in relation to the collection and handling of health identifiers in the meantime.

Testing of the system

98. The paper notes that before the HI Service is fully implemented, NEHTA and Medicare Australia may need to undertake testing and evaluation of the service. The Office agrees with the proposal in the discussion paper that any testing or evaluation of the HI Service by Medicare Australia prior to introduction of enabling legislation should only be undertaken if it is authorised under a Ministerial Directive issues by the relevant Minister/s.


Part B

99. The Office notes that a number of the proposals in Part B raise issues already canvassed through the Australian Law Reform Commission’s (ALRC) review of the Privacy Act. The Office’s considered position on some of these matters is available on the Office’s website. However, for ease of reference, summaries of the Office’s views are stated against each proposal. [51] The Office has also commented on the matters of detail not previous dealt with through the ALRC inquiry.

B.1.3 Administration

Proposal 22 : National legislation include requirements such as: conciliation being a critical element in the approach to resolving complaints; an independent administrative or judicial mechanism; the length of time consumers have to lodge a complaint; powers of regulators; and sanctions for breaches of the law by agencies or organisations.

Guidelines including minimum standards be developed and agreed to by regulators to ensure that there is a consensus in the way in which privacy laws are to be applied across Australia.

Jurisdictional regulators be empowered to jointly determine a common approach to applying these minimum standards.

100. The Office supports the ALRC recommendations that the Privacy Commissioner have an express power to conciliate and that Administrative Appeals Tribunal merits review be available. [52]

101. In relation to the requirement for a length of time to lodge a complaint the Office notes that the Privacy Act currently provides the Privacy Commissioner with a discretion not to investigate a complaint where the complaint is made more than 12 months after the complainant became aware of the act or practice (which they assert breached their privacy). [53]

102. The Office agrees that state and territory privacy legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in that state or territories’ public sector. [54] The Office has also supported civil penalties in the Privacy Act. [55]

103. Regarding the issue of guidelines / minimum standards to be adopted by privacy regulators, the Office notes that these would need to be consistent with legislative requirements. In addition the Office believes that discussion among regulators about their approach to similar matters is a positive and productive exercise. The Office notes that common approaches could be discussed at the Privacy Authorities Australia forum. [56]

B.1.4 Coverage

Proposal 23 : Health information of deceased individuals should be subject to the same protection as other personal information about deceased persons whether this is through privacy law or other arrangements.

104. The Office supports an amendment to the Privacy Act to extend some privacy protections to the health information of people after their death. [57] The Office considers that the provisions relating to protection of deceased persons’ health information should include collection, in particular, those relating to collection for a purpose that is necessary for an organisation’s functions, and to lawful and fair collection. The Office also suggests that the organisation’s notice obligations could be directed to an authorised representative (such as an executor) of the deceased individual.

105. The Office also supports use and disclosure protections for the health information of a deceased individual, in particular, that ‘consent’ could remain a valid exception under a use or disclosure principle, to be exercised by an authorised representative of the deceased individual.

106. The Office has not supported creating a separate privacy related ‘access’ right to the personal information of deceased individuals. Under the current privacy principle regimes, ‘access’ is a concept widely understood and familiar to agencies and organisations as an action specific to the person who is the subject of the personal information.

107. Further, ‘access’ is constructed under the Privacy Act to create a positive right for individuals to know what information is held about them by organisations and agencies. Organisations and agencies may only deny it where such denial is specifically permitted by prescribed exceptions. This can be contrasted, for example, with the ‘use and disclosure’ principle which creates discretions for parties to use or disclose the information.

108. Accordingly, the provision of a deceased person’s information to a third party appears to sit more comfortably as an example of a ‘disclosure’, rather than the provision of ‘access’. Further, the Office submits that the mechanism should be discretionary and, therefore, fit neatly as an exception to the ‘disclosure’ principle. This discretionary disclosure of a deceased individual’s health information to a limited range of persons, such as relatives or persons ‘responsible’ for the individual (defined in NPPs 2.5 and 2.6)

B.1.5 Key definitions

Proposal 24 : Include a definition of ‘health service provider’ as ‘an organisation that provides a health service to the extent that it provides a health service’.

109. The Office submits that the intent of the proposed definition of health service provider is not clear. The definition has implications in relation to the range of entities that would be captured under the provision relating to collection of information necessary to provide a health service and regarding transfer of health records between health service providers The Office is concerned that the proposed definition may capture entities for which the proposed specific health privacy obligations may not be appropriate. For example, inclusion of this definition could mean that gyms would be obligated to transfer records in the event of a closure.

110. The Office suggests that consideration be given to allowing certain classes of organisations captured by the definition of ‘health service provider’ to be exempt from coverage. The Office would support dealing with the matter through legislative drafting. [58]

B.1.6 Unified Privacy Principles

Proposal 25 : Amendment of 2.5(c) to allow the collection of sensitive information where there is a serious threat to an individual’s welfare.

111. The Office did not support a similar proposal outlined in the ALRC’s Issues Paper 31. The Office submitted that the inclusion of ‘threat to any individual's welfare' would be difficult to define and would potentially significantly expand the current exceptions in the NPPs. [59]

112. As well, in response to a related suggestion in the ALRC’s Discussion Paper 72, the Office did not support a proposed exception permitting the collection of sensitive information in order to provide essential services to individuals incapable of giving consent. While the office recognised the difficulty of the situation it did not see that extending the current exemptions as a viable solution.

113. The Office found that it was difficult to forecast what unintended or undesirable consequences might arise from providing for a general exception in relatively vague terms such as these. The Office believes that this might lead to regulatory complexity and uncertainty due to difficulty in applying the exception consistently.

114. Instead the Office suggested that service providers consider applying for a Public Interest Determination as an interim measure to address the collection of sensitive information from persons lacking the capacity to give consent. The Office suggests that a public interest determination, if made, could be drafted more precisely than a general exception to the collection principle to ensure that its scope is more certain. Such precision allows for regulation that is narrow and focussed on addressing the specific matter at hand. [60]

Proposal 26 : Deletion or modification to 2.5(d) to exclude the right for non-profit organisations to collect health information about their members.

115. The Office understands that the proposed UPP 2.5(d) is intended to be interpreted narrowly with collection closely tied to an organisation’s purpose. The Office would support dealing with the matter through the legislative drafting process.

Proposal 27 : Amendment of 2.5(f) to provide that any guidance issued by the Privacy Commissioner in relation to the collection of sensitive information necessary for research purposes be required to be developed in conjunction with input from other appropriately qualified individuals or organisations in the field of research.

116. The Office considers that a single set of rules under the proposed exceptions to the Collection principle and the Use and Disclosure principle in the Unified Privacy Principles (UPPs) should replace the guidelines currently made under sections 95 and 95A of the Privacy Act.

117. The Office considers that the National Health and Medical Research Council would be best placed to develop and issue rules to replace the binding guidelines currently made under section 95 and 95A of the Privacy Act, possibly in conjunction with other bodies, and that the Privacy Commissioner should retain an approval and oversight role for the guidelines. [61]

Proposal 28 : Any rules or guidelines issued by the Privacy Commissioner in relation to the collection of identifying health information where it is necessary for the funding, management, planning, monitoring or evaluation of a health service be developed in conjunction with input from other appropriately qualified individuals or organisations in the health service management field.

118. The Office does not support amending the Privacy Act to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, improvement or evaluation of a health service.

119. Instead, the Office considers that existing requirements (for example, those for s 95A of the Privacy Act), which make provision for the Privacy Commissioner approve guidelines that are issued by the CEO of the NHMRC or a prescribed authority are more appropriate. [62]

Proposal 29 : Amendment of 5.1(c) to allow the use or disclosure of sensitive information where there is a serious threat to an individual’s welfare.

120. See the Office’s views in relation to Proposal 25.

Proposal 30 : Amendment of 5.1(f) to provide that any guidance issued by the Privacy Commissioner, in relation to the use or disclosure of sensitive information necessary for research purposes, be required to be developed in conjunction with input from other appropriately qualified individuals or organisations in the field of research.

121. See the Office’s views in relation to Proposal 27.

Proposal 31 : Rules or guidelines issued by the Privacy Commissioner in relation to the collection of identifying health information where it is necessary for the funding, management, planning, monitoring or evaluation of a health service be developed in conjunction with input from other appropriately qualified individuals or organisations in the health service management field.

122. See the Office’s views in relation to Proposal 28.

Proposal 32 : An exception is proposed to allow personal information to be used or disclosed by an agency or organisation where an individual is known or suspected to be missing or deceased, subject to this not being contrary to any wishes expressed by the individual before they went missing or became incapable of consenting, with disclosure limited to a law enforcement officer for the purposes of ascertaining the whereabouts of the person.

123. The Office did not support a similar proposal put forward by the ALRC. [63] However, if such a proposal were to proceed, the Office would suggest that clear guidelines about the circumstances in which this exception could be used be developed.

Proposal 33 : It is proposed that the definition of a ‘person responsible for an individual’ be altered to provide for:

  • any person who has a personal relationship with the individual rather than only a person who has an intimate relationship, or
  • a person who is responsible for providing support or care to the individual rather than only the person who is primarily responsible.

Guidelines could identify the grounds on which a personal relationship exists or that a person is responsible. These would include such things as whether there is a sufficient degree of intimacy or level of responsibility. Another alternative would be to set the list up as an inclusive rather than an exclusive list.

124. The Office is supportive of the policy intent of proposal 33 but considers that the current proposal may result in a broad interpretation of the definition of a ‘person responsible for an individual’.

125. The Office has some concerns about how the current proposal would work in practice since it may be difficult for a health service provider to verify the status of a person claiming to be the ‘person who is responsible for providing support or care to the individual’. For this reason, the Office supports the issuing of guidance to clarify the scope of the term and to assist in specifying the grounds on which a personal relationship exists or on which a person is responsible for an individual.

Proposal 34 : The consent of individuals is required to the use or disclosure of health information for direct marketing purposes.

126. The Office has previously supported an opt-out model in relation to direct marketing. [64] In relation to health information, however, the Office supports the requirement for express consent from individuals and an opt-in model with regard to use of individuals’ personal information for the purposes of direct marketing, for example, the use of prescription information.

Proposal 35 : Guidelines be developed by the Privacy Commissioner outlining key requirements for retaining health information (e.g. minimum retention periods and obligations owed by a healthcare provider to an individual where a healthcare service has been sold, amalgamated or closed).

127. The Office agrees that, if there were to be a Data Security Principle, it would be appropriate for it to provide guidance about when it is appropriate for an agency or organisation to destroy or render non-identifiable personal information that is no longer needed for a purpose permitted under the UPPs. [65]

128. The Office supports the proposal that the Privacy Act should provide that where a health service practice or business is sold, amalgamated or closed down and a health service provider will not be providing health services in the new practice or business, or the provider dies, the provider, or the legal representative of the provider, must take all reasonable and appropriate steps to:

  • make individual users of the health service aware of the sale, amalgamation or closure of the health service or the death of the health service provider and
  • inform them about proposed arrangements for the transfer or storage of individuals' health information. [66]

Proposal 36 : It is proposed that the exception from providing access to health information where providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations does not include negotiations about provision of health services.

129. The Office does not consider that the proposed change to NPP 6.1(f) is necessary. The Office considers that the current exceptions to NPP 6 are sufficiently comprehensive to address the issue raised in this proposal.

Proposal 37 : A note be inserted into the Access and Correction Principle explaining that nothing in the principle compels an organisation to refuse to provide an individual with access to his or her health information.

130. The Office considers that the exceptions to the proposed UPP 9 stand on their own, and accordingly, it does not support proposal 37. The Office considers it would be preferable to deal with this matter in guidance or, if considered necessary, in the Explanatory Material rather than by inclusion of a note to the privacy principle.

Proposal 38 : Guidelines be developed by the Privacy Commissioner that include detailed information about the process which should be followed to gain access to personal information, including guidance on requests for access, responses to those requests, how information is provided and fees.

131. The Office notes that a detailed Information Sheet is already available on the Office’s website about the matter referred to in Proposal 38. [67] The Office notes that it would review the guidance to take account of any legislative changes.

Proposal 39 : The identifier principle should permit the use or disclosure of information that includes an identifier for funding, management, planning, monitoring, improvement or evaluation of health services and for research purposes in the public interest subject to the same limits that apply to health information being used or disclosed for those purposes.

132. The Office would need further information on the extent of this exception to the identifier principle before being able to form a considered view on whether it is appropriate. However, the Office notes that in response to the ALRC Issues Paper 31 the Office recommended that the Privacy Act continue to ensure that unique multi-purpose identifiers are handled in ways that do not unreasonably intrude on the privacy of individuals. [68]

Proposal 40 : An agency or organisation should be allowed to use or disclose information outside Australia to lessen or prevent a serious risk to life, health, safety or welfare without continuing to be accountable for any misuse.

133. In its submission to the ALRC review, the Office supported the new transborder data requirement under the proposed UPP 11 that an agency or organisation continue to be liable for any breaches of the UPPs, because it considers that the provision will encourage organisations and agencies to enhance privacy protections for the information that they transfer overseas. [69] For this reason, the Office does not support proposal 40.



[2] Discussion paper, p27

[3] The ALRC inquiry culminated in Report 108 - For your information: Australian Privacy Law and Practice available at: www.austlii.edu.au/au/other/alrc/publications/reports/108/

[4] See, for examples, “Benefits of unique identifiers” in Chapter 12 of the Office’s submission to ALRC Issues Paper 31: www.privacy.gov.au/materials/types/submissions/view/6757#Privacy6 #Privacy6

[5] The IHI approximately 20 million and the HPI-I approximately 600,000. Australian Institute of Health and Welfare Australia’s Health 2008 , 24 June 2008, Table 8.23, cited in discussion paper, p 21

[6] The CDMS has several separate areas managing Medicare, the Australian Organ Donor Registry and the Australian Childhood Immunisation Registry

[7] See, Chapter 12 concerning ‘Unique Multipurpose identifiers’ of the Office’s submission to Issues Paper 31, available at: www.privacy.gov.au/materials/types/submissions/view/6757 #Privacy6

[8] See Chapter 12 paragraphs 15 and 16 of the Office’s submission to the ALRC Inquiry, available at www.privacy.gov.au/materials/types/submissions/view/6757 #Privacy6

[9] Report of the Standing Committee on Human Resources Development and the
Status of Persons with Disabilities, Beyond the numbers: the future of the social insurance number system in Canada (May 1999), available at www.parl.gc.ca/InfoComDoc/36/1/HRPD/Studies/Reports/hrpdrp04/09-part1-e.htm

[11] Australian Health Minister’s Conference Communique,13 July 2009, www.health.gov.au/internet/main/publishing.nsf/Content/pacd-ehealth-consultation

[12] Discussion paper, pp 2 and 18

[13] Discussion paper, p20

[14] Discussion paper, p23

[15] That is, Western Australia and South Australia, although South Australia has an administrative policy applying to its public sector

[16] These are afforded additional protections by, respectively, section 17 of the Privacy Act, Part IIIA of the Privacy Act, and section 135AA of the National Health Act 1953 .

[17] ALRC Report 108, For Your Information: Australian Privacy Law and Practice, www.austlii.edu.au/au/other/alrc/publications/reports/108/index.html

[18] Discussion paper, p21

[19] Discussion paper, p22

[20] Discussion paper, p22

[21] Discussion paper, p23

[22] Discussion paper, p38

[23] Discussion paper, p23

[24] Discussion paper, p24

[25] Discussion paper p 23

[26] Except to the extent that making the individual aware of the matters would constitute a serious threat to the life or health of an individual

[27] Discussion paper, p 30

[28] Discussion paper, p 32

[29] Discussion paper, p32

[30] Discussion paper, p32

[31] Discussion paper, p 31

[32] See paragraph 23, page 15, ANAO Audit Report No.24 2004-05 Integrity of Medicare Enrolment Data available at www.anao.gov.au/uploads/documents/2004-05_Audit_Report_24.pdf .

[34] Discussion paper, p33

[35] Guidelines on Privacy in the Private Health Sector, www.privacy.gov.au/materials/types/download/8675/6517

[36] Discussion paper, p32

[37] Discussion paper, p31

[38] NEHTA (2006) Privacy Blueprint – Unique Healthcare Identifiers, p25.

[39] Submission to NEHTA on the Unique Health Identifiers Blueprint, March 2007, available at: www.privacy.gov.au/index.php?option=com_icedoc&view=types&element=submissions&fullsummary=6752&Itemid=1021

[40] Discussion paper, p35

[41] Discussion paper, p35

[42] Discussion paper, p 37

[43] Discussion paper, p 37

[44] Discussion paper, p39

[45] Submission to NEHTA on the Unique Health Identifiers Blueprint, March 2007, available at: www.privacy.gov.au/index.php?option=com_icedoc&view=types&element=submissions&fullsummary=6752&Itemid=1021

[46] Organisations are subject to audit by the Privacy Commissioner under functions associated with the Tax File Number and credit reporting provisions

[47] ALRC Report 108, For Your Information: Australian Privacy Law and Practice www.austlii.edu.au/au/other/alrc/publications/reports/108/47.html#Heading320 #Heading320

[48] Discussion paper, p 41

[49] Discussion paper, p40

[50] Op cit.

[51] See, for example, Part H of the Office’s submission to Discussion Paper 72, at: www.privacy.gov.au/materials/types/download/9111/6748

[52] See the Office’s submission to ALRC Discussion Paper 72, Part F, proposal 45-5, 45-7

[53] Section 41(1)(c).

[54] See the Office’s submission to ALRC Discussion Paper 72, Part A, Proposal 4-4

[55] See Part F, proposal 46?2

[56] The Privacy Authorities Australia (PAA) forum was formed in 2008 as a way to share information between state and federal privacy authorities. The forum meets approximately twice a year.

[57] See the Office’s submissions to ALRC Issues Paper 31, Chapter 3, [56] – [63], and to ALRC Discussion Paper 71, Part A, proposal 3-11

[58] See, for example, the approach taken by other jurisdictions such as Victoria, whereby ‘health service provider’ means an organisation that provides a health service to the extent that it provides such a service, but the term does not encompass health service providers that are prescribed as exempt.

[59] See the Office’s submission to ALRC Issue Paper 31, Chapter 8, [187] – [189]

[60] See the Office submission to the ALRC Discussion Paper 72, Chapter 19 [15] – [28]

[61] See the Office’s submission to ALRC Discussion Paper, Part H, proposal 58-1, see also proposal 58-5

[62] See the Office’s submission to ALRC Discussion Paper 72, Part H, proposal 57-10, and the Office’s submission to ALRC Issues Paper 31, Chapter 56, available at www.privacy.gov.au/materials/types/download/9110/6757

[63] In some cases, such as where a missing person is known to suffer a life?threatening condition, or to lack capacity, an agency or organisation could form a reasonable belief that there is both a serious and imminent threat to their life or health. In other cases, however, there will not be any clear evidence for assuming that a missing person is at risk, for example, people may have legitimate reasons for choosing to dissociate themselves from family or friends. Such situations do not seem a matter for government regulation (Office submission to ALRC Discussion Paper 72, proposal 22-3, [37] – [41])

[64] See the Office’s submission to Discussion Paper 72, Part D, proposal 23-3, [15] – [16]

[65] See the Office’s submission to ALRC Discussion Paper 72, Part D, proposal 25-5

[66] See the Office’s submission to ALRC Discussion Paper 72, Part H, proposal 57-7

[68] See the Office submission to the ALRC Issues paper 31, Question 12-3

[69] See the Office’s submission to ALRC Discussion Paper 72, Part D, proposal 28-4