Most smartphones and tablets have a digital camera and can save and store thousands of images. Some mobile device applications (apps) have been developed to store and share patient photos.
A health service provider should be aware of their obligations under the Privacy Act 1988 (the Privacy Act) when taking photos of patients and using photo-sharing apps.
Is the patient identifiable from the image?
A photograph is personal information under the Privacy Act if the patient is reasonably identifiable from it, so uploading such a photograph is a collection, use or disclosure of personal information. If the image includes health information about the person, or is collected to provide a health service, it is ‘sensitive information’ for the purposes of the Privacy Act, and stricter requirements apply to its collection, use and disclosure.
De-identified information is not considered to be ‘personal information’ under the Privacy Act. An image can be de-identified by removing any information that might allow the individual to be identified, including rare characteristics or a combination of unique characteristics. This might include facial features and other distinctive physical details like a rare visible medical condition, physical marking or tattoo.
Many photo-sharing apps have a feature that allows a patient’s face or distinctive markings to be concealed. Before the image is used or disclosed, a health service provider should carefully consider whether this sufficiently de-identifies the patient. Even if a patient is not identifiable, it is good practice to obtain their consent before collecting, using or disclosing the image.
Has the patient provided consent?
A health service provider that uses a device to take images of patients containing personal information will usually need appropriate consent to collect the image and to use or disclose it.
There are limited exceptions to the requirement for consent, set out in the Australian Privacy Principles (APPs), such as where there is a serious threat to life or health.
Is the image kept secure?
A health service provider must take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Our Guide to Securing Personal Information gives more detail about what constitutes reasonable steps.
A health service provider who stores photos involving personal information on a mobile phone or tablet will need to make sure that the device and app security settings are adequate to protect the information, for example a device passcode and storage encryption, the ability to remotely wipe a lost or stolen device, limits on which apps can access stored photos, and control over whether photos are automatically backed up or synchronised to a cloud service, which may copy them to servers outside Australia.
When disclosing to an overseas entity, health service providers also need to consider whether they comply with the requirements in Australian Privacy Principle 8 regarding cross-border disclosure.