Most smartphones and tablets have a digital camera and can save and store thousands of images. Some mobile device applications (apps) have been developed to store and share patient photos.

A health service provider should be aware of their obligations under the Privacy Act 1988 when taking photos of patients and using photo-sharing apps.

Is the patient identifiable from the image?

Uploading a photograph would involve personal information under the Privacy Act if a patient is reasonably identifiable from that information. If the image includes health information about the person or is collected to provide a health service it is ‘sensitive information’ for the purposes of the Privacy Act and there are stricter requirements around its collection, use and disclosure.

De-identified information is not considered to be ‘personal information’ under the Privacy Act. An image can be de-identified by removing any information that might allow the individual to be identified, including rare characteristics or a combination of unique characteristics. This might include facial features and other distinctive physical details like a rare visible medical condition, physical marking or tattoo.

Many photo-sharing apps have a feature that allows a patient’s face or distinctive markings to be concealed. Before the image is used or disclosed, a health service provider should carefully consider whether this sufficiently de-identifies the patient. Even if a patient is not identifiable, it is good practice to obtain their consent before collecting, using or disclosing the image.

Has the patient provided consent?

A health service provider using devices to take images of patients involving personal information will usually need to ensure that they have the appropriate consent to collect and use or disclose the image.

There are limited exceptions to the need to obtain consent outlined in the Australian Privacy Principles, such as where there is a serious threat to life or health.

When seeking consent, a health service provider should make sure the patient has all the information they need to make an informed decision. This includes information about how the image might be used and disclosed in the future, which should be outlined in the app’s privacy policy.

Is the image kept secure?

A health service provider must take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Our Guide to Securing Personal Information gives more detail about what constitutes reasonable steps.

A health service provider who stores photos involving personal information on a mobile phone or tablet will need to make sure that their security settings are adequate to protect the information.

Images of patients showing medical conditions are likely to be highly sensitive and it could be difficult to control how images are used and disclosed once they are shared through an app. A health service provider should carefully consider whether they are able to maintain control of images, and review the app’s privacy policy, so they understand how the images will be used, disclosed and stored.

When disclosing to an overseas entity, health service providers also need to consider whether they comply with the requirements in Australian Privacy Principle 8 regarding cross-border disclosure.

For more information about personal information, sensitive information and consent, see the Australian Privacy Principles Guidelines.