The Report, which was released in February 2023, recommends substantial changes to the Privacy Act 1988 (Cth) ("Act"). The recommendations, if adopted, would grant several rights to individuals whose data has been collected or is held by an entity to which the Australian Privacy Principles (“APP”) apply (“APP Entities”).
Given the significant number of data breaches which occur within the health sector and the sensitive nature of the information which health practices hold, it is crucial practices:
In this article, we have provided a brief summary of some of the key recommendations set out in the Report and what health practices may want to start to consider.
The Report proposes that a direct right of action be made available to individuals where a serious invasion of privacy has taken place. This proposal would grant individuals a greater scope to seek redress for interferences with their privacy and to seek remedies in courts. It is proposed that this right of action will only be made available to individuals who have suffered harm as a result of a breach. The Report also recommends the legislating of a statutory tort for serious invasions of privacy, to allow individuals to seek compensation for breaches of privacy which may otherwise fall outside the scope of the Act.
Currently, the Office of the Australian Information Commissioner (“OAIC”) bears sole responsibility for enforcing and investigating breaches of the Act, with individuals who suffer because of any breach unable to personally seek remedies, or to commence any action against the responsible entity.
It is therefore likely that the adoption of this change would expose health practices, to a greater level of risk in relation to any privacy breaches, particularly in circumstances where a patient may feel particularly strongly that their privacy has been breached.
The Report recommends that individuals be granted a right to challenge whether an entity’s handling of personal information complies with the Act. If this amendment was implemented, individuals would be able to question or challenge how an organisation handles their personal information, and organisations would be required to provide justifications for their practices. Individuals could subsequently utilise the entity’s response in determining whether to make a formal complaint to the OAIC.
The Report recommends the introduction of a new right to erasure of an individual’s personal information. This would grant individuals the right to require that an entity delete all personal information they hold or have distributed which pertains to the individual. Currently, APP11 requires entities to destroy or de-identify information once it is no longer relevant to the purpose to which it was collected; however, individuals are unable to directly request this.
The implementation of this recommendation would likely create challenges for health practices who store information across multiple platforms, or who frequently distribute information to third parties (such as to pharmacists, external practitioners, or third parties who manage their servers). If an individual invokes this right, practices would need to notify all relevant third parties of the erasure request.
The Report proposes expanding the current right to access personal information collected by an entity, granted under APP 12. Currently, individuals have a right to request access to their personal information which is held by an entity. The Report proposes to extend this right to require that companies inform individuals as to how and when they collected the information, as well as what the information has been (or is intended to be) used for.
This would mean that health practices would need to ensure their data collection and storage systems are capable of tracking where they collected any information which they may have obtained, as well as the purposes for which such information has been used. For example, practices would need to record each time a patient’s information is sent to an external party such as other practitioners, pharmacists, or allied health practitioners.
Upon receiving a request from an individual exercising a right under the Act, the Report proposes that entities be required to respond within 30 days (unless a longer period can be reasonably justified). The entity would also be obliged to facilitate the request unless a valid exemption applies (including if it would be technically impossible or unreasonable to comply), and, if the entity seeks to rely on such an exemption, the entity would be required to outline their explanation for refusal and provide information to the individual on how they can lodge a complaint with the OAIC.
The Report also recommends that entities be required to notify individuals of their rights under the Act at the time of which their information is collected, and to provide individuals with additional steps they may take to obtain further information.
These additional proposed obligations would require greater transparency from practices and may require practices to engage further with individuals with respect to any requests they may make for access to their personal information.
Although these recommendations have not yet been adopted as legislation, they are indicative of the areas in which the government is likely to make changes to the Privacy Act.
Accordingly, we recommend that health practices take proactive steps to review their data collection, storage, and usage to ensure they are compliant with current legislation and determine whether they are ‘fit for purpose’ with respect to implementing the Report’s recommendations, should these be passed.
If you have any questions or would like more information or guidance as to how these proposed changes might affect your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here.
Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors. He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.
Anthony Ha is a Senior Associate in Avant Law’s Commercial and Corporate law practice, based in Sydney. Anthony has over seven years’ experience advising clients in both the private and public sectors on all aspects of commercial and corporate law. His practice includes privacy, regulatory enforcement, governance, and risk and compliance matters. Before joining Avant Law, Anthony held the role of senior legal counsel in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. He has also worked as a senior lawyer within one of New South Wales’s largest primary and secondary education providers.
Disclaimer: The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to
1 August 2023. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. © Avant Mutual Group Limited 2023
Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.