Key takeaways

  • Familiarise yourself with the recommendations released in the Privacy Act Review Report ("Report") and the substantial changes proposed in relation to Individual Privacy Rights.
  • Review your current data collection, storage, usage and record-keeping systems (including all relevant processes, policies, procedures and consents) to identify whether these systems provide scope to quickly adopt the recommendations, should they be passed.
  • If there are any concerns with your current systems, take steps to promptly address these concerns.

Overview of recommendations

The Report, which was released in February 2023, recommends substantial changes to the Privacy Act 1988 (Cth) ("Act"). The recommendations, if adopted, would grant several rights to individuals whose data has been collected or is held by an entity to which the Australian Privacy Principles ("APP") apply ("APP Entities").

Given the significant number of data breaches that occur within the health sector and the sensitive nature of the information which health practices hold, it is crucial that practices:

  • are aware of the proposed recommendations
  • review their current data collection, storage, usage and record-keeping systems and whether they would comply with the proposed amendments to the Act, should these be passed.

In this article, we have provided a brief summary of some of the key recommendations set out in the Report and what health practices may want to start to consider.

Right of individual action – statutory tort

The Report proposes that a direct right of action be made available to individuals who have suffered loss or damage as a result of an interference with their privacy under the Act. This would give individuals greater scope to seek redress for interferences with their privacy and to pursue remedies in the courts. The Report separately recommends the legislating of a statutory tort for serious invasions of privacy, to allow individuals to seek compensation for invasions of privacy which may otherwise fall outside the scope of the Act.

Currently, the Office of the Australian Information Commissioner ("OAIC") bears sole responsibility for investigating and enforcing breaches of the Act. An individual who suffers because of a breach may complain to the OAIC, but cannot commence proceedings in court against the responsible entity in their own right.

Impact on health practices

It is therefore likely that the adoption of this change would expose health practices to a greater level of risk in relation to any privacy breach, particularly where a patient feels strongly that their privacy has been breached.

Right to object to collection, use and disclosure

The Report recommends that individuals be granted a right to object to, and to challenge, an entity's collection, use or disclosure of their personal information. If this amendment were implemented, individuals would be able to question how an organisation handles their personal information, and organisations would be required to justify their practices. Individuals could then use the entity's response in deciding whether to make a formal complaint to the OAIC.

Right to erasure

The Report recommends the introduction of a new right to erasure of an individual's personal information. This would grant individuals the right to require that an entity delete all personal information it holds, or has disclosed to third parties, which pertains to the individual. Currently, APP 11 requires entities to destroy or de-identify personal information once it is no longer needed for the purpose for which it was collected; however, individuals are unable to directly request this.

Impact on health practices

The implementation of this recommendation would likely create challenges for health practices that store information across multiple platforms, or that frequently disclose information to third parties (such as pharmacists, external practitioners, or the providers who host or manage their servers). If an individual invokes this right, a practice would need to be able to identify every location where that individual's information is held and to notify all relevant third parties of the erasure request.

Right to access and explanation

The Report proposes expanding the current right to access personal information held by an entity, granted under APP 12. Currently, individuals have a right to request access to their personal information which is held by an entity. The Report proposes to extend this right so that entities must also inform individuals how and when they collected the information, and what the information has been (or is intended to be) used for.

Impact on health practices

This would mean that health practices would need to ensure their data collection and storage systems are capable of recording the source of each item of personal information they obtain, as well as the purposes for which that information has been used. For example, practices would need to record each time a patient's information is sent to an external party such as another practitioner, a pharmacist, or an allied health practitioner.

Other additional obligations

Upon receiving a request from an individual exercising a right under the Act, the Report proposes that entities be required to respond within 30 days (unless a longer period can be reasonably justified). The entity would also be obliged to facilitate the request unless a valid exemption applies (including where it would be technically impossible or unreasonable to comply). If the entity seeks to rely on such an exemption, it would be required to explain the reasons for refusal and to tell the individual how they can lodge a complaint with the OAIC.

The Report also recommends that entities be required to notify individuals of their rights under the Act at the time their information is collected, and to tell individuals what further steps they may take to obtain more information.

Impact on health practices

These additional proposed obligations would require greater transparency from practices and may require practices to engage further with individuals in relation to any requests they make to access their personal information.

What does this mean for my practice?

Although these recommendations have not yet been adopted as legislation, they are indicative of the areas in which the government is likely to make changes to the Privacy Act.

Accordingly, we recommend that health practices take proactive steps to review their data collection, storage, and usage to ensure they are compliant with current legislation and determine whether they are 'fit for purpose' with respect to implementing the Report's recommendations, should these be passed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.