Issue link: https://viewer.e-digitaleditions.com/i/319176
The sleeping giant

After the recent implementation of extensive changes to the Privacy Act, it's essential that medical professionals are aware of the regulations and requirements for collecting personal information.

WORDS: HEATHER BECKINGSALE

Amendments to the Privacy Act 1988 (Cth) (Privacy Act) commenced on 12 March 2014, affecting a significant number of businesses across Australia. The nature and extent of the changes, together with the renewed emphasis on compliance and enforcement, mean that privacy compliance is no longer the sleeping giant that can be ignored. Failure to comply may result in considerable penalties for unsuspecting businesses.

The privacy regime in general

The Privacy Act regulates the way that an individual's personal information is collected and handled by various organisations and agencies. Because health information is regarded as sensitive information under the Privacy Act, health service providers that collect and handle health information must adhere to strict requirements. Under the changed regime, health service providers are subject to the Australian Privacy Principles (APPs) and therefore must understand the changes to the privacy regime, particularly the requirement to comply with the new APPs, and the impact of the regime on their businesses.

How the privacy regime has changed

The changes to the privacy regime are extensive. The previous Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) have been replaced by the APPs. The APPs affect how the private and public sectors collect and handle personal information, including health information. The notable changes involve:

• the handling of sensitive information and the disclosure obligations imposed upon health service providers.

• the extension of the definition of sensitive information to include certain biometric information.

• changes to the rules governing the collection of sensitive information: an organisation must only collect sensitive information about an individual if that individual consents to the collection and the information is reasonably necessary for the organisation's functions or activities. There are a number of exceptions to this principle, including that sensitive information may be collected if authorised under an Australian law or court/tribunal order, and where a permitted general situation or permitted health situation applies.

• the disclosure of personal information to overseas recipients. Reasonable steps must be taken to ensure that an overseas recipient of personal information does not breach the relevant APPs. There are also positive obligations to ensure the security of personal information, which are complicated by cross-border disclosure. While this change may not appear relevant to health providers, where a health service provider uses cloud data storage services and personal information is held electronically within those services, contractual arrangements with the cloud service providers must be in place to meet the new requirements. This is particularly relevant given the increased growth in electronic collection and storage of customer data, together with e-commerce.

• changes to who may be classified as a credit provider. Importantly, health service providers may find themselves part of the new credit reporting regime, either as a credit provider or as a participant. Health service providers should consider their position within the regime.

The changes will also apply to eHealth records. While the framework for eHealth records is governed by the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), the PCEHR Rules 2012 and the Personally Controlled Electronic Health Records Regulation 2012, the

4 Industry Focus HEALTHCARE

