Title: Privacy in Victoria An introduction to the Information Privacy Act and the Health Records Act
1Privacy in VictoriaAn introduction to the
Information Privacy Act and the Health Records
Act
2Session outline
- Overview of the privacy laws relevant to Victoria
- Types of information covered by privacy laws
- The Privacy Principles and your responsibilities
- Collection
- Use and disclosure
- Management of personal information
- Access and correction
- Scenarios
- Responding to privacy complaints
3Why do you need to know about privacy?
- Its the law All Victorian organisations must
comply. People have a right to challenge how
your organisation handles their personal
information. - Its makes good business sense - Research
indicates that the public is more likely to trust
an organisation that values and protects privacy. - Privacy is a basic human right We all expect
our privacy to be protected.
4Impact of privacy laws
- Privacy laws provide people with more control
over how organisations handle their personal
information. - Privacy laws should not stop an organisation
carrying out their core business, but may mean
changes to the way personal information is
handled. - Privacy laws promote openness and transparency in
the handling of personal information. - The right to privacy has to be balanced against
the necessary flow of information for provision
of services
5Context for privacy laws
- Technological advances are rapidly changing the
way that information is collected and handled. - For example
- Increase in CCTV cameras
- RFIDs in brochures to allow targeted advertising
as person walks around waiting room - Tracking traffic flow using drivers mobile
phones - GPS enabled school uniforms
6The privacy protection landscape
Health Records Act (Vic)
Information Privacy Act (Vic)
Privacy Act (Cth)
- Covers
- All health related personal information held in
public and private sectors - Most of the personal info handled by health
service providers
- Covers
- Federal government agencies, e.g. Centrelink
- Much of the private sector
- Covers
- All personal info handled by State government
agencies and local government - (other than health related info)
7The Victorian privacy principles
- There are 11 HPPs and 10 IPPs and they
- govern the life cycle of information
- Collection
- Use and disclosure
- Management of personal information
- Access and correction
- are legally binding
8Privacy Principles Interaction with other
legislation
- The Privacy Principles co-exist with other
legislation. - Existing provisions in other statutes governing
the confidentiality, use and disclosure of
personal information and those that regulate
access to certain kinds of personal information
continue to apply. - Specific statutory provisions override the
general standards in both the Health Records Act
and the Information Privacy Act to the extent of
any inconsistency.
9What information is subject to privacy laws?
- Personal information means
- Information or opinion about an individual whose
identity is apparent, or can be reasonably
ascertained - Does not have to be true
- Recorded in a material form (IPA only)
- 2 categories information about clients/patients
and information about staff
10Health Information differs depending on what
you do
- For health service providers health
informationmeans - all identifying personal information collected to
provide a health service - e.g. includes next of kin information
- For non health service providers health
information means - all identifying personal information about the
health or disability of an individual - it does not cover other personal information like
payroll or bank account details.
11Deceased individuals
- The Health Records Act applies in relation to the
health information of a deceased individual who
has been dead for 30 years or less in the same
way it applies to the health information of a
living person.
12Privacy Principlescommon to both Acts
- Collection
- Use Disclosure
- Data Quality
- Data Security Retention
- 5. Openness
- Access Correction
- Identifiers
- Anonymity
- Transborder Data Flows
13Additional Principles
- IPA
- Sensitive Information
- HRA
- Making information available to another health
service provider - Transfer / closure of practice of a health
service provider
14Collection
15Collection (1)
- Dont overcollect - Collect only personal
information that is necessary for the performance
of functions. - Anonymity - People should have the option of not
identifying themselves when entering
transactions, if that is lawful and feasible. - Collect for a pre-determined purpose.
- Collect lawfully, fairly and not unreasonably
intrusively. - Collect information only from the person
themselves, where practicable.
16Collection (2)
- Generally need consent to collect health
information (either express or implied) (HRA) - Provide a collection statement to notify those
you collect from about what you do with the
information and that they can gain access to it.
17When collecting personal information, tell the
person
- who is collecting the information
- what it will be used for
- whether the collection is required by law
- how the person can get access to the information
- who else usually has access to the information
and - what the main consequences, if any, are for the
person if they do not provide the information.
18Sensitive information (IPA only)
Collection of sensitive information is tightly
restricted. This includes information or opinion
about an individuals
- political views
- religious beliefs
- sexual preferences
- membership of groups (eg unions, political
groups) - racial or ethnic origin or
- criminal record.
19Points to consider - collection
- Do you really need all of the personal
information you collect? - Do you obtain consent to collect health
information? - Do you have collection notices on all forms
requesting personal information? - Are customers who provide information over the
telephone/internet/in person given clear notice
about how the information will be used and
disclosed? - Do you collect any sensitive information? Is
this collection justified?
20Use and disclosure
21Use Disclosure
- Use or disclose personal information for the
primary purpose for which it was collected - Or a related purpose a person would reasonably
expect - Or for one of the allowed exceptions.
- Otherwise, use or disclosure can only occur with
consent. - Health information can be disclosed to an
immediate family member for compassionate reasons
where the individual is incapable of consent.
22Use and Disclosure
Info may also be used or disclosed for a
secondary purpose, without consent, for the
following reasons
- Serious and imminent threat to individuals life,
health, safety or welfare - Serious threat to public health, safety or
welfare - Law enforcement
- Research or statistical analysis
- Required or authorised by another law
-
23Consent
- Individual has the capacity to consent
- Voluntary
- Informed
- Specific
- Current
24Use and disclosure
- Transborder data flows
- Personal information can only be transferred
interstate or overseas if certain conditions are
met. - Consent is one condition.
25Points to consider use and disclosure
- When does your organisation use or disclose
personal information for a purpose other than the
primary purpose it was collected for? - Which of the use and disclosure rules authorise
this? - Is there a practical commonsense way that this
purpose can be met without a disclosure, for
example, releasing non-identifying data or acting
as a go-between to pass on information without
disclosing personal details? - Dont feel pressured to respond hastily to
requests for disclosure. If uncertain, check
before disclosing.
26Management of personal information
27 Data Quality
- Take reasonable steps to ensure the information
you hold is - accurate
- complete
- up-to-date
TIP Check the spelling of common names, such as
John/Jon. Many privacy breaches occur by mixing
client records.
28Recording personal information
- Be specific vagueness and ambiguity make it
difficult for others to use the information - Distinguish fact from opinion
- Check the information, particularly if it is old
or not provided by the person themselves - Inaccurate spelling of names and addresses lead
to privacy breaches
29Security and retention
- Take reasonable steps to protect personal
information from misuse, loss, unauthorised
access, modification or disclosure. - Non-health related personal information health
information held by non-health service providers
should be destroyed or de-identified when it is
no longer needed. - Health service providers check HPP4.2
- (Public sector - Destruction should be in
accordance with disposal schedules of the Public
Records Act 1973.)
30Data security
- Physical security might include
- locking filing cabinets
- restricting access to certain areas
- positioning computer terminals so they cannot be
seen by unauthorised personnel and - questioning unaccompanied or unrecognised
visitors.
31Data security
- Operational Security might include
- rules on levels of access
- audit trails to detect unauthorised access
- changing of passwords at frequent intervals
- avoiding collecting information in public waiting
rooms where possible - use of fictitious information for training and
- procedures for dealing with employees who leave.
32Data security
- Security of transmission
- programming fax machines to avoid risk of
misdialling - retaining fax activity history reports
- controlling the type of information sent and
- telephoning intended recipient prior to
transmission.
33Data security
- E-mail
- guidelines for use of e-mail
- encrypting files
- blind carbon copying address details and
- e-mail privacy notices.
- Post
- take care not to display contents of letters
through window envelopes.
34Unique identifiers
- This principle limits the
- assignment
- adoption and
- sharing of unique identifiers.
- Intended to minimise cross-matching of data
across government agencies.
35Privacy Policy
- Document clearly expressed policies on management
of personal information and provide the policies
to anyone who asks. - Know where to find your organisations privacy
policy. - Know who your privacy contact person is.
- Make sure the policy is reviewed to reflect
current practice.
36Making information available to another health
service provider (HRA only)
- Health service providers must make health
information relating to an individual available
to another health service provider if requested
by the individual.
37Transfer/closure of the practice of a health
service provider (HRA only)
- Health service providers whose business or
practice is being sold, transferred or closed
down, without you continuing to provide services,
must give notice of the transfer or closure to
past service users.
38Points to consider management of personal
information
- Once privacy is lost, it cant easily be
retrieved regularly review the security
arrangements for both paper-based and electronic
data. - One simple effective way to monitor data quality
is to make a habit to ask people, in any
correspondence with them, to check the
information and advise of updates or corrections.
39Access and correction
40Access correction
- Individuals have a right to seek access to
information about them. - They also have a right to correct it if it is
inaccurate, incomplete, misleading or not
up-to-date. - The FOI Act continues to give individuals a right
of access to information about themselves held by
public sector organisations.
41Some exemptions from the privacy principles
- The judiciary and quasi-judicial bodies (Courts
tribunals) when exercising their judicial or
quasi-judicial functions - Partial exemption for law enforcement agencies
(IPA only) - Genuine news activities carried out by
organisations whose dominant function is
disseminating news (HRA only) - Information relating to personal, family or
household affairs. (HRA only)
42Privacy complaints
43What is a complaint?
- If a person believes an organisation has breached
their privacy rights, they may complain to the
Health Services Commissioner or Victorian Privacy
Commissioner. - A contravention of any of the privacy principles
can be an interference with the privacy of an
individual.
44Responding to complaints (1)
- Many privacy complaints are able to be resolved
by the organisation without involvement by the
Commissioners. - Complaints are referred back to the organisation
to resolve as the first option. - Commissioner may accept the complaint if the
organisation and complainant cannot reach
resolution.
45Responding to complaints (2)
- Commissioners will attempt to resolve by
conciliation. - If complainant still dissatisfied, complaint can
be referred to VCAT - If VCAT upholds a complaint, potential remedies
include - restraint orders
- ordering action to redress the damage suffered
- compensation up to 100,000
46Key points
- Privacy laws do not prevent the legitimate flows
of information necessary for the operation of
government or provision of a health service. - Become familiar with the privacy principles and
apply them to the way you handle personal
information - Collect only the information you need.
- Advise people why you need the information and
how it will be used and disclosed. - Use and disclose for the primary purpose of
collection unless the person consents or an
exemption applies. - Take steps to ensure the quality of the
information. - Secure the information.
47More Information
Health Services Commissioner www.health.vic.gov.a
u/hsc 8601 5200 Privacy Victoria www.privacy.vic
.gov.au 1300 666 444 Federal Privacy
Commissioner www.privacy.gov.au 1300 363 992