Privacy in Victoria: An introduction to the Information Privacy Act and the Health Records Act
Provided by: sjos

1
Privacy in Victoria: An introduction to the Information Privacy Act and the Health Records Act
2
Session outline
  • Overview of the privacy laws relevant to Victoria
  • Types of information covered by privacy laws
  • The Privacy Principles and your responsibilities:
    • Collection
    • Use and disclosure
    • Management of personal information
    • Access and correction
  • Scenarios
  • Responding to privacy complaints

3
Why do you need to know about privacy?
  • It's the law: all Victorian organisations must comply. People have a right to challenge how your organisation handles their personal information.
  • It makes good business sense: research indicates that the public is more likely to trust an organisation that values and protects privacy.
  • Privacy is a basic human right: we all expect our privacy to be protected.

4
Impact of privacy laws
  • Privacy laws provide people with more control over how organisations handle their personal information.
  • Privacy laws should not stop an organisation carrying out its core business, but may mean changes to the way personal information is handled.
  • Privacy laws promote openness and transparency in the handling of personal information.
  • The right to privacy has to be balanced against the necessary flow of information for the provision of services.

5
Context for privacy laws
  • Technological advances are rapidly changing the way that information is collected and handled.
  • For example:
    • Increase in CCTV cameras
    • RFIDs in brochures to allow targeted advertising as a person walks around a waiting room
    • Tracking traffic flow using drivers' mobile phones
    • GPS-enabled school uniforms

6
The privacy protection landscape

Health Records Act (Vic) covers:
  • All health-related personal information held in the public and private sectors
  • Most of the personal information handled by health service providers

Information Privacy Act (Vic) covers:
  • All personal information handled by State government agencies and local government (other than health-related information)

Privacy Act (Cth) covers:
  • Federal government agencies, e.g. Centrelink
  • Much of the private sector

7
The Victorian privacy principles
  • There are 11 HPPs (Health Privacy Principles) and 10 IPPs (Information Privacy Principles), and they:
    • govern the life cycle of information:
      • Collection
      • Use and disclosure
      • Management of personal information
      • Access and correction
    • are legally binding

8
Privacy Principles: interaction with other legislation
  • The Privacy Principles co-exist with other legislation.
  • Existing provisions in other statutes governing the confidentiality, use and disclosure of personal information, and those that regulate access to certain kinds of personal information, continue to apply.
  • Specific statutory provisions override the general standards in both the Health Records Act and the Information Privacy Act to the extent of any inconsistency.

9
What information is subject to privacy laws?
  • Personal information means:
    • Information or opinion about an individual whose identity is apparent, or can be reasonably ascertained
    • Does not have to be true
    • Recorded in a material form (IPA only)
  • Two categories: information about clients/patients and information about staff

10
Health information differs depending on what you do
  • For health service providers, health information means:
    • all identifying personal information collected to provide a health service
    • e.g. includes next of kin information
  • For non-health service providers, health information means:
    • all identifying personal information about the health or disability of an individual
    • it does not cover other personal information like payroll or bank account details.

11
Deceased individuals
  • The Health Records Act applies in relation to the health information of a deceased individual who has been dead for 30 years or less in the same way it applies to the health information of a living person.

12
Privacy Principles common to both Acts
  1. Collection
  2. Use & Disclosure
  3. Data Quality
  4. Data Security & Retention
  5. Openness
  6. Access & Correction
  7. Identifiers
  8. Anonymity
  9. Transborder Data Flows

13
Additional Principles
  • IPA:
    • Sensitive Information
  • HRA:
    • Making information available to another health service provider
    • Transfer / closure of practice of a health service provider

14
Collection
15
Collection (1)
  • Don't overcollect: collect only personal information that is necessary for the performance of functions.
  • Anonymity: people should have the option of not identifying themselves when entering transactions, if that is lawful and feasible.
  • Collect for a pre-determined purpose.
  • Collect lawfully, fairly and not unreasonably intrusively.
  • Collect information only from the person themselves, where practicable.

16
Collection (2)
  • Generally need consent to collect health information (either express or implied) (HRA)
  • Provide a collection statement to notify those you collect from about what you do with the information and that they can gain access to it.

17
When collecting personal information, tell the person:
  • who is collecting the information
  • what it will be used for
  • whether the collection is required by law
  • how the person can get access to the information
  • who else usually has access to the information, and
  • what the main consequences, if any, are for the person if they do not provide the information.

18
Sensitive information (IPA only)
Collection of sensitive information is tightly restricted. This includes information or opinion about an individual's:
  • political views
  • religious beliefs
  • sexual preferences
  • membership of groups (e.g. unions, political groups)
  • racial or ethnic origin, or
  • criminal record.

19
Points to consider: collection
  • Do you really need all of the personal information you collect?
  • Do you obtain consent to collect health information?
  • Do you have collection notices on all forms requesting personal information?
  • Are customers who provide information over the telephone/internet/in person given clear notice about how the information will be used and disclosed?
  • Do you collect any sensitive information? Is this collection justified?

20
Use and disclosure
21
Use & Disclosure
  • Use or disclose personal information:
    • for the primary purpose for which it was collected,
    • or for a related purpose a person would reasonably expect,
    • or for one of the allowed exceptions.
  • Otherwise, use or disclosure can only occur with consent.
  • Health information can be disclosed to an immediate family member for compassionate reasons where the individual is incapable of consent.

22
Use and Disclosure
Information may also be used or disclosed for a secondary purpose, without consent, for the following reasons:
  • Serious and imminent threat to an individual's life, health, safety or welfare
  • Serious threat to public health, safety or welfare
  • Law enforcement
  • Research or statistical analysis
  • Required or authorised by another law

23
Consent
  • Individual has the capacity to consent
  • Voluntary
  • Informed
  • Specific
  • Current

24
Use and disclosure
  • Transborder data flows:
    • Personal information can only be transferred interstate or overseas if certain conditions are met.
    • Consent is one condition.

25
Points to consider: use and disclosure
  • When does your organisation use or disclose personal information for a purpose other than the primary purpose it was collected for?
  • Which of the use and disclosure rules authorise this?
  • Is there a practical, commonsense way that this purpose can be met without a disclosure, for example, releasing non-identifying data or acting as a go-between to pass on information without disclosing personal details?
  • Don't feel pressured to respond hastily to requests for disclosure. If uncertain, check before disclosing.

26
Management of personal information
27
Data Quality
  • Take reasonable steps to ensure the information you hold is:
    • accurate
    • complete
    • up-to-date

TIP: Check the spelling of common names, such as John/Jon. Many privacy breaches occur by mixing client records.
28
Recording personal information
  • Be specific: vagueness and ambiguity make it difficult for others to use the information
  • Distinguish fact from opinion
  • Check the information, particularly if it is old or not provided by the person themselves
  • Inaccurate spelling of names and addresses leads to privacy breaches

29
Security and retention
  • Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
  • Non-health-related personal information, and health information held by non-health service providers, should be destroyed or de-identified when it is no longer needed.
  • Health service providers: check HPP 4.2
  • (Public sector: destruction should be in accordance with the disposal schedules of the Public Records Act 1973.)

30
Data security
  • Physical security might include:
    • locking filing cabinets
    • restricting access to certain areas
    • positioning computer terminals so they cannot be seen by unauthorised personnel, and
    • questioning unaccompanied or unrecognised visitors.

31
Data security
  • Operational security might include:
    • rules on levels of access
    • audit trails to detect unauthorised access
    • changing of passwords at frequent intervals
    • avoiding collecting information in public waiting rooms where possible
    • use of fictitious information for training, and
    • procedures for dealing with employees who leave.

32
Data security
  • Security of transmission:
    • programming fax machines to avoid the risk of misdialling
    • retaining fax activity history reports
    • controlling the type of information sent, and
    • telephoning the intended recipient prior to transmission.

33
Data security
  • E-mail:
    • guidelines for use of e-mail
    • encrypting files
    • blind carbon copying address details, and
    • e-mail privacy notices.
  • Post:
    • take care not to display the contents of letters through window envelopes.

34
Unique identifiers
  • This principle limits the:
    • assignment
    • adoption, and
    • sharing of unique identifiers.
  • Intended to minimise cross-matching of data across government agencies.

35
Privacy Policy
  • Document clearly expressed policies on the management of personal information and provide the policies to anyone who asks.
  • Know where to find your organisation's privacy policy.
  • Know who your privacy contact person is.
  • Make sure the policy is reviewed to reflect current practice.

36
Making information available to another health service provider (HRA only)
  • Health service providers must make health information relating to an individual available to another health service provider if requested by the individual.

37
Transfer/closure of the practice of a health service provider (HRA only)
  • Health service providers whose business or practice is being sold, transferred or closed down, without you continuing to provide services, must give notice of the transfer or closure to past service users.

38
Points to consider: management of personal information
  • Once privacy is lost, it can't easily be retrieved: regularly review the security arrangements for both paper-based and electronic data.
  • One simple, effective way to monitor data quality is to make a habit of asking people, in any correspondence with them, to check the information and advise of updates or corrections.

39
Access and correction
40
Access & correction
  • Individuals have a right to seek access to information about them.
  • They also have a right to correct it if it is inaccurate, incomplete, misleading or not up-to-date.
  • The FOI Act continues to give individuals a right of access to information about themselves held by public sector organisations.

41
Some exemptions from the privacy principles
  • The judiciary and quasi-judicial bodies (courts and tribunals) when exercising their judicial or quasi-judicial functions
  • Partial exemption for law enforcement agencies (IPA only)
  • Genuine news activities carried out by organisations whose dominant function is disseminating news (HRA only)
  • Information relating to personal, family or household affairs (HRA only)

42
Privacy complaints
43
What is a complaint?
  • If a person believes an organisation has breached their privacy rights, they may complain to the Health Services Commissioner or the Victorian Privacy Commissioner.
  • A contravention of any of the privacy principles can be an interference with the privacy of an individual.

44
Responding to complaints (1)
  • Many privacy complaints are able to be resolved by the organisation without involvement by the Commissioners.
  • Complaints are referred back to the organisation to resolve as the first option.
  • The Commissioner may accept the complaint if the organisation and complainant cannot reach a resolution.

45
Responding to complaints (2)
  • Commissioners will attempt to resolve the complaint by conciliation.
  • If the complainant is still dissatisfied, the complaint can be referred to VCAT (Victorian Civil and Administrative Tribunal).
  • If VCAT upholds a complaint, potential remedies include:
    • restraint orders
    • ordering action to redress the damage suffered
    • compensation up to $100,000

46
Key points
  • Privacy laws do not prevent the legitimate flows of information necessary for the operation of government or the provision of a health service.
  • Become familiar with the privacy principles and apply them to the way you handle personal information:
    • Collect only the information you need.
    • Advise people why you need the information and how it will be used and disclosed.
    • Use and disclose for the primary purpose of collection unless the person consents or an exemption applies.
    • Take steps to ensure the quality of the information.
    • Secure the information.

47
More Information
  • Health Services Commissioner: www.health.vic.gov.au/hsc, 8601 5200
  • Privacy Victoria: www.privacy.vic.gov.au, 1300 666 444
  • Federal Privacy Commissioner: www.privacy.gov.au, 1300 363 992