The Privacy Health Guidelines
TERMINOLOGY ADOPTED IN THE PRIVACY AMENDMENT (PRIVATE SECTOR) ACT 2000
The Privacy Amendment (Private Sector) Act 2000 sets the standards for the way in which organisations, including all health service providers in the private sector, collect, use and disclose information about individuals. These standards are contained in 10 National Privacy Principles (NPPs). The NPPs form the basis of the Act and govern the collection of personal information. By its very nature, health information contained in an individual’s medical record is considered to be highly confidential to consumers of health services.
Health service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual, or the person performing it, to:
- Assess, record, maintain or improve the individual’s health;
- Diagnose the individual’s illness or disability; or
- Dispense on prescription a drug or medical preparation by a pharmacist (section 6 of the Privacy Act).
Health service providers can range from hospitals and general practitioners to organisations that may not traditionally have been considered health service providers such as gyms and weight loss clinics.
An organisation collects personal information if it gathers, acquires or obtains information from any source, by any means, in circumstances where the individual is identified or is identifiable. It includes information that:
- An organisation comes across by accident or has not asked for but nevertheless keeps;
- The organisation receives directly from the individual; and
- Information about an individual an organisation receives from somebody else.
Use of personal information relates to the handling of personal information within the organisation. Examples of uses of information are:
- Adding information to a database;
- Forming an opinion based on information collected and noting it on a file.
An organisation discloses information when it releases information outside the organisation. Examples of disclosures include:
- When an organisation gives another organisation information under contract to carry out an “outsourced” function;
- When an organisation sells information to another organisation.
Health information means information or an opinion about the:
- Health or disability (at any time) of an individual;
- Individual’s expressed wishes about the future provision of health services;
- Health services provided or to be provided to an individual that is also personal information or other personal information collected to provide, or in providing a health service;
- Health service or other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances (section 6 of the Privacy Act).
Health information can include details such as an individual’s name, address, billing information and Medicare number, for example, if it is part of the information about an individual’s health.
Personal information means information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (Section 6 Privacy Act)
Personal information must relate to a natural person. A natural person is a human being rather than, for example, a company, which may, in some circumstances, be recognised as a legal “person” under the law. Personal information can range from the very sensitive (for example, political beliefs, medical history, sexual preference or medical records) to the everyday (for example, hair colour, address, phone number). The information need not be accurate; it may include opinion and speculation and it may simply be false information. It doesn’t matter whether the information is held in a computer database, or in paper records, or in any other medium, provided the information itself makes it clear which individual is identifiable. Whether an individual’s identity is reasonably ascertainable will depend on the context and on who holds the information.
Sensitive information is information or an opinion about an individual’s personal information or health information, relating to the following:
- Racial or ethnic origin;
- Political opinion;
- Membership of a political association or religious beliefs, affiliations or philosophical beliefs;
- Membership of a professional or trade association or membership of a trade union;
- Sexual preferences or practices; or
- Criminal record.
This advice has been prepared by the AMA (NSW) Limited. January 2002