Page tools

My Parliament

Privacy Legislation Amendment Bill 2006


Index

Bills Digest no. 9 2006–07

Privacy Legislation Amendment Bill 2006

WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

CONTENTS

Passage History
Purpose
Background
Main Provisions
Concluding Comments
Endnotes
Contact Officer & Copyright Details

Passage History

Privacy Legislation Amendment Bill 2006

Date introduced: 22 June 2006

House: House of Representatives

Portfolio: Attorney General

Commencement: Royal Assent

Purpose

The purpose of the Bill is to amend the Privacy Act 1988 and the National Health Act 1953 in order to:

  • ensure medical practitioners can continue to access health information available through the Prescription Shopping Information Service without breaching the National Privacy Principles
  • ensure genetic information is covered by the National Privacy Principles that govern the use and disclosure of health and sensitive information
  • enable health care professionals to disclose genetic information to genetic relatives where there is a serious health risk to the genetic relative.

Background

Schedule 1 Amendments relating to collection of health information

Health information under the Privacy Act 1988 (Cth)

The statutory framework for health privacy in Australia is made up of a complex patchwork of interlocking privacy laws. At the centre of this patchwork is the Privacy Act 1988, which applies two standards to health information the Information Privacy Principles (IPPs) when it is being handled in the Commonwealth public sector and the National Privacy Principles (NPPs) when handled by the private sector. These principles govern the collection, use, disclosure and other aspects of the handling of personal health information.(1)

What is health information?

Under the Privacy Act, the special nature of health information is recognised through the inclusion of health information as a sub-set of sensitive information . As a result, health information is subject to the higher privacy standards that apply to sensitive information under NPP 10. Under the Act health information is defined as:

  • information or an opinion about:
    • the health or a disability of an individual
    • an individual s expressed wishes about the future provision of health services to him or her, or
    • a health service provided to an individual that is also personal information, or
  • other personal information collected to provide a health service; or
  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.
Health information and the National Privacy Principles

Obligations regarding the collection(2) of health information are spelt out in the provisions of NPP 1 relating generally to the collection of personal information and NPP 10 relating specifically to the collection of sensitive information (which includes health information).

In general, health information should only be collected with an individual s express or implied consent. This general rule is, however, subject to a number of exceptions. In particular, an organisation may collect health information without consent where:

  • the information is necessary to provide a health service to the individual and the information is collected:
    • as required by law (other than under the Privacy Act), or
    • in accordance with binding professional rules of confidentiality.(3)

Organisations may also collect health information without consent if:

  • the collection is undertaken because of a law requiring them to do so
  • the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, or
  • where the individual is either unable to provide consent or cannot communicate consent.(4)

NPP 10.3 also allows organisations to collect health information if they have public interest purposes to collect health information, or business purposes related to the overall management of a health service. These organisations are not required to obtain consent for the collection of health information if it is impracticable, providing the information is subject to ongoing protection.

Prescription Shopping Information Service and the Privacy Commissioner s Public Interest Determination

The Privacy Commissioner issued a Temporary Public Interest Determination(5) in 2005, subsequently renewed until December 2006, to clarify the application of NPP 10 to the practice of doctors collecting information on their patients from a database operated by the Health Insurance Commission. The database known as the Prescription Shopping Information Service, (PSIS) contains Pharmaceutical Benefits Scheme (PBS) history about some individuals who have been identified under the Department of Health and Ageing s Prescription Shopping Project as a prescription shopper . Section 30 of the Medicare Australia (Functions of the Chief Executive Office) Direction 2005 defines a prescription shopper as a person who in any three month period obtains more than 50 pharmaceutical benefits or 25 target pharmaceutical benefits, or has pharmaceutical benefits provided by more than six prescribers, and who may therefore endanger their health and be misusing health resources.(6) Medical practitioners who suspect an individual may be prescription shopping can check the person s details against the PSIS, which at any point in time holds records on around 20,000 individuals.(7)

As a result of the Public Interest Determination, a general practitioner in private practice does not commit a breach of NPP 10 when they collect information concerning a patient s PBS history without the patient s consent. The Commissioner s reasoning behind the Determination was as follows:

The Privacy Commissioner is satisfied that the act or practice [of accessing the PSIS] would or may constitute a breach of National Privacy Principle 10 [I]n certain cases, there may be an unwillingness on the part of an individual to provide consent to the collection of information from the Information Service, including where this would assist in determining the individual s therapeutic needs. Denying the applicant access to the Information Service may limit the applicant s knowledge of the individual s prescription history and hinder the applicant from, where appropriate, offering counselling or other treatment alternatives. For the applicant not to be able to collect this information may lead to serious and potentially life-threatening consequences in respect of the individual s clinical management and welfare.

In making the Determination, the Commissioner was satisfied that as required by section 80A(1)(b) of the Privacy Act:

the public interest in the applicant collecting health information from the Information Service outweighs to a substantial degree the public interest in the applicant adhering to National Privacy Principle 10 in these circumstances, as the collection may immediately and directly affect the health care of an individual.(8)

The Explanatory Statement to the Determination states that this is a temporary measure to ensure that collection of PBS information by doctors from the PSIS without the consent of patients can continue until there is an appropriate legislative measure.(9) The amendments in Schedule 1 of the Bill provide the legislative measure to replace the Temporary Determinat ion.

Schedule 2 Amendments relating to genetic information

The issues surrounding genetic information are amongst the most controversial of all privacy issues. Unlike many other dimensions of personal information that relate to behaviour and lifestyle, genetic information is entirely outside the control of individuals. And yet, on the basis of that information, other organisations may make decisions about individuals that can have serious adverse effects whether in relation to employment, insurance cover, medical treatment or other issues. Genetic information may form the basis of discrimination that could seriously affect the lives of individuals.(10)

The other side of this argument is that gene technology also offers many benefits. Genetic information can help to identify the presence of a certain condition in an individual or predict an individual s likelihood of developing a certain condition. Adopting an appropriate framework to regulate the use and privacy of genetic information has therefore emerged as a key issue in public policy. (11)

Essentially Yours: Protection of Human Genetic Information Inquiry

The Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee (AHEC) issued a major report on genetic privacy issues in 2003, after a lengthy inquiry. The Terms of Reference for the Inquiry directed the ALRC and the AHEC to consider, with respect to human genetic information and the samples from which such information is derived, how best to:

  • protect privacy
  • protect against unfair discrimination, and
  • ensure the highest ethical standards. (12)

The Inquiry then applied these basic concerns across a wide range of contexts, reflecting the growing breadth and impact of the new genetics in modern society including:

  • the provision of clinical genetic services
  • the ethical oversight of scientific and medical research
  • the collection, storage, analysis and use of DNA samples by law enforcement authorities
  • the use of genetic information in insurance underwriting, employment and by immigration authorities
  • the management of tissue banks, genetic registers and human genetic research databases
  • DNA parentage and kinship testing.(13)

The Report, called Essentially Yours: the Protection of Human Genetic Information in Australia made 144 wide ranging recommendations, covering information privacy, protection against unfair discrimination in employment and insurance, the use of genetic information in forensic investigations and parentage testing and ensuring the highest ethical standards in medical research and practice. In December 2005 the Government indicated that it supported the bulk of those recommendations.(14)

Recommendations for amendment to the Privacy Act

In the context of this Bill, the Report recommended a number of amendments to the Privacy Act to:

  • ensure the definitions of health information and sensitive information expressly include human genetic information about an individual,(15) and
  • permit a health care professional to disclose genetic information about their patient to a genetic relative of that patient where disclosure is necessary to prevent a serious health threat to an individual.(16)

The Government supports these recommendations and Schedule 2 implements the Government s response to them.

The Government however, also indicated it does not support other recommendations relating to the Privacy Act, including:

  • amending the Privacy Act to ensure all small businesses that hold genetic information are subject to the Privacy Act(17)
  • giving individuals a right to access bodily samples of their first-degree genetic relatives to obtain genetic information,(18) and
  • enacting legislation to provide enforceable standards for handling genetic samples(19) (as opposed to genetic information) and ensuring the relevant Privacy Principles cover genetic samples.(20)
Definitions of health information and sensitive information in the Privacy Act

Genetic information is not specifically referred to in the Privacy Act, although in many cases the definitions of health information and sensitive information would cover genetic information. There are however, circumstances in which genetic information may not amount to health information either because the information is not about health, disability or the provision of a health service (as in the case of parentage or forensic testing, where the focus is on identification), or because it is not about the health or disability of an existing individual (as sometimes may be the case with genetic carrier testing, where the information is primarily about the health of future children).(21)

There is also a range of non-health genetic information that falls outside the definition of sensitive information in particular, parentage testing done by commercial laboratories.

Submissions to the ALRC/AHEC Inquiry generally supported proposals to amend the Privacy Act to ensure that all genetic information is treated as health information or other sensitive information under the Act.(22)

After considering definitions in other health information privacy legislation, the Inquiry recommended that the definition of health information be amended to include genetic information about an individual in a form which is, or could be, predictive of the health of the individual or any of his or her genetic relatives (whether or not it was collected in relation to the health of, or the provision of a health service to, the individual or a genetic relative).(23)

It was also considered necessary to amend the definition of sensitive information to include human genetic test information, in order to cover genetic information derived from parentage, forensic and other identification testing that is not predictive of health. (24)

The Bill generally adopts these recommendations through items 2 and 3 of Schedule 2.

Access to the genetic information of first degree relatives(25)

Genetic records often contain information about the biological relatives of the individual to whom the information primarily relates. However, privacy laws are largely built around the protection and vindication of individual rights. A key issue for the Inquiry was whether the familial or collective nature of genetic information also requires recognition as a basic element of the privacy protection regime. This would involve a shift away from the rights model towards a medical model , based primarily on what doctors consider best practice in providing medical care for patients and their families. Control of genetic information would be shared amongst genetic relatives. (26)

Under the Privacy Act, disclosure of genetic information other than for the primary purpose of treating the person tested, is generally only permitted with the consent of that person. However, as David Weisbrot, President of the ALRC and Chair of the Inquiry notes, in some circumstances, the disclosure of genetic information could allow the prevention of serious health consequences in genetic relatives for example, where an individual s test results are positive for mutations linked colectoral cancer or breast cancer. Weisbrot goes on:

Ideally, and in many instances, the patient will consent to informing relatives, so that they may seek their own medical advice, including screening. Where consent is not obtained, in most circumstances (where disclosure is not for the primary purpose of collection or for a directly related secondary purpose), a health services provider only may disclose personal information to a relative if this is necessary to lessen or prevent a serious and imminent threat to an individual s life, health or safety (NPP 2.1(e)(i)). However, a familial predisposition to cancer or other genetic conditions generally would not be regarded as a sufficiently imminent threat to justify disclosure in breach of a patient s wishes.(27)

The Inquiry concluded that there was a need to amend the Privacy Act to broaden the circumstances in which doctors and allied health professionals may use or disclose genetic information to prevent threats to life, health or safety. It was considered that the existing serious or imminent threat test included in the NPPs (NPP2.1(e)(i)) is too restrictive in the context of shared genetic information. The Inquiry recommended that the Privacy Act be amended so that use or disclosure of genetic information by a health professional be permitted where the health professional believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual s life, health or safety, even where such threat is not imminent for example, where a genetic test indicates a familial predisposition to breast cancer or colon cancer.(28)

The Government, in its response accepted this recommendation(29) and items 1, 4 and 5 of Schedule 2 of the Bill implement it.

Reaction to the Bill

Australian Democrats

Democrats' Science and Biotechnology Spokesperson, Senator Natasha Stott Despoja has welcomed the Bill stating that the Government has finally moved to safeguard genetic privacy in law: Senator Stott Despoja had introduced similar amendments to the Privacy Act in 2000 in a bid to protect genetic privacy and prior to that in 1998 she introduced a Private Member's Bill, the Genetic Privacy and Non-discrimination Bill, to protect genetic privacy and prevent discrimination on the basis of genetic information. In a recent press release Senator Stott Despoja noted:

[genetic information] is our most sensitive health information and it deserves to be protected. The next step is to outlaw discrimination on the basis of genetic information, a move which is long overdue, especially now that we have reported cases of genetic discrimination in this country.

[ ]

The work of the ALRC has been world-class and is among the most comprehensive investigation of this issue. I commend the ALRC on the recommendations which have led to this bill.(30)

Recommendations for amendment of the Privacy Act not accepted by the Government ALRC President response

As discussed above, some of the recommendations for amendment to the Privacy Act made by the Essentially Yours Inquiry were rejected by the Government. In particular, the Government rejected the recommendation to give individuals a right to access bodily samples of their first-degree genetic relatives to obtain genetic information.(31) The Government s rationale for rejection is:

First degree genetic relatives, who suspect that a relative s genetic sample contains important genetic information that could lessen or prevent a serious threat to his or her life, health, or safety, could easily access that genetic information by undertaking a genetic test themselves. This assumes that the person understands the basic nature of the genetic risk that they face. In the absence of such knowledge, access to their relative s sample, as distinct from the relevant genetic information contained in that sample, would provide little advantage.

David Weisbrot, President of the ALRC and Chair of the Inquiry has responded critically stating:

With respect - and whatever one thinks about the policy or principle - this is inaccurate from a clinical and scientific point of view. The whole rationale behind familial genetic registers, tissue banks and human genetic research databases is that it is, in fact, extremely important to track genetic disease markers across families, communities and populations. In recent years, major biobanking initiatives have been undertaken in the UK (UK Biobank), Japan, Estonia, Iceland, Taiwan, China, Canada and the US. It is hoped that the new HGAC [Human Genetics Advisory Council] will purse this matter further with the Government, to ensure that Australian policy is built upon sound medicine and science, as well as on sound ethical, legal and social principles.(32)

A further recommendation to enact legislation to provide enforceable standards for handling genetic samples(33) and ensuring the relevant Privacy Principles cover genetic samples(34) was also rejected. The Government stated:

... [the] privacy principles are designed to regulate the collection, use and disclosure of personal information, not the source of that information. Accordingly, the Government does not consider that privacy legislation is the appropriate place for regulating genetic samples. The concerns raised about the use and handling of genetic samples could be addressed in the Human Tissues Acts.

Again, the ALRC President was critical of the Government s response stating:

Unfortunately, the Government response did not engage with the detailed rationale underlying this recommendation, as set out in Essentially Yours, including the ALRC s express preference for dealing with these matters under the federal Privacy Act rather than the various State and Territory Human Tissue Acts.(35)

Financial implications

The Bill is not expected to have any financial implications.

Main provisions

Schedule 1 Amendments relating to collection of health information

Item 1 inserts new section 135AC into the National Health Act 1953. The effect is that where the disclosure of information is authorised by or under a health law or the Medicare Australia Act 1973, the collection of that information by the person to whom it is disclosed is deemed also to be authorised by or under that law.

NPP 10.2 of the Privacy Act currently provides that an organisation delivering a health service(36) may collect health information, without the consent of the individual, if the information is collected as required by law (NPP 10.2(b)(i)). Item 2 amends NPP 10.2(b)(i) so that an organisation delivering a health service will be able to collect health information, where the collection is authorised by or under law as well as required by law. The effect of item 2 is that where an organisation is delivering a health service and there is a stated legal authority for it to collect health information about an individual, NPP 10(2)(b) will permit this to occur without consent.

Schedule 2 Amendments relating to genetic information

Item 1 inserts a definition of genetic relative into the definition section of the Privacy Act. Genetic relative is defined to include another individual who is related by blood to the first individual including a sibling, parent or descendant. The Explanatory Memorandum states that this definition would also cover grandparents of the individual.(37)

Item 2 amends the definition of health information in subsection 6(1) of the Privacy Act to include genetic information. This is to ensure that genetic information that could be predictive of the health of an individual or the genetic relatives of the individual will be treated as health information for the purposes of the Act.

Item 3 amends the definition of sensitive information in subsection 6(1) of the Privacy Act to include genetic information about an individual that is not otherwise health information. This is to ensure that genetic information that is not considered predictive of the health of an individual or the genetic relatives (such as the result of parentage or kinship tests) will be treated as sensitive information for the purposes of the Act.

Item 4 inserts new section 95AA which provides for guidelines for NPPs relating to the use and disclosure of genetic information. The guidelines will be issued by the NHMRC and approved by the Privacy Commissioner via legislative instrument.

Item 5 amends NPP2.1 in Schedule 3 of the Privacy Act. NPP 2.1 prohibits secondary uses or disclosure of personal information unless one of the exceptions specified in NPP 2.1 applies. New paragraph NPP 2.1(ea) provides a new exception. It permits the use or disclosure of genetic information about an individual to a genetic relative in circumstances where the genetic information may reveal a serious threat to a genetic relative s life, health or safety, but not necessarily an imminent threat. Use or disclosure must be done in accordance with relevant guidelines relating to the use and disclosure of genetic information (new paragraph 2.1(ea)(ii)).

Concluding comments

The amendments in Schedule 2 of the Bill appear uncontroversial. They represent only a small and uncomplicated part of the Government s response to the Equally Yours Inquiry.

Consideration of the full 144 recommendations of the Inquiry and the Government s response to them is beyond the scope of this digest. However, in the context of this Bill, it may be relevant to consider some of the recommendations for amendment of the Privacy Act not accepted by the Government.(38) For example, the Inquiry recommended that any business that holds genetic information should be subject to the Privacy Act(39), noting that there is a loophole in the case of a small business that is not a health service provider but nevertheless holds health information such as where a business stores genetic samples or acts as a genetic data repository, but does not itself provide a health service. The Government does not support this amendment(40) the rationale being:

The Government recognises that many small businesses are a low privacy risk and has provided that they are exempt from coverage under the Privacy Act. However, where a small business provides a health service, trades in personal information, provides services under a contract with the Australian Government, or is part of a larger business covered by the Privacy Act, it is required to comply with the Act.

The Government considers that this coverage is sufficient to protect the privacy of genetic information that may be held by small businesses while at the same time ensuring that small businesses are not unfairly burdened by the costs and processes of complying with the privacy legislation.(41)

One of the purposes of this Bill is to give all genetic information the higher standards and protection afforded to health and sensitive information under the Privacy Act. Parliament may wish to consider that logically, in order to fulfil this purpose, all businesses that deal in genetic information, irrespective of size and whether they provide a health service, should be subject to the provisions of the Privacy Act.

Endnotes

  1. CCH Private Sector Privacy Handbook, 40-300.
  2. Collection is generally interpreted to mean where an organisation receives and retains information, as opposed to where an organisation receives information but has not intention to retain it in a record or make it generally available (Source: CCH Private Sector Privacy Handbook, 40-220)
  3. NPP 10.2.
  4. NPP 10.1(b), 10.2(b)(i) and 10.1(c).
  5. Sections 80A and 80B of the Privacy Act give the Privacy Commissioner the power to issue temporary public interest determinations in which she may determine that an act or practice shall be disregarded for the purposes of the Act where the act or practice might otherwise constitute a breach of the Act. The Privacy Commissioner may make a determination only if she is satisfied that the public interest in the agency or organisation doing the act outweighs to a substantial degree the public interest in adhering to the Act.
  6. CCH Private Sector Privacy Handbook, 40 340.
  7. ibid.
  8. Office of the Privacy Commissioner, Temporary Public Interest Determination No. 2006 1.
  9. As at 28 July 2006 located at:http://www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/previewlodgmentattachments/E682B7A0EF30D573CA25710E00789321/$file/2006-01%20Prescription%20Shopping%20TPID%202006-1%20and%202006-1A%20Explanatory%20Statement%20Final%5B1%5D.htm
  10. CCH Private Sector Privacy Handbook, 40 500.
  11. ibid.
  12. David Weisbrot, Rethinking privacy in the era of the new genetics , Privacy Law Bulletin, v.2, no. 8, 2006, p. 105.
  13. ibid.
  14. Australian Law Reform Commission and Australian Health Ethics Committee Report, Essentially Yours: The Protection of Human Genetic Information in Australia, Government Response to Recommendations, December 2005. As at 28 July 2006 located at:http://www.health.gov.au/internet/wcms/publishing.nsf/Content/FCFC216B5A318E90CA2570D2000A4D55/$File/human_genetics_report061205.pdf
  15. Recommendations 7 4 and 7 5.
  16. Recommendation 21 1.
  17. Recommendation 7 7. Further information about this recommendation is provided in the Concluding Comments of the Digest.
  18. Recommendations 8 4 and 21 3. Further information can be found below under the heading Reaction to the Bill.
  19. Genetic samples such as blood, tissue or saliva are not covered by privacy principles (except in New South Wales). Essentially Yours identified a number of reasons why protection of genetic samples should be covered by privacy legislation. Further information about the recommendations regarding genetic samples and the Government response can be found in David Weisbrot, op cit. See also below in the Digest under the heading Reaction to the Bill.
  20. Recommendations 8 1 and 8 2.
  21. David Weisbrot, op cit., p. 108.
  22. ALRC and NHMRC, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC report 96 , 2003, p. 253.
  23. ibid., p. 254.
  24. ibid., p. 254, Recommendations 7 4 and 7 5.
  25. First degree genetic relatives are siblings, parents or children of the individual.
  26. David Weisbrot, op. cit., p. 109.
  27. ibid.
  28. ibid., p. 110, and Recommendation 21 1.
  29. Government response, p. 23.
  30. Media Release, Eight years later a win on genetic privacy, 23 June 2006.
  31. Recommendations 8 4 and 21 3.
  32. David Weisbrot, op. cit., p. 111.
  33. Genetic samples such as blood, tissue or saliva are not covered by privacy principles (except in New South Wales). Essentially Yours identified a number of reasons why protection of genetic samples should be covered by privacy legislation. Further information about the recommendations regarding genetic samples and the Government response can be found in David Weisbrot, op cit.
  34. Recommendations 8 1 and 8 2.
  35. David Weisbrot, op. cit., p. 109.
  36. Health service is defined in the Privacy Act to mean:

    (a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

    (i) to assess, record, maintain or improve the individual s health; or

    (ii) to diagnose the individual s illness or disability; or

    (iii) to treat the individual s illness or disability or suspected illness or disability; or

    (b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

  37. Explanatory Memorandum, paragraph 19.
  38. See p. 6 of the Digest.
  39. Recommendation 7 7.
  40. Recommendation 7 7.
  41. Government response, p. 8.

Contact Officer and Copyright Details

Mary Anne Neilsen
7 August 2006
Bills Digest Service
Information and Research Services

This paper has been prepared to support the work of the Australian Parliament using information available at the time of production. The views expressed do not reflect an official position of the Information and Research Service, nor do they constitute professional legal opinion.

IRS staff are available to discuss the paper's contents with Senators and Members and their staff but not with members of the public.

ISSN 1328-8091
© Commonwealth of Australia 2006

Except to the extent of the uses permitted under the Copyright Act 1968, no part of this publication may be reproduced or transmitted in any form or by any means, including information storage and retrieval systems, without the prior written consent of the Parliamentary Library, other than by members of the Australian Parliament in the course of their official duties.

Published by the Parliamentary Library, 2006.

Back to top

Facebook LinkedIn Twitter Add | Email Print