
More prescriptive requirements have been introduced, following the changes to the Privacy Act 1988 (Cth) on 12 March 2014, which require medical practices to have a clearly expressed and up to date privacy policy.


On 12 March 2014, amendments to the Privacy Act 1988 (Cth) came into effect. The amendments introduced 13 Australian Privacy Principles (APPs) to replace the National Privacy Principles (NPPs). As part of the changes, under the new APP 1:[1]

  • a medical practice must have an up-to-date privacy policy clearly specifying: what personal information will be collected, how it will be collected and stored, how it will be used, how an individual may access information held about them, a process for individuals wishing to complain about privacy breaches, whether the practice is likely to disclose personal information to overseas recipients and, if so, the countries in which these recipients are likely to be located.
  • a medical practice must take reasonable steps to make its privacy policy publicly available, with copies provided free of charge and, if required, in the format requested by an individual, e.g. print and email. This may also include making copies available in other languages.


Developing a practice privacy policy[2]

Guidelines produced by the Office of the Australian Information Commissioner (OAIC) state that a privacy policy must cover:

  • the kinds of personal information collected and held by the practice
  • how personal information is collected and held by the practice
  • the purposes for which personal information is collected, held, used and disclosed by the practice
  • how and for what purpose an individual may access their personal information and seek its correction
  • where access by the individual is withheld, why, and how the individual is notified
  • the consent process for the collection of information and situations where consent is not required
  • the complaints process for individuals who wish to complain about a breach of privacy or confidentiality
  • whether the practice is likely to disclose personal information to overseas recipients and to what countries, if it is practicable to specify those countries in the policy.

Although not required under privacy law, it is recommended that the practice’s privacy policy also covers:

  • staff training and supervision
  • the rights of particular groups of patients, e.g. children aged 15 years and over, or patients who may lack capacity
  • who, other than the patient, can access personal information, and the conditions for access
  • when the policy will be reviewed and how changes will be publicised
  • the process for dealing with unauthorised access to individuals’ health information
  • how long the information is to be held and how it will be destroyed
  • circumstances where it is reasonable for the patient to request to be anonymous or use a pseudonym.

Presenting the information

It is important to cover these factors clearly and concisely to explain the practice’s obligations, and to set out the rights and corresponding responsibilities of patients. Remember, the policy is for your patients and their carers to read, rather than for staff – so it needs to be written with this in mind.

Drafting the policy

A policy generally starts with a statement of purpose. For a privacy policy, this would be a statement that confirms a commitment to protecting the privacy of patients in compliance with the legal and professional obligations of practitioners and their staff. Subheadings are helpful to the reader. Using the APPs as subheadings can outline the obligations of the practice to protect privacy and ensure all relevant factors are addressed. However, care should be taken with this approach, as aspects of the principles overlap and some of the APPs may not be applicable, so it may be preferable to use your own headings.

The policy could include a statement that any child aged 15 years or over is regarded as having the capacity to consent to the collection of their information and to restrict who will have access to it, although this may be assessed on a case-by-case basis by the treating doctor. This kind of statement recognises the rights of a specific group of patients and also sets out how this will be managed. Likewise, the policy may include statements covering the use of family members as interpreters, the situations where this may not be suitable, and the actions that might be taken to manage such a situation, e.g. the use of formal translating services.

Including these factors in a privacy policy is an individual decision. It is recommended that the policy includes a review timeframe and that this occurs every 12 months. We have provided a sample privacy policy as a guide.


The following key concepts which relate to privacy and to a privacy policy require additional explanation.

Complaints

A key aspect of a privacy policy should be a description of a practice’s complaints handling process. This does not require a separate process from how the practice normally deals with a complaint. Having a consistent approach in handling complaints across the practice reduces the likelihood of confusion for staff. Importantly, it must include timeframes so that patients’ expectations can be managed and complaint handling is made a priority. The OAIC recommends that a response is given within 30 days of the receipt of the complaint. For any assistance with handling a significant complaint, and prior to writing any response, you should contact MDA National’s Medico-legal Advisory Service on 1800 011 255.

In larger practices, it may be advantageous to appoint a Privacy Officer whose role and responsibility includes:[3]

  • receiving all requests for access to information
  • facilitating access
  • investigating complaints about privacy breaches
  • monitoring staff training and compliance
  • conducting privacy/confidentiality audits to identify potential risk concerns, e.g. unauthorised access to information.

Information security

It is not uncommon for practices to overlook the security of their information handling and computer systems. Even though this may be unrelated to a privacy policy, due to the sensitive nature of the information held, practices have a high obligation to ensure systems are secure. Under APP 11, the expectation is that reasonable action will be taken to ensure information is protected.[4] Features of information security may include:

  • security software, i.e. antivirus, anti-spam and firewall programs
  • frequency of upgrades
  • individual passwords and levels of access
  • staff training and compliance
  • access to information in the event of power or system failure
  • frequency of system backups
  • physical security, i.e. the location of computer terminals, access and storage of patient files.

If the practice has not assessed its computer systems or information handling systems and, in particular, if considering an upgrade or review of computer systems, then it is strongly recommended that a privacy audit is completed.

Sending information overseas

Sending information to a location outside of Australia is known as cross-border data transfer (see APP 8). If you use or are considering the use of overseas transcription services, or if you are sending patient information to third parties outside Australia, it is imperative that you understand what the privacy law changes mean for your practice. The OAIC guidelines, Cross-border Disclosure of Personal Information, can be accessed from the OAIC website.

Overseeing compliance

The OAIC is responsible for overseeing APP compliance. Under the amended legislation, the Information Commissioner has been given significantly greater powers to encourage and enforce compliance. These powers include investigation and audit, making determinations and commencing legal proceedings. Serious and repeated interference with the privacy of an individual may result in a fine of up to $1.7 million for an organisation or up to $340,000 for an individual.



More information on the privacy law reforms, including a wide range of useful resources, is available on the OAIC website:

Privacy law reform: oaic.gov.au/privacy/privacy-act/privacy-law-reform

Privacy resources: oaic.gov.au/privacy/privacy-resources/all/


References

  1. Office of the Australian Information Commissioner. Privacy Law Reform. Available at: oaic.gov.au/privacy/privacy-act/privacy-law-reform.
  2. Office of the Australian Information Commissioner. Australian Privacy Principles: Privacy Fact Sheet 17. Canberra: OAIC, 2013. Also available at: oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles.
  3. Office of the Australian Information Commissioner. Ten Steps to Protect Other People’s Personal Information: Fact Sheet 7. Canberra: OAIC, 2012.
  4. Office of the Australian Information Commissioner. Guide to Information Security: ‘Reasonable Steps’ to Protect Personal Information. Canberra: OAIC, April 2013.