1. The scope of 'Personal Information' is under review
The Review is considering the definition of personal information contained in the Privacy Act and whether, having regard to the proliferation of digital media and significant technological change over the last 30 years, the Privacy Act remains fit for purpose. Any change to the definition of personal information will necessarily change the definition of health information and sensitive information (which, by definition, is first and foremost ‘personal information’).
The Review will consider:
- whether the definition of personal information should be aligned with the definition contained in the European Union General Data Protection Regulation (GDPR) to appropriately capture technical data and online identifiers (such as pixel tags, cookies, device fingerprints and IP addresses);
- whether the definition of personal information should be amended to extend to inferred information (being information collected from a number of data sources to identify an individual);
- whether the definition of personal information should be amended to extend protections to deceased individuals; and
- whether the treatment of de-identified information should be afforded additional protections under the Privacy Act.
Importantly, in relation to de-identified information, the Review will consider whether there should be additional protections under the Privacy Act for de-identified, anonymised and pseudonymised information, and if so, what these protections should be. This is because under the current legislation it will not always be clear whether de-identified information falls within the ambit of the Privacy Act – particularly as data analytics methods make it ever easier to re-identify such information.
To this point, the Issues Paper acknowledges that, in other jurisdictions, there is a requirement that personal information be anonymised through a process which irreversibly treats data so that no individual can be identified, including by the holders of the data. The Issues Paper nevertheless acknowledges that any technical requirement to irreversibly anonymise personal information will place a greater burden on APP entities than the current process of de-identifying personal information.
For healthcare organisations, including those conducting medical research using de-identified information, these changes would have significant implications.
2. Are protections needed for Employee Records?
Under the current Privacy Act, employee records are exempted from the ambit of the Privacy Act, in order to reduce the regulatory burden on organisations and enable them to efficiently manage their human resources functions.
The Issues Paper notes that the current employee records exemption is wide ranging, and accordingly may cover employer-held records that contain a wide array of personal and sensitive information.
The Review will consider the adequacy of this exemption, having regard to:
- the importance of ensuring that employee information is adequately protected;
- whether the removal of the employee records exemption will adversely affect appropriate management of human resources departments;
- whether the employee records exemption should remain but sensitive information be excised from the scope of the exemption;
- the additional regulatory burden that removing the exemption might place on employers;
- whether it would be appropriate for some, but perhaps not all, of the APPs to apply to employee records; and
- whether this exemption should be removed to enable Australia to achieve an adequacy decision under the GDPR (discussed further below).
3. Permitted Health Situations could be expanded, or restricted
The Review will consider the situations in which personal and sensitive information can be used under the Privacy Act without the consent of the individual to whom the information relates. This includes the question posed in the Issues Paper of whether 'the current general permitted situations and general health situations [are] appropriate and fit-for-purpose', and whether any additional situations should be included.
The Review will be an opportunity for healthcare providers to comment on when the permitted health situations have been used, whether, in the views of industry, the situations are appropriate, and whether there are circumstances where it would be advantageous and appropriate for healthcare providers to be able to rely on situations that are not, but should be, included within the permitted health situations.
4. Transfers of information between the EU and Australia could become simpler
Currently, Australia does not have an 'adequacy decision' with the European Union under the GDPR. This means that the personal information protections in the Privacy Act have not been declared 'adequate' for the purposes of the GDPR, and accordingly if personal information is to be transferred to Australia, it must be subject to strict arrangements contained in the GDPR.
A theme that runs through the Issues Paper is whether certain steps should be taken to enable Australia to be granted an adequacy decision by the EU for the purposes of the GDPR. This would allow information to flow more freely between Australia and the EU, making it simpler for healthcare providers in Australia to access personal data flowing between it and jurisdictions regulated by the GDPR. This would also likely extend to the United Kingdom, once the transition agreement ends.
The Review will consider:
- whether it is desirable or appropriate for Australia to seek an adequacy decision under the GDPR; and
- what steps need to be taken in order to achieve an adequacy decision (and, to this end, removing the employee records exemption and the small business exemption is identified as a potential key change that would enable Australia to achieve an adequacy decision).
5. New legal claims for breaches of privacy are being considered
The Review is considering whether the current enforcement provisions in the Privacy Act, and the Office of the Australian Information Commissioner (OAIC) are fit-for-purpose.
As part of this consideration, the Review will consider whether the privacy regime should include:
- a direct right of action for individuals under the Privacy Act; or
- a statutory tort of privacy.
Both of these measures were recommended in the DPI Report. The Commonwealth Government has agreed in principle to a direct right of action, and is continuing to consider a statutory tort of privacy.
Importantly, both of these actions would enable an individual to bring a claim for a breach of their privacy. It appears from the Issues Paper that the statutory tort of privacy would likely be limited to serious breaches of privacy, intentional interference or gross negligence. The direct right of action, however, may afford individuals the right to pursue an organisation directly for breaches of their privacy, rather than having to complain to the OAIC in relation to the breach.
Although the statutory tort of privacy may have limited application to healthcare providers, the direct right of action would, according to the Issues Paper, give individuals greater control over their personal information and 'provide an additional incentive for APP entities to comply with their obligations under the Act'.
Due to the large quantities of personal and sensitive information that healthcare providers collect, use and disclose, any additional enforcement provisions, and associated penalties, may have significant ramifications for healthcare providers.
Whilst their invocation would likely be limited to serious breaches of privacy, healthcare providers may be more exposed than most organisations to significant sanctions, given the large quantities of sensitive information that they handle, and which is subject to more stringent obligations under the Privacy Act.
6. Review of how privacy legislation interacts with State legislation
As part of the Review, the Attorney-General's Department will consider how the Privacy Act interacts with other legislation which governs the handling of personal information. This includes Commonwealth legislation (such as the Freedom of Information Act 1982 (Cth)), but also state-based legislation that governs the use of health records (such as the Health Records Act 2001 (Vic)) and state-based human rights legislation which contains a right to privacy.
Although the Review is a Commonwealth initiative, and accordingly cannot amend state-based legislation, it is possible that one outcome of the review will be an attempt to harmonise Commonwealth, State and Territory privacy legislation, to avoid circumstances such as where some healthcare operators in some jurisdictions need to comply with State or Territory based health records legislation as well as the Commonwealth Privacy Act.
7. The Attorney-General's Department wants to hear from you
Legislative reform – particularly when it comes to privacy – is a lengthy and often complicated process. The Review is in its early stages; however, the Attorney-General's Department is seeking submissions from interested parties on or before 29 November 2020 in relation to the 68 questions posed in the Issues Paper. In 2021, a discussion paper will be released, seeking specific feedback on preliminary outcomes and possible options for reform.
As we have discussed above, many of the questions that the Review is considering are of particular relevance to the healthcare industry. This means that healthcare providers are uniquely positioned to provide the Attorney-General's Department with valuable insights into the Review.
The most effective law reform is carried out through in-depth consultation with industry to ensure that proposed reforms are fit-for-purpose and effective. We encourage you to provide the Attorney-General's Department with a submission in relation to any of the matters discussed in the Issues Paper that may be of interest to your organisation. Please contact us if you'd like any more information or any assistance in preparing a submission.