Protecting privacy, information and data - Travis Schultz & Partners

Privacy, information access and data security law.

In this digital age, data security and privacy is a serious concern for everyone, whether in business or not. Overlapping State and Federal legislation can create a myriad of responsibilities for the holders of personal information and restrict the way databases can be used. In addition, people in Queensland are given rights to access certain information held by a range of agencies and patients of healthcare providers and even, at times, rights to correct errors in their health record.

Navigating these rafts of legislation can be a proverbial minefield, yet the consequences of a failure to strictly comply can be devastating for business. At Travis Schultz & Partners we can help to find a path through the maze and provide advice, training of business teams and assist in managing governance issues where privacy law and data security is concerned.

Data breaches

The Commonwealth Privacy Act now contains a Notifiable Data Breaches Scheme which is regulated by the Australian Information Commissioner. The scheme requires compulsory notification of an “eligible data breach” – where the breach is likely to result in serious harm to an individual to whom the information relates.

Not all data breaches are “eligible”. For example, a data breach that can be quickly remediated without any damage or is not likely to result in serious harm, does not have to be reported. If a breach is notifiable, notice must be given not only to the Office of the Australian Information Commissioner, but also to any individuals who are affected.

Where personal information is compromised by a data breach, the risk of harm will be more likely to result in it being notifiable where it contains information about an individual’s health, their financial information or personal information which might be used for identity fraud. Significant penalties apply to any business or organisation that fails to comply.

Health care professionals

Because of the sensitivity that applies to data and records held by healthcare professionals (including both medical practitioners and allied health care professionals), the obligations imposed by State and Federal legislation can be onerous.

Not only are healthcare professionals subject to the Australian Privacy Principles under the Privacy Act 1988, but they can also be subject to the Information Privacy Act 2009 [Qld]. The Information Privacy Act allows a patient to amend documents of Queensland Government agencies where they contain personal information. Medical records held by private healthcare providers are accessible by patients under the Australian Privacy Principles. Under those guidelines, a person has a right to access personal information held by a private sector healthcare provider. This access to information may be refused only on a limited number of grounds, such as where it would pose a serious threat to the life, health or safety of an individual, have an unreasonable impact on the privacy of other individuals, access would be unlawful or there are legal reasons why access should not be granted.

FAQs

Is anything I tell my doctor strictly confidential?

My Doctor is refusing to give me a copy of my records, am I entitled to them?

Under the Australian Privacy Principles, an individual has a right to access personal information held by a healthcare provider unless one of the exceptions applies. Access can be refused on grounds that include a concern about a serious threat to the life, health or safety of an individual or member of the public, if access would have an unreasonable impact on the privacy of others, if the information relates to current or anticipated legal proceedings or unlawful activity or misconduct is suspected.

I’ve noticed in my medical records that my personal information is incorrect. What can I do?

Under Australian Privacy Principle 13, if an entity to which the legislation applies holds personal information about an individual, the entity must take steps to correct or amend the information if the information is inaccurate, out of date, incomplete, irrelevant or misleading.

Where public sector organisations are concerned, legislation can prohibit the amendment of records and in those circumstances an addendum or notation to be viewed alongside the records might be the appropriate mechanism to deal with the inaccuracy.

Can my treating doctor send information or reports about me to my other healthcare providers without my knowledge?

Medical records relating to a patient should not ordinarily be disclosed to a third party without the patient’s express (and recent) consent, unless in the circumstances it would reasonably be anticipated that a patient would expect the disclosure to take place. For example, a medical specialist would ordinarily anticipate that their patient would expect a report following a consultation to be sent back to the General Practitioner who referred them.

Where however, the relationship is further removed, such as an allied health professional sending a report to another allied health professional or specialist (where their involvement is only peripherally associated with the relevant treatment regime), the disclosure may not be “reasonably anticipated”. In those circumstances, prudent practice requires that the allied health professional obtain patient consent before sending any record or report to another practitioner who is not an immediate part of the treating team.

I’ve inadvertently sent a document which contains personal information of a client to the wrong person. What do I need to do?

Where a data breach occurs, it may be necessary for the person or entity breaching the data to comply with the Notifiable Data Breach Scheme under the Privacy Act 1988 (CTH). The scheme applies to Australian Government agencies and any business or not for profit organisation that has an annual turnover of more than $3 million.

Any private sector health service provider will be bound by the scheme irrespective of their turnover. Similarly, any business that trades in personal information or is a credit reporting body must also comply. A data breach must be assessed within 30 days as to whether or not it is “notifiable”. A breach is notifiable if there is unauthorised access or loss of personal information and the breach is likely to result in serious harm to one or more individuals.

If that is the case and the business is unable to prevent the likely risk of harm with remedial action, then it must be notified.

More information about Travis Schultz & Partners

Travis Schultz & Partners have specialist No Win / No Fee lawyers who will help you understand your rights and pursue a claim on your behalf.

The below links contain further information about us.

Our lower fee promise

Meet the team

Causes we support

Lawyers Travis Schultz and Michael Callow are accredited specialists in personal injury law, each with more than 25 years’ experience. Together with the Travis Schultz & Partners team, they service clients across Queensland with offices on the Sunshine Coast, Brisbane and the Gold Coast. Contact us today for a free case review.

Find us

We service clients Queensland wide, with offices on the Sunshine Coast (head office), in Brisbane, the Gold Coast and Cairns, we're here to help. Our team of lawyers offer no-obligation free initial advice over the phone, by video call and with in-person appointments. One of our lawyers will speak with you and hear about your personal situation. From here, they will establish whether you can make a claim. Your lawyer will also explain your rights, any time limits and the claim process. It does not cost a cent to understand your rights. If you choose to make a claim, we offer a genuine no win / no fee service. You will have no costs or outlays along the way and a lower fee at the end of your claim. Get in touch today.