Privacy, information access and data security law.

In this digital age, data security and privacy are serious concerns for everyone, whether in business or not. Overlapping State and Federal legislation can create a myriad of responsibilities for the holders of personal information and restrict the way databases can be used. In addition, people in Queensland are given rights to access certain information held by a range of government agencies and healthcare providers and even, at times, rights to correct errors in their health records.

Navigating these rafts of legislation can be a proverbial minefield, yet the consequences of a failure to strictly comply can be devastating for a business. At Travis Schultz Law we can help to find a path through the maze: we provide advice, train business teams and assist in managing governance issues where privacy law and data security are concerned.

Data breaches

The Commonwealth Privacy Act now contains a Notifiable Data Breaches Scheme which is regulated by the Office of the Australian Information Commissioner. The scheme requires compulsory notification of an “eligible data breach”, that is, a breach which is likely to result in serious harm to an individual to whom the information relates.

Not all data breaches are “eligible”. For example, a data breach that can be quickly remediated without any damage, or that is not likely to result in serious harm, does not have to be reported. If a breach is notifiable, notice must be given not only to the Office of the Australian Information Commissioner, but also to any individuals who are affected.

Where personal information is compromised by a data breach, the breach is more likely to be notifiable where the compromised information includes an individual’s health information, their financial information or personal information which might be used for identity fraud. Significant penalties apply to any business or organisation that fails to comply.

Health care professionals

Because of the sensitivity that applies to data and records held by healthcare professionals (including both medical practitioners and allied health care professionals), the obligations imposed by State and Federal legislation can be onerous.

Not only are healthcare professionals subject to the Australian Privacy Principles under the Privacy Act 1988 (Cth), but they can also be subject to the Information Privacy Act 2009 (Qld). The Information Privacy Act allows a patient to apply to amend documents held by Queensland Government agencies where they contain the patient’s personal information. Medical records held by private healthcare providers are accessible by patients under the Australian Privacy Principles. Under those principles, a person has a right to access personal information held by a private sector healthcare provider. This access may be refused only on a limited number of grounds, such as where giving access would pose a serious threat to the life, health or safety of an individual, would have an unreasonable impact on the privacy of other individuals, would be unlawful, or where there are other legal reasons why access should not be granted.

FAQs

What is “My Health Record”?

“My Health Record” is an online summary of an individual’s health information which can be accessed by hospitals and medical practitioners. Patients and their doctors are able to add notes and entries to the record, and patients are able to set access controls to restrict who can and cannot see their personal information. By the end of 2018 a My Health Record will be created for every Australian, subject to a three-month opt-out period which has been announced.

Can a doctor record conversations without telling their patients?

Under Queensland law, a person may record a conversation to which they are a party, provided that the recording is not made by means of a device attached to a telephone. Consequently, it is not illegal for a healthcare professional to record what is said during a consultation, though good practice would normally require that consent be obtained before recording any conversation that takes place in a clinical setting.

How long do medical records need to be kept?

The law on this issue differs from State to State but, typically, medical practitioners are required to keep a patient’s records until the later of seven years after the last treatment or consultation or, for patients treated as children, seven years after the patient’s 18th birthday.

Who owns medical records, the doctor or patient?

In private clinical practices, medical records will generally belong to the entity that owns the medical practice rather than to the individual doctor. The records are not the property of the patient. Although a patient generally has a right to access their records, that right does not change the rules relating to ownership.

Is anything I tell my doctor strictly confidential?

Under Queensland law, anything revealed to a treating practitioner during a consultation is to remain confidential unless there is a statutory obligation on the doctor to report the information or where there is a serious threat to the life, health or safety of the patient or someone else.

Certain health conditions (such as some sexually transmitted diseases) must be reported, as must a reasonably held belief that a child or another person is at risk of harm.

My doctor is refusing to give me a copy of my records. Am I entitled to them?

Under the Australian Privacy Principles, an individual has a right to access personal information held by a healthcare provider unless one of the exceptions applies. Access can be refused on grounds that include a concern that giving access would pose a serious threat to the life, health or safety of an individual or to public health or safety, that access would have an unreasonable impact on the privacy of others, that the information relates to existing or anticipated legal proceedings, or that unlawful activity or serious misconduct is suspected.

I’ve noticed in my medical records that my personal information is incorrect. What can I do?

Under Australian Privacy Principle 13, if an entity to which the legislation applies holds personal information about an individual, the entity must take reasonable steps to correct or amend the information if it is inaccurate, out of date, incomplete, irrelevant or misleading.

Where public sector organisations are concerned, legislation can prohibit the amendment of the original record itself. In those circumstances, attaching an addendum or notation that is viewed alongside the record might be the appropriate mechanism for dealing with the inaccuracy.

I’ve inadvertently sent a document which contains personal information of a client to the wrong person. What do I need to do?

Where a data breach occurs, it may be necessary for the person or entity responsible for the breach to comply with the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth). The scheme applies to Australian Government agencies and to any business or not-for-profit organisation that has an annual turnover of more than $3 million.

Any private sector health service provider will be bound by the scheme irrespective of its turnover. Similarly, any business that trades in personal information or is a credit reporting body must also comply. Where a breach is suspected, it must be assessed within 30 days to determine whether or not it is “notifiable”. A breach is notifiable if there has been unauthorised access to, unauthorised disclosure of, or loss of personal information and the breach is likely to result in serious harm to one or more individuals. Sending a document containing a client’s personal information to the wrong recipient is a form of unauthorised disclosure and should be assessed on that basis.

If that is the case and the business is unable to prevent the likely risk of harm with remedial action, then the breach must be notified to the Office of the Australian Information Commissioner and to the affected individuals.

Can my treating doctor send information or reports about me to my other healthcare providers without my knowledge?

Medical records relating to a patient should not ordinarily be disclosed to a third party without the patient’s express (and recent) consent, unless in the circumstances it would reasonably be anticipated that the patient would expect the disclosure to take place. For example, a medical specialist would ordinarily anticipate that their patient would expect a report following a consultation to be sent back to the General Practitioner who referred them.

Where, however, the relationship is further removed, such as an allied health professional sending a report to another allied health professional or specialist whose involvement is only peripherally associated with the relevant treatment regime, the disclosure may not be “reasonably anticipated”. In those circumstances, prudent practice requires that the allied health professional obtain the patient’s consent before sending any record or report to another practitioner who is not an immediate part of the treating team.