Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPPs 5, 6 and 7 are concerned with the transparency of the actions of health agencies when dealing with personal information and with ensuring that the individuals the information is about are able to exercise some measure of control over it. They require a health agency to make people aware of what kind of personal information it holds and why, to tell people how they can get access to it and how they can seek to have it amended if they believe it is not accurate.
NPP 5 - Openness
Under NPP 5 a health agency must produce, and make available to anyone who asks for it, a document that clearly sets out its policies on managing personal information.
The principle also requires that a health agency, on request, take reasonable steps to give an individual general advice about:
- the sort of personal information it holds
- the purposes for holding the information
- how it collects, holds, uses and discloses the information.
While access to records containing personal information - or, in rare circumstances, acknowledgement of the fact that a class of record is held at all - may be withheld if that is required or authorised by law, under NPP 5 a health agency should have a general policy of openness about the types of personal information that it holds and what it uses them for.
A health agency could comply with this principle by:
- making publicly available a privacy plan describing the nature of the personal information it holds
- ensuring that health service clients are provided with a generic health information brochure describing a health agency’s usual information handling practices
- making people available to answer questions about information management practices if needed
- maintaining a privacy information page on a health agency internet site.
Additional information that a health agency could make available includes:
- the kinds of personal information it holds
- the main purposes for which a health agency holds the information
- whether it contracts out services that involve disclosing personal information
- how an individual can complain about a breach of privacy including a contact number in the organisation
- a health agency's contact details
- how a health agency handles requests for access to personal information.
- any disability the individual may have
- the individual's level of understanding
- the individual's language or literacy skills
- how much information the individual wants, for example, the request may only be about the type of personal information a health agency holds
- providing information in a way that avoids jargon or in-house terms which would likely not be known by the individual.
The Right to Information Act 2009 (Qld) (RTI Act) creates an obligation on agencies (and others) to publish a publication scheme which sets out the classes of information that a health agency has available and the terms on which it will make that information available, including any charges for acquiring copies.
The classes of information to be included are:
- information about a health agency itself, including what they do, where they are located, contact details and details of the more senior officers
- information about the services that a health agency offers, under both legislation and administrative schemes, and it should include advice and guidance it offers in the form of pamphlets, booklets, instructions, leaflets and media releases
- information about a health agency’s finances, including information about its actual and projected income, its tendering and contract processes, procurements and details of significant contracts
- information about a health agency’s priorities, including strategy and performance information, plans, assessments, inspections and reviews
- information about the decisions a health agency makes, including policy proposals and decisions, decision making processes, criteria that are applied to those processes, internal procedures and consultations
- information about and copies of a health agency’s policies, which include all written protocols for delivering its functions and responsibilities
- details of the registers and lists a health agency maintains, including public registers, which are maintained under both legislation and policy, which relate to the functions of a health agency.
Information about a health agency’s personal information holdings can be (and will be by default, for example, where public registers contain names) included in the publication schemes. However, this will not provide a complete picture, and will not meet all the requirements of NPP 5.
Access under NPP 6
NPP 6 provides that, where a health agency has control of a document containing personal information, it must give the subject of the information access to the document if they ask. Chapter three provides a formal mechanism under which individuals can apply to access their personal information; however, agencies may choose to allow access to personal information through NPP 6.
Access under these privacy principles is completely separate from access under chapter three of the IP Act, and refusal under chapter three would not be a breach of NPP 6.
Additionally, there is a discretion in NPP 6 to refuse to give access if the agency is authorised or required to refuse to give access, or the document is excluded from the operation of an access law.
Amendment under NPP 7
Reasonable steps to ensure accuracy
NPP 7 requires an agency to take all reasonable steps to ensure accuracy, including permitting an individual to amend their personal information. This means that an agency must have other steps in place to ensure the accuracy of the personal information it holds before it is used.
Chapter 3 of the IP Act provides a formal mechanism under which individuals can apply to amend their personal information; however, agencies may choose to allow amendment of personal information under NPP 7.
Amendment under this privacy principle is completely separate from amendment under chapter 3 of the IP Act, and refusal under chapter 3 would not be a breach of NPP 7.
Current as at: July 19, 2013