Please note that National Privacy Principles (NPP) 1 sets out general collection obligations for health agencies when collecting personal information. NPP 9 deals specifically with the collection of sensitive information.
Sensitive information is:
- health information; or
- personal information about an individual relating to the individual's:
  - racial or ethnic origin
  - political opinions
  - membership of a political association
  - religious beliefs or affiliations
  - philosophical beliefs
  - membership of a professional or trade association
  - membership of a trade union
  - sexual preferences or practices
  - criminal record.
Health information is:
- personal information about an individual that includes any of the following:
  - the individual's health at any time
  - a disability of the individual at any time
  - the individual's expressed wishes about the future provision of health services
  - a health service that has been provided, or that is to be provided, to the individual
- personal information about the individual collected in order to provide, or in providing, a health service
- personal information about the individual collected in connection with the donation, or intended donation, of any of the individual's body parts, organs or body substances.
Collection of sensitive information
In addition to the obligations under NPP 1, NPP 9(1) requires that a health agency must not collect sensitive information about an individual unless:
- the individual has consented
- the collection is required by law
- the collection is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, and the individual:
  - is physically or legally incapable of giving consent; and
  - physically can not communicate
- the collection is necessary for the establishment, exercise or defence of a legal or equitable claim
- the information is a family medical history, social medical history or other relevant information about any individual, that is collected for the purpose of providing any person, whether or not the relevant individual, with a health service, and is collected by a health agency from:
  - the person who is to receive or is receiving the service
  - a parent of the relevant individual
  - a child or sibling of the relevant individual if the child or sibling has capacity
  - a spouse or de facto partner of the relevant individual
  - a relative of the relevant individual if a member of the relevant individual's household
  - a guardian of the relevant individual
  - a person exercising a power under an enduring power of attorney made by the relevant individual that is exercisable in relation to decisions about the relevant individual's health
  - a person who has sufficient personal interest in the health and welfare of the relevant individual
  - a person nominated by the relevant individual to be contacted in case of emergency.
Collection of health information for the purpose of providing health service
Despite NPP 9(1), a health agency may collect health information about an individual if the information is necessary to provide a health service to the individual and:
- the individual would reasonably expect the health agency to collect the information for that purpose; and
- the information is collected as authorised or required by law.
Collection for management, research or statistical purposes
Regardless, a health agency may collect health information about an individual if:
- the collection is necessary for any of the following purposes:
  - research relevant to public health or public safety
  - the compilation or analysis of statistics relevant to public health or public safety
  - the management, funding or monitoring of a health service
- the purpose can not be served by the collection of de-identified information
- it is impracticable for the health agency to seek the individual’s consent to the collection
- the information is collected:
  - as authorised or required by law
  - by a designated person with the approval of the relevant chief executive of the health agency
  - in accordance with guidelines approved by the relevant chief executive of the health agency.
However, if a health agency collects health information about an individual under this exception, it must, before it discloses the personal information, take reasonable steps to de-identify the personal information.