Health agencies - collecting sensitive personal information

Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).  NPPs 1 and 9 set out the ways in which a health agency¹ can collect personal information.

NPP 1 applies to all personal information², and Obligations when collecting personal information explains its requirements. NPP 9 applies when a health agency collects sensitive information.

What is sensitive information?

Sensitive information has a specific definition. It means:

(a) personal information about the individual that includes any of the following—

(i) the individual's racial or ethnic origin;
(ii) the individual's political opinions;
(iii) the individual's membership of a political association;
(iv) the individual's religious beliefs or affiliations;
(v) the individual's philosophical beliefs;
(vi) the individual's membership of a professional or trade association;
(vii) the individual's membership of a trade union;
(viii) the individual's sexual preferences or practices;
(ix) the individual's criminal record; or

(b) information that is health information about the individual for the NPPs.

Health information is defined as:

(a) personal information about the individual that includes any of the following—

(i) the individual’s health at any time;
(ii) a disability of the individual at any time;
(iii) the individual’s expressed wishes about the future provision of health services to the individual;
(iv) a health service that has been provided, or that is to be provided, to the individual; or 

(b) personal information about the individual collected for the purpose of providing, or in providing, a health service; or

(c) personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.

When can sensitive information be collected?

Generally, a health agency can only collect sensitive information about an individual (called ‘the relevant individual’) if one of the conditions in NPP 9 apply.

Collection of sensitive information with the individual's consent

Under NPP 9(1)(a) sensitive information may be collected with the express or implied consent of the relevant individual. If sensitive health information is collected directly from the individual, their consent could generally be implied as long as they understand what information is being recorded and why.

Collection required by law

NPP 9(1)(b) allows collection of sensitive information where it is required by law. Because the collection must be required by law, not merely authorised, the collection must be mandatory and not discretionary, but it can be both impliedly and explicitly required.

Collection about an incapacitated person to prevent or lessen a serious threat

Under NPP 9(1)(c), sensitive information can be collected without consent where it is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of the relevant individual when they are:

• physically or legally incapable of giving consent to the collection; or
• physically cannot communicate consent to the collection.

This may include an emergency in which an individual is unconscious, or in significant distress or confusion, or is otherwise unable to provide consent, and urgent intervention is required.

There must be a sufficient link between the collection of the sensitive information and the prevention or lessening of the threat. This should only be used in emergency or extraordinary situations where time is of the essence, and not used to justify regular or ongoing collections of sensitive information.

Collection to establish, exercise, or defend a claim

NPP 9(1)(d) allows sensitive information to be collected if it is necessary to establish, exercise, or defend a legal or equitable claim.

For the information to be necessary, it must be more than helpful or useful; it must be essential to establishing, exercising, or defending the claim. Under NPP 9 (1)(d) the claim can be made against the health agency or by the health agency against another party, but it would not extend to circumstances where the health agency was a third party to a legal or equitable claim.

Collection from or about a third party

Under NPP 9(1)(e) a health agency can collect sensitive information that is a family medical history, social medical history, or other relevant information, about any individual if it is collected for the purpose of providing any individual with a health service, and it is collected from:

• the individual who is receiving, or will receive, the service
• the parent of the relevant individual
• a child or sibling of the relevant individual where a health professional believes they have capacity
• a spouse or de facto partner of the individual
• a relative of the relevant individual who is a member of their household
• a guardian of the relevant individual
• a person exercising a power of attorney exercisable in relation to health decisions on behalf of the relevant individual
• a person with sufficient personal interest in the health and welfare of the relevant individual
• a person the relevant individual has nominated to be contacted in the case of an emergency.

Collection of health information

NPP 9(2) and (3) only apply to sensitive information that is health information.

Collection for the purpose of providing health service

Under NPP 9(2), a health agency can collect sensitive information that is health information about an individual if the information is necessary to provide a health service to the individual and:

• the individual would reasonably expect a health agency to collect the information for that purpose; or
• the information is collected as required or authorised by or under law.

Collection for management, research or statistical purposes

NPP 9(3) allows the collection of sensitive information that is health information as long as:

1. it is for the primary purpose of research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service
2. the purpose cannot be served by collecting the information anonymously or with the identifying particulars removed
3. it is impracticable for a health agency to seek the individual's consent for the collection; and

the information is collected as required or authorised by law, with the designated approval of the chief executive of a health agency, or in accordance with guidelines approved by the chief executive of the Health Department.

Collection for the specified primary purposes

Research and statistics 'relevant to public health or public safety'

To be relevant to public health or public safety the outcome of the research or the compilation or analysis of statistics should have an impact on, or provide information about, public health or public safety.

'Public health or public safety' is not defined in the IP Act.  Examples of research and statistics that could fall into this category are research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.

The management, funding or monitoring of a health service

Whether an activity falls within the 'management, funding or monitoring of a health service' will depend on the circumstances.  Factors that might ordinarily be relevant to this question include whether the organisation provides a health service (health services are defined in schedule 5 of the IP Act) or whether the organisation has a role in funding or monitoring the quality or other aspects of a health service. Management, funding or monitoring of a health service may include some quality assurance and audit activities.

An example of collection for these purposes might be an incident monitoring body collecting information about dangerous incidents that have occurred in a hospital.

The purpose cannot be served by anonymised or de-identified Information

Before collecting health information under NPP 9(3), a health agency must consider if the research, statistical, or management aims can be achieved by collecting anonymised or de-identified information.

An example where anonymised health information might not allow the purpose to be achieved is where a project involves linking individual’s health information from two or more sources and identified information is needed to correctly link records from each data source.

As a security measure, once the health information is no longer needed in an identifiable form, consideration should be given to de-identifying it. For instance, in the above example the organisations might de-identify the information once the information from the different sources was linked.

Impracticable to seek consent

The question of whether it is impracticable to seek consent will depend on the particular circumstances of the case. Impracticability involve more than merely incurring some expense or expending some effort in seeking an individual's consent.

An example of where it may be impracticable to seek consent would be where there are no current contact details and there is insufficient information to get up to date contact details, eg in in longitudinal studies of old records.  Another example could be in blind trials where consent would compromise the integrity of research.

Collection in accordance with the designated approval of, or with guidelines approved by, a chief executive

The chief executive of the Health Department can develop guidelines for the collection of health information for one of the purposes in NPP 9(3).

The chief executive of a health agency can give approval for the collection of health information by a designated person.