Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act). NPPs 1 and 9 set out the ways in which a health agency can collect personal information.
NPP 1 applies to all personal information, and Obligations when collecting personal information explains its requirements. NPP 9 applies when a health agency collects sensitive information.
Sensitive information has a specific definition. It means:
(a) personal information about the individual that includes any of the following—
(i) the individual's racial or ethnic origin;
(ii) the individual's political opinions;
(iii) the individual's membership of a political association;
(iv) the individual's religious beliefs or affiliations;
(v) the individual's philosophical beliefs;
(vi) the individual's membership of a professional or trade association;
(vii) the individual's membership of a trade union;
(viii) the individual's sexual preferences or practices;
(ix) the individual's criminal record; or
(b) information that is health information about the individual for the NPPs.
Health information is defined as:
(a) personal information about the individual that includes any of the following—
(i) the individual’s health at any time;
(ii) a disability of the individual at any time;
(iii) the individual’s expressed wishes about the future provision of health services to the individual;
(iv) a health service that has been provided, or that is to be provided, to the individual; or
(b) personal information about the individual collected for the purpose of providing, or in providing, a health service; or
(c) personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
Generally, a health agency can only collect sensitive information about an individual (called ‘the relevant individual’) if one of the conditions in NPP 9 applies.
Under NPP 9(1)(a) sensitive information may be collected with the express or implied consent of the relevant individual. If sensitive health information is collected directly from the individual, their consent could generally be implied as long as they understand what information is being recorded and why.
NPP 9(1)(b) allows collection of sensitive information where it is required by law. Because the collection must be required by law, not merely authorised, the collection must be mandatory and not discretionary, but it can be both impliedly and explicitly required.
Under NPP 9(1)(c), sensitive information can be collected without consent where it is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of the relevant individual when they are:
This may include an emergency in which an individual is unconscious, or in significant distress or confusion, or is otherwise unable to provide consent, and urgent intervention is required.
An unconscious individual is brought to hospital by a relative or friend. A health practitioner may need to obtain details about the individual’s medical history from the accompanying person to determine the best course of action.
There must be a sufficient link between the collection of the sensitive information and the prevention or lessening of the threat. This should only be used in emergency or extraordinary situations where time is of the essence, and not used to justify regular or ongoing collections of sensitive information.
NPP 9(1)(d) allows sensitive information to be collected if it is necessary to establish, exercise, or defend a legal or equitable claim.
For the information to be necessary, it must be more than helpful or useful; it must be essential to establishing, exercising, or defending the claim. Under NPP 9(1)(d) the claim can be made against the health agency or by the health agency against another party, but it would not extend to circumstances where the health agency was a third party to a legal or equitable claim.
Under NPP 9(1)(e) a health agency can collect sensitive information that is a family medical history, social medical history, or other relevant information, about any individual if it is collected for the purpose of providing any individual with a health service, and it is collected from:
NPP 9(2) and (3) only apply to sensitive information that is health information.
Under NPP 9(2), a health agency can collect sensitive information that is health information about an individual if the information is necessary to provide a health service to the individual and:
NPP 9(3) allows the collection of sensitive information that is health information as long as:
the information is collected as required or authorised by law, with the designated approval of the chief executive of a health agency, or in accordance with guidelines approved by the chief executive of the Health Department.
If a health agency collects health information under NPP 9(3), before disclosing that information it must take reasonable steps to ensure the individual can no longer, and cannot in the future, be identified from the information.
To be relevant to public health or public safety the outcome of the research or the compilation or analysis of statistics should have an impact on, or provide information about, public health or public safety.
'Public health or public safety' is not defined in the IP Act. Examples of research and statistics that could fall into this category are research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.
Whether an activity falls within the 'management, funding or monitoring of a health service' will depend on the circumstances. Factors that might ordinarily be relevant to this question include whether the organisation provides a health service (health services are defined in schedule 5 of the IP Act) or whether the organisation has a role in funding or monitoring the quality or other aspects of a health service. Management, funding or monitoring of a health service may include some quality assurance and audit activities.
An example of collection for these purposes might be an incident monitoring body collecting information about dangerous incidents that have occurred in a hospital.
Before collecting health information under NPP 9(3), a health agency must consider if the research, statistical, or management aims can be achieved by collecting anonymised or de-identified information.
An example where anonymised health information might not allow the purpose to be achieved is where a project involves linking individuals’ health information from two or more sources and identified information is needed to correctly link records from each data source.
As a security measure, once the health information is no longer needed in an identifiable form, consideration should be given to de-identifying it. For instance, in the above example the organisations might de-identify the information once the information from the different sources was linked.
The question of whether it is impracticable to seek consent will depend on the particular circumstances of the case. Impracticability involves more than merely incurring some expense or expending some effort in seeking an individual's consent.
An example of where it may be impracticable to seek consent would be where there are no current contact details and there is insufficient information to get up-to-date contact details, e.g. in longitudinal studies of old records. Another example could be in blind trials where consent would compromise the integrity of research.
The chief executive of the Health Department can develop guidelines for the collection of health information for one of the purposes in NPP 9(3).
The chief executive of a health agency can give approval for the collection of health information by a designated person.
Current as at: August 19, 2019