Health agencies1 are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act).
NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies.
Health information is defined in schedule 5 of the IP Act as:
(a) personal information about the individual that includes any of the following—
(i) the individual’s health at any time;
(ii) a disability of the individual at any time;
(iii) the individual’s expressed wishes about the future provision of health services to the individual;
(iv) (iv) a health service that has been provided, or that is to be provided, to the individual; or
(b) personal information about the individual collected for the purpose of providing, or in providing, a health service; or
(c) personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
In Queensland, health information is highly regulated, primarily by part 7 of the Hospital and Health Boards Act 2011 (HHB Act).
The HHB Act imposes strict obligations of confidentiality on designated persons2, which include employees, officers, and contractors of health agencies, when dealing with confidential information. Confidential information is any information acquired in the person's capacity as a designated person that could allow a person who is receiving, or has received, a public sector health service to be identified.
This obligation is subject to specific exceptions.3
The privacy principles operate subject to other Acts that deal with the disclosure of information.4 This includes the HHB Act, which applies to patient information. Health agencies cannot rely on National Privacy Principle 2 to disclose information where it is prohibited by the HHB Act, or by another piece of legislation.
Health information provided to the Pap Smear Registry is subject to specific statutory requirements relating to use and disclosure.
However, as long as the information remains within the control of the health agency the rules relating to the use of personal information will still apply. The health agency can rely on NPP 2, and must comply with NPP 2, when dealing with personal information.
For more information refer to the OIC's guidelines on use and disclosure of personal information. Generally, however, where the HHB Act does not apply and there are no other statutory requirements relating to use or disclosure, the health agency will only need to consider NPP 2. For example, while it does contain health information, only NPP 2 will apply to a medical certificate written by a health agency employee's GP and provided as part of their sick leave application.
Parents5 do not have an automatic right to their child’s personal health information. This is recognised by the HHB Act, which provides a framework for health agency officers dealing with children's health information. In the unlikely situation that the HHB Act does not apply, this framework can be followed for applying NPP 2.
One of the key considerations is deciding whether the child has capacity to consent—the HHB Act states they must be of sufficient age and mental and emotional maturity to understand the nature of consenting to the disclosure.
Determining competence can be complex. Health agency officers will need to carefully assess the young person’s maturity and their understanding of the relevant issues. There will be younger persons, in certain circumstances, who have sufficient maturity and understanding to make their own decisions. There may also be older teenagers who lack that ability.
Where a child or young person is not competent to make their own privacy decisions, the HHB Act allows disclosure in two circumstances:
In both cases, the health agency officer and the health professional have the discretion not to disclose. Generally, where a child cannot consent, the health agency officer can discuss their health matters with their parent, as obviously the parent would consent. However, there may be circumstances where this may not be in the best interests of the child. The officer may want to take into account the same considerations as a healthcare professional before exercising their discretion to disclose.
When considering the best interests of the child, the reason for the proposed disclosure of the child’s information will be relevant—for example, the child's continued treatment where the family is moving interstate or overseas compared with use in family court proceedings.
It will also be important to consider the relationship between the parent and the child. For example, if a parent is abusive towards a child or other family members, or has no relationship with the child, there may be reasonable grounds to believe disclosing the child’s health information would be contrary to the child’s interests.
Where information is disclosed, it should be limited to that which is necessary. Other information about the child that is not relevant should not be divulged.
In both cases, even if the young person is not competent, their views should still be considered, as should, the risks and benefits of disclosure in the circumstances.
Under the HHB Act, if the child is capable of consenting to the disclosure of their health information, health agency officers are empowered to disclose it as they direct. They are not required to do so, but outside of extraordinary circumstances, should generally follow the child's wishes.
If the parent (or any third party) wants to seek access to additional information about the child, they can apply under the RTI Act.
Current as at: September 20, 2019