By Madeleine Brady, Workplace Compliance Advisor at ClinLegal. Madeleine holds a Bachelor of Laws (Hons), a Bachelor of Arts and a Graduate Diploma in Legal Practice.
Commencing 12 March 2014, significant changes were made to the Privacy Act 1988 (Cth). These changes were the product of privacy law reform that began in 2004. In light of these changes, it is advisable that health service providers review their workplace’s privacy policies to ensure that they are not at risk of being penalised for breaching the Australian Privacy Principles.
Background to privacy laws in Australia
Although there is no separate privacy statute for the private sector, the Privacy Act 1988 (Cth) applies to Australian Government agencies and to private sector organisations in all States and Territories of Australia. Many small businesses are exempt from the Act, but a private sector business that provides a health service and holds health information is covered regardless of its size.
The most significant change to the Act as a result of the privacy law reform has been the inclusion of the Australian Privacy Principles (APPs). The APPs represent the minimum privacy standards for handling personal information and, as a subset, health information in any form (including paper, electronic, visual such as x-rays, and audio records). As all health service providers handle such information, they are required to comply with the 13 APPs.
How a practice can comply with Principle 1.3 of the APPs – ensuring that an effective Privacy Policy is in place
Before the APPs were inserted into the Act, the National Privacy Principles required a provider to make a patient aware of certain matters when collecting their information, and to set out its information-handling policies in a document available on request; they did not prescribe in any detail what that document had to contain.
However, under the new APPs, a provider is required to have a clearly expressed and up-to-date Privacy Policy that outlines how the provider manages personal information.
What must be included in a Privacy Policy?
The APPs set out the minimum content of a provider’s Privacy Policy. It must state: the kinds of personal information the provider collects and holds; how the provider collects and holds that information; the purposes for which the provider collects, holds, uses and discloses it; how an individual may access their personal information and seek its correction; how an individual may complain about a breach of the APPs and how the provider will deal with the complaint; and whether the provider is likely to disclose personal information to overseas recipients and, if so, the countries in which those recipients are likely to be located. A provider may include more than this minimum.
Separately from the content of the Privacy Policy, the APPs also require a provider to take reasonable steps to notify a patient of certain other matters at or before the time their information is collected (for example, the provider’s identity and contact details). The APPs do not require these notification matters to appear in the Privacy Policy, but including them there is convenient and reduces the risk of staff failing to meet the notification requirements. [Please note that ClinLegal’s template Privacy Policy incorporates these matters.]
How must the Privacy Policy be made available?
To meet the new requirements under the APPs, a provider must take reasonable steps to make its Privacy Policy available free of charge and ‘in such form as is appropriate’. Providers commonly do this by displaying the policy as a notice in a location visible to patients, such as the waiting room, and by publishing it on their website.
Furthermore, if a person requests a copy of the Privacy Policy in a particular form (for example, a printed copy), the provider must take reasonable steps to give it to them in that form.
For further information or advice, contact us at [email protected] or visit www.clinlegal.com.au, where you can refer to ClinLegal’s sample Privacy Policy.