Public Interest Determination No. 12
Collection of Family, Social and Medical Histories
Privacy Act 1988 (Cth), Part VI
Relevant National Privacy Principle: National Privacy Principle 10.1
Effective: 11 December 2011 to 10 December 2016
Under s72(2) of the Privacy Act 1988 (Cth) (Privacy Act) I, Timothy Pilgrim, Australian Privacy Commissioner, determine that I am satisfied that:
(1) Dr Steve Hambleton (the applicant) is an organisation for the purposes of s6C of the Privacy Act. The applicant has applied under s73 of the Privacy Act for a Public Interest Determination in relation to the acts and practices set out in (2) below.
(2) The applicant collects health information from an individual (a ‘health consumer’), or from a person responsible* for the health consumer, about another individual (a ‘third party’) in circumstances where:
a) the collection of the third party’s information into the health consumer’s family, social or medical history is necessary for the applicant to provide a health service directly to the health consumer, and
b) the third party’s information is relevant to the health consumer’s family, social or medical history, and
c) the applicant collects the third party’s information without obtaining the consent of the third party, and
d) the third party’s information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.
(3) The acts and practices set out in (2) above breach or may breach National Privacy Principle 10.1 in relation to the collection of the third party’s information.
(4) The public interest in the applicant doing the acts or engaging in the practices set out in (2) above substantially outweighs the public interest in adhering to National Privacy Principle 10.1 in those circumstances.
(5) This determination should remain in force from 11 December 2011 to 10 December 2016 (inclusive).
*In this determination, ‘person responsible’ has the same meaning as defined in National Privacy Principle 2.5 and 2.6.
My reasons for making this determination are attached.
Australian Privacy Commissioner
Statement of Reasons
Public Interest Determination No. 12
Collection of Family, Social and Medical Histories
Privacy Act 1988 (Cth), s79(3)
Dr Hambleton’s application
On 14 October 2011, Dr Steve Hambleton made an application under s73 of the Privacy Act 1988 (Cth) (the Privacy Act) for a public interest determination (PID) to be issued under s72 of the Privacy Act.
Dr Hambleton is a general practitioner based in New South Wales, and the current President of the Australian Medical Association.
Dr Hambleton requests a PID to enable the continuation of a practice that breaches, or may breach, National Privacy Principle (NPP) 10.1. The practice in question is the collection of personal information from a patient, about a third party, in the context of compiling a family, social or medical history for the patient. Dr Hambleton has also requested that the PID be given general effect under s72(4) to allow all clinicians to continue this practice across all clinical settings.
NPP 10.1 prohibits the collection of sensitive information (including health information) about an individual, in this case the third party, unless a prescribed exception applies.
Dr Hambleton notes that PID 10 and the associated PID 10A (which gives PID 10 general effect for other organisations in the same circumstances) currently permit the relevant practice to occur in specific circumstances without complying with NPP 10.1. PIDs 10 and 10A will expire on 10 December 2011.
Dr Hambleton submits that:
· the arguments made in support of the first application regarding this issue, made by the Adelaide Community Healthcare Alliance (ACHA Health) on 19 December 2001 for PIDs 9 and 9A, are still relevant
· the effect of the existing PIDs ‘continues to be of critical importance for health service providers in providing best practice assessment, diagnosis and care to patients’
· ‘there is a large body of evidence supporting the collection of third party health information, such as family history, as a fundamental part of the diagnosis and treatment regime’
· fulfilling the requirement to obtain the consent of third parties to collect their information, and notifying third parties of the collection of their information in this context is ‘clearly impractical and could compromise the health care of consumers’, and
· ‘the public interest is served by the efficient and accurate diagnosis of patients by health service providers’ and ‘the absence of a Public Interest Determination to exempt healthcare providers from NPP 10, would result in significant inefficiencies and impracticalities, which would have a detrimental effect on the provision of quality health care’.
Dr Hambleton notes that, as emphasised by stakeholders during the previous consultation processes (PIDs 9 and 9A, and 10 and 10A), ‘the standards for the accreditation of general practitioners include the collection of current and accurate health summaries, including pertinent medical or social history information for patient care’, and that ‘this practice is considered best practice clinical care’.
Dr Hambleton asserts that ‘a patient’s social, family or medical history information is collected in an environment of maximum consumer privacy (governed by professional codes of ethics and confidentiality)’, and that ‘clinicians are bound to treat personal information collected in the course of providing a health service as confidential, regardless of the person to whom the particular facts or opinions relate’.
History of past Public Interest Determinations in relation to the collection of family, social and medical histories
On 19 December 2001, ACHA Health, a private sector health service provider, made an application for a PID. ACHA Health was concerned that the accepted practice of collecting family, social and medical histories during the course of providing a ‘health service’ could breach the NPPs. At that time, the NPPs were about to come into operation.
On 21 December 2001, in response to ACHA Health’s application, the then Privacy Commissioner, Malcolm Crompton, issued two temporary PIDs (TPIDs). The TPIDs were effective for 12 months from 21 December 2001. The TPIDs were issued to enable ACHA Health and other health service providers to continue the practice of collecting third party information without the third party’s consent – in the course of taking a health consumer’s family, social or medical history – while broad consultation was undertaken regarding ACHA Health’s application.
After undertaking that consultation, the then Commissioner issued PIDs 9 and 9A.
The combined effect of PIDs 9 and 9A was to exempt health service providers from complying with NPP 10.1 in certain circumstances. In summary, under PIDs 9 and 9A, a health service provider could collect a third party’s health information from a health consumer without the third party’s consent when both of the following circumstances were met:
· the collection of the third party’s information into a health consumer’s family, social or medical history is necessary for a health service provider to provide a health service directly to the health consumer, and
· the third party’s information is relevant to the family, social or medical history of that health consumer.
PIDs 9 and 9A were effective from 11 December 2002 to 10 December 2007 (inclusive).
On 21 August 2007, Dr Tony Hobbs, a general practitioner, applied for a PID to continue the effect of PIDs 9 and 9A.
During the consultation process that followed Dr Hobbs’ application, an additional substantive issue was raised, namely that good clinical practice may require the collection of the relevant third party health information from a 'person responsible' for a health consumer when the consumer is incapable of providing that information themselves. Examples of where this need may arise include in the treatment and care of health consumers living with dementia or intellectual disabilities.
The then Privacy Commissioner, Karen Curtis, wrote to 14 key privacy, health professional and health consumer stakeholders seeking views on that issue. Stakeholders offered the view that the proposed PIDs should provide a mechanism for permitting collection of third-parties’ health information from a 'person responsible' where the health consumer is not capable of providing that information themselves. The then Commissioner was satisfied that the public interest in addressing this issue substantially outweighed the public interest in protecting privacy in compliance with the NPPs. Accordingly, PIDs 10 and 10A make provision for this type of collection.
The then Commissioner issued PIDs 10 and 10A on 6 December 2007. Those PIDs are effective from 11 December 2007 to 10 December 2011 (inclusive).
In the absence of a further determination, after 10 December 2011, s16A of the Privacy Act would require Dr Hambleton and other health service providers to comply with NPP 10.1 when collecting information about a third party in the course of collecting a health consumer’s family, social or medical history. This would generally require health service providers to obtain the consent of the third party to the collection of their personal information.
Pending law reform
The former Office of the Privacy Commissioner (the OPC), now the Office of the Australian Information Commissioner (the OAIC), publicly acknowledged the clinical value of family and social medical history information, and recognised the widespread support for the activity in the health sector, in its submissions to the Australian Law Reform Commission (the ALRC) review of Australian privacy law and practice.
In its submissions, the OPC recommended that the Privacy Act be amended to allow health service providers to collect third party health information that is relevant to a health consumer's family or social medical histories, without the third party's consent.
The ALRC released its report ‘For your Information: Australian Privacy Law and Practice’ in August 2008 (Report 108). In Report 108, the ALRC recommended that new health regulations should include provisions based upon PIDs 10 and 10A.
In its First Stage Response to Report 108, the Australian Government accepted that recommendation, although it indicated the recommendation should be implemented by amending the Privacy Act.
While the Government is in the process of preparing draft legislation to reform the Privacy Act, the necessary legislative reforms to the Privacy Act will not be completed by 10 December 2011.
Publication of the application and invitation of submissions
The OAIC invited submissions on Dr Hambleton’s application between 20 October and 11 November 2011.
On 20 October 2011, the OAIC published on its website:
· a copy of Dr Hambleton’s application, and
· a consultation paper that included supporting information regarding Dr Hambleton’s application, the existing PIDs 10 and 10A, the issues raised by Dr Hambleton’s application, my preliminary views, and how to make a submission regarding the application and proposed PIDs.
All material was published in accessible and downloadable formats, and was available in hard copy on request.
The consultation was publicised:
· by notation on the OAIC’s website,
· on the OAIC’s Twitter feed,
· through the OAIC email list, OAICnet,
· through the OAIC’s RDF Site Summary (RSS) feed, and
· on the Australian Government online forum, GovDex.
In addition, on 21 October 2011, the OAIC directly contacted (by letter or email) the following individuals and entities to notify them of Dr Hambleton’s application, and to invite submissions:
· the members of the OAIC’s Privacy Advisory Committee (the PAC)
· the members of the Privacy Authorities Australia network, and
· 34 key privacy, health professional and health consumer stakeholder organisations.
Submissions received regarding Dr Hambleton’s application
The following individuals and entities made written submissions regarding Dr Hambleton’s application:
· Consumers Health Forum of Australia
· Professor Michael Kidd AM, Faculty of Health Sciences, Flinders University, and member of the PAC
· Queensland Health
· Queensland Health Quality and Complaint Commission (HQCC), and
· South Australian Health and Community Complaints Commissioner (HCSCC).
In his application, Dr Hambleton advised that the Australian Medical Association also supported the application.
All five submissions were supportive of Dr Hambleton’s application.
All submitters noted the continued importance of permitting the collection of such information for the adequate diagnosis, treatment and ongoing care of health consumers.
OAIC experience with PID 9 and 9A, and 10 and 10A
The OAIC understands that the existing PIDs 10 and 10A have been operating effectively since 2007. The OAIC has not received, and the former OPC did not receive, any complaints in relation to the existing PIDs.
Similarly, the OAIC understands that PIDs 9 and 9A operated effectively from 2002 to 2007. No submissions to the former OPC’s Private Sector Review criticised the content or effect of PIDs 9 and 9A. The OPC did not receive any complaints regarding PIDs 9 and 9A.
Requirements of s72 of the Privacy Act
Under s72(2) of the Privacy Act, I am empowered to make a written determination where I am satisfied that:
(a) an act or practice of an organisation breaches, or may breach… a National Privacy Principle that binds the organisation; but
(b) the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that… Principle.
Under s72(3) of the Privacy Act, the effect of such a determination is that the act or practice of the organisation will be disregarded for the purposes of s16A of the Privacy Act. That is, the act or practice will not be regarded as an act or practice that breaches an NPP.
Breach of National Privacy Principle 10.1
As set out in Dr Hambleton’s application, the acts or practices that are the subject of PID 12 involve the collection, from an individual, by Dr Hambleton, of information about a third party without that third party’s consent, for inclusion in the individual’s family, social or medical history, where that information is necessary to provide a health service to that individual.
The issue of whether such acts or practices would breach NPP 10.1 was comprehensively dealt with in the decision by my predecessors when determining PIDs 9 and 9A, and 10 and 10A.
I am satisfied that the proposed collection may breach NPP 10.1.
Assessing the Public Interest
In determining the public interest test set out in s72(2)(b) of the Privacy Act, I have relied on the information in the current application, and the submissions received in relation to that application. In addition, I have taken into account that the OAIC has received no complaints about the operation of the existing PID 10 or 10A, and that the former OPC received no such complaints about PIDs 9 and 9A, or 10 and 10A (though I acknowledge that the nature of the practice involved may mean that third-parties are not aware that their information has been collected without their consent).
The reasons expressed in Dr Hambleton’s application for a new PID with similar effect to PIDs 10 and 10A focused on the importance of obtaining health consumers’ family, social and medical histories in order to provide continued quality diagnosis and treatment services and health care.
Dr Hambleton’s application also noted the impracticalities, inefficiencies and detriment to provision of quality health care if there was a requirement to obtain the consent of third parties in these circumstances.
In considering whether the public interest in Dr Hambleton collecting the health information of a third party, without consent, substantially outweighs the public interest in adhering to NPP 10.1 in the relevant circumstances, I have also made reference to the factors discussed below, which are taken from the OAIC’s Public Interest Determination Procedure Guidelines.
The nature of the public interest objectives served by the proposed interference with privacy
A key determinant of public interest in this decision is that permitting the relevant collection accords with widely accepted health care practices, which, in turn, allows for continuing, comprehensive and quality health care for consumers and for better public health outcomes.
Dr Hambleton’s application asserted that the effect of PIDs 10 and 10A ‘continues to be of critical importance for health service providers in providing best practice assessment, diagnosis and care to patients’. In particular, the applicant noted that collection of this type of information is used to inform efficient and accurate patient diagnoses and treatment plans.
The key issue of continuing to support best practice in patient care was echoed in almost all of the submissions. For example, Professor Kidd submitted that ‘being able to collect and store details of family medical histories is an essential public health measure which allows accurate preventative care, diagnosis, and treatment of individuals and their families’. Similarly, the Consumers Health Forum of Australia submitted that the effect of PIDs 10 and 10A is ‘of great significance to the safety and quality of healthcare’. The submission from Queensland Health supported the application on the basis that there is ‘a clear public interest in relation to the early diagnosis and treatment of inherited genetic conditions’. That view was also supported by the HQCC and the HCSCC.
The Consumers Health Forum of Australia also submitted that there was clear public interest in continuing to enable the collection of the health information of a third party from ‘persons responsible’ for that party, where that party is incapacitated and incapable of providing the information themselves.
The extent to which the proposed act or practice is inconsistent with an individual’s reasonable expectation of privacy
The practice of collecting health consumers’ family, social and medical histories for diagnosis, treatment and care – without the need to obtain third parties’ consent – is widespread, considered best clinical practice, and generally known and accepted in the community.
Further, I note that this practice predates the Privacy Act and the NPPs. The then Privacy Commissioner made TPIDs on the day that the NPPs came into force to enable the practice to continue, pending the consideration and issue of PIDs 9 and 9A.
Two submissions (HQCC, HCSCC) made specific reference to the high degree of consumer awareness regarding the importance of family, social and medical history information in facilitating accurate diagnosis and treatment. Professor Kidd noted that the practice is ‘a standing component of medical history taking’. The perception that this practice is consistent with individuals’ reasonable expectations is further demonstrated by the lack of complaints about the operation of PIDs 9 and 9A, and 10 and 10A, over the past ten years, and by the absence of any submissions opposing Dr Hambleton’s application.
The potential for the proposed act or practice to harm the interests of individuals
The applicant and HQCC indicated that the confidential setting in which medical and allied health consultations occur provides reasonable safeguards to protect the information collected about both the patients themselves and other relevant third parties. Existing ethical protocols in the health sector mean that health information is collected in an environment of ‘maximum consumer privacy’ governed by professional codes of ethics and confidentiality. Accordingly, I note that the risk of harm to individuals through inappropriate disclosure of their sensitive information is mitigated by the context in which the information is collected. In addition, the terms of PIDs 12 and 12A (like their predecessors) limit the information collected to that which is both relevant and necessary to provide a health service directly to the health consumer.
The need to balance the competing interests contained in s29 of the Privacy Act and the impact on the public interest if the proposed act or practice is not permitted
The submissions gave strong support for the effective and generally accepted operation of PIDs 10 and 10A in relation to these acts and practices since 11 December 2007.
Previous consultation (in respect of PIDs 10 and 10A) gave strong support for the effective and generally accepted operation of PIDs 9 and 9A in relation to the relevant acts or practices between 11 December 2002 and 10 December 2007.
Under s29 of the Privacy Act, in performing their functions or exercising their powers, the Privacy Commissioner must, amongst other things:
(a) have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way; …
In that regard, the following issues were raised in the course of Dr Hambleton’s application and the written submissions:
· if the consent of relevant third parties needed to be sought, this would be onerous, time consuming, costly, often impracticable, and would not necessarily be given by the relevant third party
· if the consent of third parties was required, this could cause unnecessary delay in providing health care to the consumer, which could ultimately compromise health outcomes
· the collection of family, social and medical history information is in the public interest and in the health consumer’s best interest, as it can assist in obtaining a correct and accurate diagnosis and health outcome, and
· if health consumer history information is not sought, the end result could be increased investigation and litigation in relation to medical negligence claims.
The impact on the public interest if the proposed act or practice is not permitted
Based on the clinical practice examples presented by Dr Hambleton and the written submissions the OAIC has received, I am of the view that individual health assessment, diagnosis and care could be compromised if the proposed collection is not permitted. Furthermore, requiring health and medical professionals to notify third parties of the collection of relevant health information in these circumstances, or to seek their consent, would delay the healthcare delivery process in individual cases. Also, as noted in submissions, if third party consent were routinely required, individual health care may be compromised where third parties do not provide consent.
Furthermore, I am satisfied that relying on a consent-based regime in these circumstances may have an impact on the efficient and effective running of medical businesses, in turn, risking reduced capacity to provide adequate and timely health care to the public.
Conclusions regarding the public interest
On balance, having taken all of the above factors into consideration and in consultation with relevant stakeholders, I have found that the public interest in permitting the relevant acts or practices substantially outweighs adherence to NPP 10.1 in the relevant circumstances. In arriving at this conclusion, I particularly note the following:
· the public interest in permitting the relevant acts or practices in order to provide continuing, comprehensive and quality health care for consumers, and better public health outcomes
· the fact that the practice of collecting health consumers’ family, social and medical histories for good health care and treatment without the need to obtain third parties’ consent is widespread, considered best clinical practice, and generally known and accepted in the community
· the need for efficient and effective running of health care services, and
· the effective and generally accepted operation of PIDs 9 and 9A in relation to these acts and practices between 2002 and 2007, and of PIDs 10 and 10A since 11 December 2007.
I am of the view that the central public interest objective being served by this determination is that of the provision of quality health services to health consumers and ultimately safeguarding public health.
I am satisfied that family, social and medical history collection, including in settings such as counselling and therapeutic health services, and residential and community aged care health services, is critical to good healthcare provision.
Continuing application of the National Privacy Principles to information collected under these determinations
Further, I note that the privacy protection standards in NPPs 1 to 9 and 10.2 to 10.3 will continue to apply to protect the third party’s information once collected.
In particular, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation’s functions or activities and be collected only by lawful and fair means and in a way that is not unreasonably intrusive.
NPP 2 provides protection for the use and disclosure of the information collected under the determinations. Under NPP 2, information collected may generally only be used or disclosed for the primary purpose of collection such as establishing an individual’s family, social or medical history in order to provide a health service directly to the individual. Exceptions do apply. For example, under NPP 2.1(a), information may be used or disclosed for a directly related secondary purpose within the reasonable expectations of the person to whom the information relates. Other limited exceptions are set out in paragraphs 2.1(b), and 2.1(d) to 2.1(h). Overall, the remaining NPPs appear to provide adequately for the protection of information that may be collected under the determinations.
For all of these reasons I am satisfied that the public interest in allowing Dr Hambleton to collect the information in question, in the circumstances set out in PID 12, substantially outweighs the public interest in adhering to NPP 10.1.
Notifying third parties of the collection
I note that, in his application, Dr Hambleton has included reference to notifying third parties of the collection of their information:
‘In the absence of a Public Interest Determination on this issue, National Privacy Principle 10 would require health service providers to obtain the consent of third parties to collect personal and health information on these persons, and notify third parties of the collection of their information. This is clearly impractical and could compromise the health care of patients.’
NPP 1.5 requires an organisation to take reasonable steps to notify an individual of the collection of their information from another person (in this case, from the health consumer). My predecessors canvassed the issue of whether a separate exemption for NPP 1.5 was required in similar circumstances in PIDs 9 and 10. I am of the same view that the requirement of NPP 1.5 for an organisation to take reasonable steps may mean, in some circumstances, that no steps need be taken to notify an individual of a collection of their information from another person. Consequently, no determination needs to be made in relation to that issue here.
Generalising the effect of the determination
In addition to applying for a determination for himself, Dr Hambleton referred to the importance of applying the determination to health service providers generally. My reasoning above has been developed on the basis that these issues apply to all health service providers and, accordingly, I have made a separate determination (PID 12A) under s72(4) of the Privacy Act, giving general effect to PID 12.
Organisations to which PID 12A applies
PID 12A applies to all organisations that provide a ‘health service’ under the Privacy Act (health service providers), where those organisations collect third party information in the limited circumstances referred to under PID 12.
Under s6 of the Privacy Act, ‘health service’ means:
(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
(i) to assess, record, maintain or improve the individual’s health; or
(ii) to diagnose the individual’s illness or disability; or
(iii) to treat the individual’s illness or disability or suspected illness or disability; or
(b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
The Privacy Act applies to all private sector organisations that deliver these types of services, including all health services that hold health information. The types of health services covered include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists, and allied health professionals such as counsellors, as well as complementary therapists, gyms, weight loss clinics and many others.
 Available at: www.privacy.gov.au/publications/acha.pdf.
 The term ‘health service’ is defined in s6(1) of the Privacy Act: see below at ‘Organisations to which PID 12A applies’.
 OPC’s Submission to the ALRC’s Review of Privacy Issues Paper 31, www.privacy.gov.au/materials/types/download/9110/6757, pp. 301-303.
OPC’s Submission to the ALRC’s Review of Privacy Discussion Paper 72, www.privacy.gov.au/materials/types/download/9111/6748, pp. 664-666.
 ALRC Report 108 is available at: www.alrc.gov.au/publications/report-108
 ALRC Report 108, Recommendation 63-1.
 Australian Government’s First Stage Response to ALRC Report 108, www.dpmc.gov.au/privacy/reforms.cfm, p133.
 PID 9: www.comlaw.gov.au/Details/F2008B00573
PID 9A: www.comlaw.gov.au/Details/F2008B00574
PID 10: www.comlaw.gov.au/Details/F2007L04670
PID 10A: www.comlaw.gov.au/Details/F2007L04669