Privacy Act 1988 - Part VI - Public Interest Determination No. 11A - Collection and use of contact details of genetic relatives to enable use or disclosure of genetic information (Australia)

Privacy Act 1988 - Part VI - Public Interest Determination No. 11A - Collection and use of contact details of genetic relatives to enable use or disclosure of genetic information

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

Privacy Act 1988 Part VI - Public Interest Determination No. 11A
Collection and use of contact details of genetic relatives to enable use or disclosure of genetic information
In relation to National Privacy Principles 2.1 and 10.1
Effective: 15 December 2010 to 14 December 2015 inclusive
Under section 72(4) of the Privacy Act 1988 (the Privacy Act), I, Timothy Pilgrim, Australian Privacy Commissioner, make the following generalising determination:
(1)    No organisation providing a health service is taken to contravene section 16A of the Privacy Act 1988 while Public Interest Determination No. 11 (PID 11) is in force, if the organisation does an act, or engages in a practice, that is the subject of PID 11.

Timothy Pilgrim
Australian Privacy Commissioner
16 November 2010

Attachment:            Statement of Reasons for Public Interest Determination No. 11A

Attachment
Statement of Reasons for Public Interest Determination    No. 11A
Section 79(3), Privacy Act 1988 (Cth)
Determination
This statement sets out the context for, and my reasons for making, Public Interest Determination 11A.
Background
The application
On 16 July 2009, Dr Catherine McCusker (the applicant) made an application under s73 of the Privacy Act for the making of a public interest determination (PID) under s72 of the Privacy Act (the Application). The applicant is a neurologist located in New South Wales.
The applicant has requested a determination to exempt her, in limited and specified circumstances, from complying with National Privacy Principles (NPP) 10.1 and 2.1 as set out Schedule 3 of the Privacy Act.
In addition to applying for a determination for herself, the applicant referred to the importance of applying the determination to health services providers generally.
The Application is made in relation to the practice of the collection or (secondary) use of the contact details of the genetic relatives of a patient, with a view to informing the relatives of the implications of genetic information obtained from the patient for the relatives’ own health. In instances where consent has not been obtained from the patient for the disclosure of their genetic information, the disclosure must be made in accordance with guidelines issued by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner under s95AA of the Privacy Act[1] (the s95AA Guidelines) (see ‘Background to amendments to the Privacy Act relating to genetic information’, below).
Background to amendments to the Privacy Act relating to genetic information
In 2006, the Privacy Legislation Amendment Act 2006[2] (the Amendment Act) amended the Privacy Act. The Amendment Act was enacted to effect the Australian Government’s decision to implement some of the recommendations of the Australian Law Reform Commission and the Australian Health Ethics Committee made in their report titled ‘Essentially Yours: the Protection of Human Genetic Information in Australia’.[3]
The amendments aim to safeguard the handling of genetic information by changing the definitions of ‘health information’ and ‘sensitive information’ in the Privacy Act to expressly include ‘genetic information’.[4] Genetic information that is (or could be) predictive of the health of an individual is now treated as ‘health information’[5] for the purposes of the Privacy Act. Genetic information that is not otherwise ‘health information’, such as the result of a parentage test, is treated as ‘sensitive information’[6] for the purposes of the Privacy Act.
The Amendment Act also introduced an additional exception to the general requirement set out in NPP 2.1 that personal information must not be used or disclosed for any other purpose other than that for which it was collected: NPP2.1(ea) allows for the use or disclosure of genetic information to a patient’s genetic relatives, without that patient’s consent, if the organisation ‘reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the relative’ [emphasis added].[7]
Section 95AA of the Privacy Act allows the Privacy Commissioner to approve guidelines issued by the NHMRC to clarify circumstances in which genetic information may be used or disclosed without consent. NPP 2.1(ea) requires that the use or disclosure of genetic information by an organisation without the consent of the patient be conducted in accordance with such guidelines.
The amendments do not require disclosure of information, but provide the framework for such disclosure to occur under the appropriate circumstances.
Issues raised by the applicant
The applicant notes that a person’s genetic information may be relevant not only to that person but also to their genetic relatives, due to the shared genetic heritage within families. The person’s genetic information may indicate that their genetic relatives might also have a certain genetic trait and, consequentially, the propensity to acquire or manifest a particular condition.
The applicant states that if a patient’s genetic information suggests that there is potential for a serious threat to the life, health or safety of the patient’s genetic relatives due to a shared genetic trait, and disclosure of that information may lessen or prevent the threat, she would like to be able to provide the genetic information to the genetic relatives to enable them to take any relevant action if they wish to do so.
The applicant also submits that fulfilling the requirement to obtain the consent of the genetic relatives to collect or use their contact details in that context is impractical. Specifically, the applicant has expressed a concern that the collection of the contact details of a genetic relative may breach NPP 10.1, as it is impractical to gain consent for the collection of the contact details and no other exceptions seem to apply.
The applicant has also raised a concern that, where she has already collected the contact details of relevant genetic relatives (for another purpose), the secondary use of those contact details without the consent of the genetic relatives to whom they relate may breach NPP 2.1.
The applicant notes that those issues will arise whether or not a patient consents to their genetic information being provided to their genetic relatives.
The applicant asserts that the collection of contact details will occur in a health services environment which is governed by strong professional codes of ethics and confidentiality.
The applicant submits that the public interest is served through early and accurate diagnoses and management of genetic conditions by clinicians. The applicant considers that in the absence of a public interest determination, the health care of individuals could be compromised and the end results could include:
·        the failure to recognise and treat the manifestations of such conditions in a timely manner
·        an increase in the investigation required to make a diagnosis
·        an increase in the medical intervention required, and
·        as a consequence, increased costs.
The applicant also submits that the outcome may be increased morbidity and mortality from potentially treatable conditions.
The applicant also notes that the absence of a relevant PID will prevent health services providers from disclosing the genetic information of a patient to that patient’s genetic relatives as permitted by NPP 2.1(ea) and the s95AA Guidelines, as the providers will not be able to collect or use the contact details of the relevant genetic relatives.
Related temporary public interest determinations
On 10 December 2009, the Privacy Commissioner, made:
·        a temporary public interest determination (TPID) under s80A(2) of the Privacy Act in response to the Application (TPID 2009-1[8]), and
·        a second TPID under s80A(3) of the Privacy Act (TPID 2009-1A), giving the first TPID general effect.[9]
A TPID may only be issued when the matter requires an urgent decision: such circumstances generally limit the opportunity for public consultation.
The Office held discussions with clinicians with expertise in the field of genetics and the Department of Prime Minister and Cabinet. In addition, 17 stakeholder organisations and individuals, including the Department of Health and Ageing and the NHMRC, were provided the opportunity to comment.
Ten submissions were received from a range of sectors, including state government agencies, peak health professional bodies, private sector health service providers, and privacy advocacy groups.
The majority of the submissions received were highly supportive of the necessity for a PID relating to the collection and use of genetic relatives’ contact details.
More detail is provided in the Statement of Reasons for Temporary Public Interest Determination 2009-1.[10]
Process of Consultation
27 stakeholder organisations and individuals, including the Department of Health and Ageing and the NHMRC, were provided the opportunity to comment on the proposed making of this determination.
Eight submissions were received from a range of sectors, including state government agencies, academics, peak health professional bodies, and privacy advocacy groups. A schedule of the submitters is set out in Appendix A. Again, the majority of the submissions received were highly supportive of the necessity for a PID relating to the collection and use of genetic relatives’ contact details.
A number of submissions noted that this determination is substantially the same as TPID 2009-1A, and confirmed their support for this determination for the same reasons that they provided in relation to the TPID.
One submission provided that the making of this determination was necessary to ensure that health services providers are not placed in breach of NPP 2 and 10, pending planned amendments to the Privacy Act relating to the disclosure of genetic information.
One submission from a state government privacy body noted that no complaints have been received by that body since the TPIDs came into force, and that extensive consultation has already been conducted in relation to the TPIDs.
One submission from a consumer’s group noted that some consumers have indicated disapproval of the unauthorised disclosure of a patient’s genetic information to that patient’s genetic relatives, as it could infringe on consumer privacy and have a negative impact of familial relations. That submission also noted that some consumers found the practice acceptable, but considered that it is essential that health services providers should attempt to obtain the consent of their patients to the disclosure. I consider that the issue of obtaining consent is dealt with adequately by the s95AA Guidelines.
One submission recognised the potential benefits to individuals and the community of permitting disclosure of a patient’s genetic information to genetic relatives without consent of the patient, but had several concerns regarding the implementation of the s95AA Guidelines and the PID. I have considered those issues, and have communicated the stakeholders’ specific concerns to the NHMRC.
One submission reiterated concerns made in respect of the TPIDs, namely that the disclosure of genetic information could harm the interests of the recipient of that disclosure (psychological harm, and the possible risk of genetic discrimination). That submitter also considered the practice of unauthorised disclosure to be inconsistent with an individual’s reasonable expectation of privacy. I have considered those issues in the process of making my determination.
Two submissions argued that the applicant had not sufficiently made the case for the necessity of a PID. That issue is addressed below.
Reasons for the decision
Authority to make the decision
The Application seeks the making of a PID under s72 of the Privacy Act.
Under s72(2)) of the Privacy Act, I am empowered to make a PID where I am satisfied that:
(a)      an act or practice of an organisation breaches, or may breach a NPP that binds the organisation (s72(2)(a)),
(b)      the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that NPP (s72(2)(b)).
Under s72(3) of the Privacy Act, such a determination has the effect that the organisation is taken not to breach the specified NPP(s) when doing an act, or engaging in a practice, which is described in the determination.
Under s72(4) of the Privacy Act, I am empowered to make a determination that gives a determination made under s72(2) general effect.
The acts or practices that are subject to this determination relate to NPPs 10 and 2. In this section, I will deal with each in turn.
Breach of National Privacy Principle 10.1
Under NPP 10.1, an organisation must not collect ‘sensitive information’ about an individual unless the individual has consented or a listed exception applies.
The act or practice raised in the Application concerns the applicant collecting the contact details (such as name and address) of a patient’s genetic relative(s) in order to inform the relative(s) of the implications for their own health of information obtained from the patient.
In some cases, the collection may occur in circumstances where the patient has given consent to the applicant for disclosure of their genetic information to their genetic relative(s), but does not wish or is unable to make the disclosure themselves. In such cases, the applicant may need to obtain the genetic relative’s contact details from the patient or, alternatively, from publically available records (in circumstances where the patient is not able or willing to provide the contact information).
In circumstances where the patient does not consent to the disclosure of their genetic information, the disclosure must be made in accordance with the requirements of NPP 2.1(ea) and the s95AA Guidelines. In such cases, the applicant may need to obtain the contact details of genetic relatives from publically available records.
Do the contact details of a genetic relative constitute ‘health information’?
Before considering whether the act or practice may breach NPP 10.1, it is necessary to establish whether the contact details of a genetic relative of a patient constitute, or may constitute, ‘sensitive information’ for the purposes of the Privacy Act.
For the purposes of the Privacy Act, ‘sensitive information’ includes ‘health information’ (s6, Privacy Act). ‘Health information’ includes ‘genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual’ (s6, Privacy Act).
The Office of the Australian Information Commissioner (into which the former Office of the Privacy Commissioner has been integrated) considers that the recording of a person’s contact details may, in some circumstances, convey information about their health. The context in which the contact details are held will inform what information can be inferred.
In the circumstances described above, it is likely that the applicant would need to collect the contact details of the genetic relative and note those details in the patient’s record. At that point, the contact details would be linked to other information on the patient’s record in such a way that it would be possible to infer that:
(a)        the person whose contact details are recorded is related to a person with a genetic condition, and
(b)        there is a possibility (or statistical probability) that the person whose contact details are recorded may also have a genetic condition.
I therefore consider that the contact details of a genetic relative of a patient are likely to constitute ‘health information’ (and therefore ‘sensitive information’) in circumstances where that information is associated with the genetic information of the patient (regardless of how the contact details are collected).
Does or could the act or practice breach National Privacy Principle 10.1?
I consider that collection of the contact details of the genetic relative of a patient can constitute the collection of ‘health information’. The collection of ‘health information’ without the genetic relative’s consent will constitute a breach of NPP 10.1 unless another exception prescribed in that principle applies.
I accept the applicant’s view that it is impractical to gain the consent of genetic relatives to the collection of their contact details, as to do so would, in itself, require contacting the relative. It does not appear that the circumstances detailed in the Application would allow the applicant to rely on any other exception.
As required by s72(2)(a) of the Privacy Act, I am satisfied that the act or practice described in the Application would or could constitute a breach of NPP 10.1.
Breach of National Privacy Principle 2.1
The applicant also raises her obligations in respect of NPP 2, where the applicant has previously collected the contact details of a genetic relative of the patient. In that situation, the applicant may wish to use those contact details for the secondary purpose of informing the consumer that they may be at risk of inheriting a genetic condition.
Under NPP 2.1, an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless the individual (whom the information is about) has consented or a listed exception applies.
Does or could the act or practice breach National Privacy Principle 2.1?
The circumstances in which the applicant has previously collected the contact details of a genetic relative may include the following:
(1)         The contact details were provided by the patient in order for the applicant to contact their next of kin in case of emergency
On collection, the ‘next of kin’ contact details would constitute ‘personal information’ collected for the purpose of being able to contact the relative about the patient in case of emergency, or for reasons relating to the patient’s health. Recorded in that way, the contact details would generally be part of the ‘health information’ of the patient but would not be considered to comprise ‘health information’ of the next of kin.
However, the contact details may become ‘health information’ of the next of kin in circumstances in which:
(a)        those details are associated with genetic information contained in the patient’s record, and
(b)        the next of kin is a genetic relative.
In that situation, information about the genetic relative’s health can be inferred from the patient’s genetic information.
The applicant has submitted that it is impractical to gain consent from the genetic relative to use their contact details where the applicant has previously collected the genetic relative’s contact details for another purpose, as to do so would, in itself, require contacting the relative for a secondary purpose (that is, to seek consent for the secondary use). It does not appear that the circumstances detailed in the Application would allow the applicant to rely on any other exception.
In particular, I have considered the application of NPP 2.1(a). That principle provides that ‘sensitive information’, including ‘health information’, may be used or disclosed for a related secondary purpose if:
·               the secondary purpose is ‘directly related to the primary purpose of collection’, and
·               the person to whom the information relates would ‘reasonably expect the organisation to use or disclose the information for the secondary purpose’.
I consider that, in the circumstances described by the applicant, the applicant would be unable to rely on NPP 2.1(a), as the information constitutes ‘sensitive information’ and there would not be a direct relationship with the original purpose for which it was collected.
I have also considered the application of NPP 2.1(e)(i), which permits the use or disclosure of ‘personal information’ by an organisation if that organisation believes it is ‘reasonably necessary to lessen or prevent...a serious and imminent threat to an individual’s life, health or safety’ [emphasis added]. However, generally, the consequences of a person not knowing about their genetic predisposition to illness will not be a sufficiently ‘imminent’ threat to their life, health or safety to justify disclosure in accordance with that provision.[11]
(2)    The genetic relative is a patient
Contact details for a genetic relative of a patient may be on a health services provider’s file because:
(a)        the genetic relative is a current patient of the health services provider, or
(b)        the genetic relative has had some other previous contact with the health services provider, i.e., the genetic relative is a former patient.
In such circumstances, the contact details would be considered to constitute ‘health information’ and, therefore, ‘sensitive information’, of the genetic relative, because the information is part of that person’s health record.
In the case of a current patient, the applicant may not be able to rely on NPP 2.1(a) as there may not be a direct relationship with the primary purpose of collection of the contact details (for example, where the patient has sought treatment for a particular condition).
This would be even problematic in the case of a genetic relative who is a former patient (or has had some other contact with the health services provider in the past) but who cannot be considered to have a current relationship with the provider. This is because it would be difficult to establish that there was implied consent (to use the contact details for this purpose), or that the use of the contact details is directly related to the original purpose of collecting them and within the genetic relative’s reasonable expectations.
It does not appear that the circumstances detailed in the Application would allow the applicant to rely on any other exception to the application of NPP 2.1.
As required by s72(1)(a) of the Privacy Act, I am satisfied that the act or practice described in the Application would or could constitute a breach of NPP 2.1.
Does the public interest in allowing the applicant to breach National Privacy Principles 10.1 and 2.1 outweigh to a substantial degree the public interest in adherence to those principles?
In considering the public interest test set out in s72(2) of the Privacy Act, I have considered:
·        the information provided by the applicant,
·        the submissions received in relation to the Application,
·        the stated intent of Parliament in enacting the Amendment Act, and
·        the continuing application of the NPPs to the information collected under this determination.
The potential for the proposed act or practice to harm the interests of individuals
Generally, an individual’s right to be informed as to the handling of their personal information, especially their health information, and to have some measure of control over how their information is collected, is regulated by NPPs 1 and 10. There is potential for harm to an individual if their health information is handled without their consent or knowledge.
In addressing a potential interference with privacy, it is necessary to consider other matters that may compete with privacy such as the possibility of a serious threat posed to an individual’s life or health.
The applicant and several submitters assert that the collection and use of the contact details of genetic relatives would occur in an [health services] environment of ‘maximum privacy and confidentiality’ that is ‘governed by professional codes of ethics and confidentiality’. The context in which the information is collected and used thus reduces the risk of harm through inappropriate disclosure.
Further, I note that any disclosure of patient information that occurs as a result of the conduct which is the subject of the PID is required to be in accordance with the s95AA Guidelines. Those guidelines take into account the risks of inappropriate disclosure, and proposed measures to mitigate the risk of harm to the interests of individuals.
I consider that the risks to individuals are adequately addressed by the context in which the information will be collected and used, and by compliance with the s95AA Guidelines.
Public interest objectives served by the proposed interference with privacy
The Application and the submissions of numerous stakeholders have also noted the impracticalities, inefficiencies and detriment to provision of quality health care if health services providers are not able to collect health information of genetic relatives in the circumstances covered by this determination.
On the basis of the Application and the evidence provided by stakeholders, I am satisfied that:
(a)        it is impractical to obtain consent for the collection of contact details of genetic relative(s) in the circumstances covered by this determination, and
(b)        the central public interest objective being served by this determination is the provision of quality health care for the genetic relative(s), and ultimately good public health outcomes for the community, and
(c)        the collection and use of the contact details of the genetic relative(s) in circumstances where the applicant has a reasonable belief that this is necessary to lessen or prevent a serious threat to the life, health or safety of the genetic relative(s) may contribute significantly to good health care in both respects outlined in sub-paragraph (b) above.
Legislative intent
I also note that although the Privacy Act permits the applicant to disclose the genetic information of a patient to that patient’s genetic relative(s) in accordance with NPP 2.1(ea) and the s95AA Guidelines, such disclosure would be impossible if the applicant was unable to collect and use contact details of the genetic relative(s). That situation is not in accordance with the legislative intent of the Parliament; the Explanatory Memorandum to the Amendment Act states that NPP2.1(ea) is intended to ‘ensure that a medical practitioner is able to disclose genetic information to a genetic relative where there is a serious risk to the health of the genetic relative’.[12]
In my view, a key factor in the making of this this determination is the fact that the determination will give effect to the clear and unambiguous intent of Parliament.
Continuing application of the National Privacy Principles to information collected and used under this determination
I note that the privacy protection standards in NPPs 1 to 9 will continue to apply to protect the genetic relatives’ information collected in accordance with this determination.
In particular, NPP 1.2 provides that information must be collected ‘only by lawful and fair means and not in an unreasonably intrusive way’.
NPP 2 provides protection for the use and disclosure of the information collected (that is, the contact details of the genetic relative of a patient). Under NPP 2, information that is collected may only be used for the primary purpose of collection, unless a listed exemption applies. In this case, that purpose would be to inform the patient’s genetic relative that they may possesses certain adverse genetic traits or be at risk of developing a genetic condition. Accordingly, if a health services provider collects the contact details of a genetic relative in the circumstances covered by this PID, the Privacy Act would not permit the provider to use or disclose the contact details for any other purpose unless an exception in NPP 2.1 applied.[13]
NPP 3 provides that an ‘organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date’.
I also note that the privacy protection standards in NPPs 1 and 3 to 10 will continue to apply to protect the genetic relatives’ information which is used for a secondary purpose in accordance with this determination.
The fact that personal information that may be collected or disclosed in accordance with this determination would still be subject to protections under the Privacy Act has been given significant weight in the decision to make this determination.
Decision
For the above reasons, and as required by s72(2)(b) of the Privacy Act, I am satisfied that the public interest in allowing the applicant to collect or use the contact details of a genetic relative in the circumstances set out in this determination substantially outweighs the public interest in adhering to NPP 10.1 and NPP 2.1.
Generalising the effect of Public Interest Determination 11
I have made a separate determination under s72(2) of the Privacy Act which specifically applies to the applicant (PID 11).
However, in addition to applying for a determination for herself, the applicant referred to the importance of applying the determination to health services providers generally. Accordingly, I have made this determination, which gives general effect to PID 11, on the basis that the issues raised in the Application may apply to all organisations that provide a health service.
Appendix A - Organisations and agencies that made written submissions on the Application and the making of PID 11

1.      National Health and Medical Research Council.
2.      SA Health.
3.      University of Tasmania, Law School.
4.      Australian Privacy Foundation.
5.      University of Canberra, Law Faculty.
6.      Consumer’s Health Forum Australia.
7.      Victorian Health Services Commissioner.
8.      WA Health, Office of Population Health Genomics.
9.      University of Sydney, Department of Medicine.

[1] The NHMRC guidelines, titled ‘Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth): Guidelines for health practitioners in the private sector’ were issued by the NHMRC on 27 October 2009 and took effect on 15 December 2009. Available at: www.nhmrc.gov.au/_files_nhmrc/file/publications/synopses/e96.pdf
[2] Available at: www.comlaw.gov.au/ComLaw/Legislation/Act1.nsf/asmade/bynumber/592A1E3B62096FD6CA2571ED0012E038?OpenDocument
[3] Available at: www.austlii.edu.au/au/other/alrc/publications/reports/96
[4] Privacy Act, s6.
[5] Privacy Act, s6.
[6] Privacy Act, s6.
[7] The inquiry conducted by the Australian Law Reform Commission and the Australian Health Ethics Committee concluded that there was a need to amend the Privacy Act to broaden the circumstances in which health professionals may use or disclose genetic information without consent. The Inquiry considered that the requirement of NPP 2.1 (e)(i) that a threat be ‘serious and imminent’ was too restrictive in the context of genetic information, given that most genetic conditions will take time to manifest. See Essentially Yours: the Protection of Human Genetic Information in Australia, chapter 21, p10.
[8] www.privacy.gov.au/materials/types/determinations/view/7007
[9] www.privacy.gov.au/materials/types/determinations/view/7006
[10] www.privacy.gov.au/materials/types/determinations/view/7007
[11] This was stated the reason for the inclusion of NPP 2.1(ea) in the private sector provisions of the Privacy Act. However, NPP 2.1(ea) only applies to ‘genetic information’: see footnote 12.
[12] Available at: www.austlii.edu.au/au/legis/cth/bill_em/plab2006310/memo_0.html
[13] E.g., NPP 2.1(g), which permits secondary use or disclosure of personal information if it is required or authorised by or under law.