The following excellent review appeared a few days ago.
IT Advocate: The privacy minefield
There are significant differences between state and federal privacy legislation. CIOs who deal with government agencies or other public sector organisations must determine the privacy laws applicable to them – and how best to accommodate them.
Emma Weedon 15 September, 2009 08:05:00
It is clear to most businesses that deal with personal information that the Privacy Act 1988 (Cth) (Privacy Act) and National Privacy Principles (NPPs) impact in some way or another on them in terms of rights and obligations under the Act. Conversely, consumers dealing with private sector organisations can be relatively certain of the procedures by which they can access personal information held by private sector organisations, or make a complaint in respect of the information handling practices of such an organisation.
However, if consumers or service provider businesses find themselves dealing with government-owned corporations, universities, local governments, state governments or a raft of other state-based public sector bodies, they will need to undertake a significant amount of research to determine the privacy laws applicable to them, and how to best deal with those privacy laws.
At least one thing is clear -- all jurisdictions recognise a definition of personal information that is roughly the same and that such information must be protected, and used only in certain ways.
Commonwealth and Australian Capital Territory government agencies
Commonwealth and ACT government agencies are required to comply with the provisions of the Privacy Act in so far as they relate to Commonwealth and ACT government agencies. In general, this means complying with the requirements of the 11 Information Privacy Principles (IPPs).
Interestingly, the ACT also has the Health Records (Privacy and Access) Act 1997 which covers health records held in the public sector in the ACT and also seeks to apply to acts or practices in the private sector not covered by the Privacy Act. There is no such legislation dealing separately with the handling of health information at the Commonwealth level.
The Privacy Act requires that an agency entering into a contract with a service provider (whether private sector or otherwise) must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an IPP if done or engaged in by the agency. If an individual considers that the contractor has breached their obligations in the handling of personal information about them, they may make a complaint to the Privacy Commissioner who has jurisdiction to directly investigate the actions of the contractor.
Individuals may apply for access to personal information held about them by a Commonwealth or ACT Government Agency either under the Privacy Act or the Freedom of Information Act 1982 (Cth), but the Privacy Commissioner has accepted that most agencies will deal with such requests in accordance with the procedures under the Freedom of Information Act, and has not initiated a separate regime for dealing with access requests under the Privacy Act.
Queensland Government Agencies
Until 1 July 2009, Queensland government agencies were bound by the requirements of ‘information standards’ which essentially did not have the force of law. As of 1 July 2009, Queensland government agencies are bound to comply with the Information Privacy Act 2009 (Qld) which sets out obligations similar to the IPPs mentioned above for most agencies, and obligations similar to the NPPs for the Queensland Department of Health.
Interestingly, and despite this new regime, Queensland does not have separate privacy legislation to regulate private sector health providers.
Under the Information Privacy Act if a service provider is contracted to provide services to a government agency, and the provider is bound to comply with the provisions of the act under the contract, then it becomes a ‘bound service provider’ for the purposes of the legislation, and it is answerable to the Privacy Commissioner under that legislation, regardless of the fact that it is not originally bound to comply with the requirements of that legislation.
Access to information held about individuals by the Queensland government is now facilitated under the Information Privacy Act. However, if an individual incorrectly makes an application for access under the Right to Information Act 2009 (Qld) (the new freedom of information legislation) -- then the relevant government agency must the individual of their error, and ask the individual if they would like to amend their application so that it is made under the correct legislation.
The other States and Territories are covered here:
http://www.cio.com.au/article/318565/it_advocate_privacy_minefield?eid=-601
Quite alarming is the following paragraph at the end of the article.
“Both Western Australia and South Australia are currently without legislative privacy regimes. Various confidentiality provisions cover government agencies in Western Australia and the South Australian government has issued an administrative instruction requiring its government agencies to generally comply with a set of IPPs.”
With the current plans for legislation surrounding the IHI etc it seems we have a few hurdles to cross first! It is very hard to know how what the Commonwealth is planning can be expected to remedy this mess other than a full legislative override of all State Health Information Privacy regimens.
My comments on the request for submissions are found here:
http://aushealthit.blogspot.com/2009/07/commonwealth-department-of-health.html
The Commonwealth Privacy Commissioner has also commented. This – with my comments can be found here:
http://aushealthit.blogspot.com/2009/08/privacy-commissioner-administers.html
I understood the submissions on this topic were all to be made public, but I have not seen them yet. If you have please provide the URL as a comment.
It will be very interesting to see what the final legislation looks like!
David.
No comments:
Post a Comment