While the dust is still settling following the major overhaul of privacy laws in March this year, some recent issues have arisen in the privacy space that are relevant to organisations in the health, aged care and retirement living sector. Set out below is a brief discussion of:
- how Medibank Health Solutions took a tough stance on overseas disclosures of personal information;
- recent steps towards the introduction of a tort of privacy.
Privacy coming into focus
The consequences of not keeping track of where personal information is held has led to Luxottica Retail Australia Ltd (Luxottica), parent company of OPSM, losing a subcontract worth $33.5 million for the provision of optional services to the Australian Defence Force (ADF).
The primary contractor, Medibank Health Solutions (MHS), terminated the contract when it discovered that personal information of ADF personnel had been transferred overseas. This was in breach of its contract with MHS which stipulated that all personal information of the ADF personnel had to remain in Australia.
This breach was discovered by MHS as part of a review it undertook of Luxottica's operations. The MHS media release states that none of the information had been passed onto parties other than those under contracts with Luxottica.
Under the new Australian Privacy Principles (APPs), organisations need to be aware of where it (and potentially its suppliers) physically store personal information, including where the servers holding electronic information is held, to ensure it can comply with contractual restrictions on the movement of information.
Click here to view Medibank Health Solutions media release
Calvary Healthcare - a model of privacy compliance
On the whole, the report was positive about Calvary's compliance with the APPs. The comments the OAIC did make regarding improvement were general ones and are equally applicable to other organisations in the health sector, including aged care facilities holding health information or retirement village facilities holding personal information.
Some of the more pertinent suggestions of the OAIC were:
- The OAIC took issue with the policy not being definitive about how Calvary collected, used and disclosed personal information. The OAIC suggested that the word 'may' should be avoided as it 'suggested uncertainty about the extent of Calvary’s information handling practices'.
- With regard to groups of organisations, the policy should be explicit about what entities or operations were covered by the policy. In the case of Calvary, the OAIC suggested it was unclear whether the policy was to cover all hospitals it administered, or only particular ones.
- The OAIC stated that the policy should deal with how healthcare identifiers and eHealth records are collected and disclosed.
- With regard to collection statements, when listing the entities that an organisation will disclose information to, if the organisation uploads information to an eHealth record it needs to disclose the PCEHR System operator as a recipient of personal information.
Click here to view full report.
'Eyes in the Sky' prompt call for privacy laws on the ground: should victims of invasions of privacy have the right to sue?
On 14 July 2014, the House of Representatives’ Standing Committee on Social Policy and Legal Affairs published the report 'Eyes in the Sky', examining the use of the drone technology and its applications.
How is this relevant to businesses in the health and aged care sectors?
The report recommends that the Federal Government introduce legislation to create a tort of 'serious invasion of privacy', which would enable victims of serious privacy breaches to sue perpetrators for damages. While the report suggests the tort should be limited to the use of 'invasive technologies' such as drones, a wider application has been suggested previously by the OAIC.
The arguments for stronger privacy laws have gained traction since the announcement of the current Government's proposed anti-terrorism measure to collect and store the internet and telephone metadata of Australian citizens, and prompted the reintroduction of the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth) to parliament on 20 March 2014. This Bill proposes to force APP Entities which hold personal information to inform the OAIC, the person to whom the information relates and, in certain circumstances, publish details in newspapers in every state, if a serious data privacy breach occurs. The Bill has passed debate in the Senate on 19 June 2014 and is currently before the House of Representatives.
Tightening of privacy laws and new powers to punish non-compliant APP entities is of concern to organisations which hold large volumes of personal and sensitive information, including hospitals, aged care facilities and other businesses conducting medical research through clinical trials.
At this stage the tort of privacy remains a proposal only, but if adopted, businesses that deal in personal and sensitive information may need to reassess their liability and safeguards against privacy breaches.