Data protection and management
Definition of ‘health data’
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
Health data includes:
- information or an opinion about an individual’s health or any health services provided, or to be provided, to the individual;
- any personal information collected to provide or in providing a ‘health service’ to an individual (including organ donation); and
- genetic information about an individual that is in a form that could be predictive about the health of an individual (or relative of the individual).
The concept of ‘providing health services’ is very broad and can capture a range of services that may not be front of mind when thinking about health – for example, information collected by a gym on an individual in connection with a gym class, or Medicare billing information held by an insurance provider or debt collector.
Anonymised health data is not defined, although the Australian Privacy Principles (APP) Guidelines state that ‘anonymity’ means that an individual dealing with an entity cannot be identified. Critically, health data that may be anonymous in the hands of one entity may not be anonymous in the hands of another. The ability of an entity to link a data set with other information is relevant to whether data is truly anonymised.
Data protection law
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
Given the sensitivity of health information, its collection, use and management are regulated by the Privacy Act 1988 (Cth) (the Privacy Act).
Health data is treated more strictly than personal information under the Privacy Act. Health data is a subset of ‘sensitive information’ and consent is required for its collection.
Generally, an organisation can collect health data from a person if:
- the person provides their consent (express or implied); and
- the information is reasonably necessary for the organisation’s activities.
Implied consent arises when consent can be inferred from the circumstances and conduct of the person providing the health information. This is a higher test than that imposed on other personal information. The Australian government is currently undertaking a review of the Privacy Act. As part of this review, the government is considering updating the definition of ‘consent’ to be voluntary, informed, current, specific, and an unambiguous indication through clear action.
APP 11 requires entities to take reasonable steps to protect the personal information (including sensitive information, such as health information) they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. According to the Office of the Australian Information Commissioner (OAIC) APP Guidelines, ‘reasonable steps’ will depend on the circumstances in each particular case and may include governance, culture and training, internal practices, procedures and systems, information and communications technology security, access security, and destruction and de-identification.
In addition, the handling of health information is also subject to certain state-based legislation, which differs from the Privacy Act in some aspects, but the differences are relatively minor.
Anonymised health data
Is anonymised health data subject to specific regulations or guidelines?
APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with entities subject to the Privacy Act. However, entities are not required to provide these options if the entity is required or authorised by law to deal with identified individuals or if it is impracticable for the entity to deal with individuals who have not identified themselves. There may also be practical consequences for patients who do not wish to identify themselves, as their ongoing healthcare may be difficult for organisations to manage and they are unlikely to be able to claim a Medicare or health fund rebate.
De-identification may be one way to protect the privacy of individuals. De-identification involves removing personal identifiers (such as name, address, date of birth, etc) and removing or altering other information that could identify an individual (such as unique characteristics). However, with the increasing capability of technology and the sophistication of cyber-attacks, it is becoming more and more difficult to de-identify data effectively. The Australian government is currently reviewing the Privacy Act, and considering increasing the relevant threshold from ‘de-identified’ to ‘anonymous’ (for information to no longer be considered ‘personal information’).
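The two points above (removing direct identifiers and coarsening the remaining fields, and the fact that anonymity depends on what other data sets an entity can link to) can be checked mechanically. The following is an added example, not part of the original text or of any regulator's guidance; all records, field names and the external data set are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data): a gym's class export that holds health data.
RECORDS = [
    {"name": "A. Nguyen", "dob": "1984-03-12", "postcode": "2000", "sex": "F", "condition": "asthma"},
    {"name": "B. Smith", "dob": "1984-07-30", "postcode": "2010", "sex": "F", "condition": "none"},
    {"name": "C. Lee", "dob": "1990-11-02", "postcode": "3000", "sex": "M", "condition": "diabetes"},
    {"name": "D. Patel", "dob": "1990-05-19", "postcode": "3051", "sex": "M", "condition": "none"},
    {"name": "E. Brown", "dob": "1975-01-08", "postcode": "4000", "sex": "F", "condition": "hypertension"},
    {"name": "F. Jones", "dob": "1975-12-25", "postcode": "4006", "sex": "F", "condition": "none"},
]

# Constructed data set held by a different entity (e.g. a membership list), with names attached.
EXTERNAL = [
    {"name": "A. Nguyen", "dob": "1984-03-12", "postcode": "2000", "sex": "F"},
    {"name": "C. Lee", "dob": "1990-11-02", "postcode": "3000", "sex": "M"},
    {"name": "Z. Other", "dob": "1984-09-09", "postcode": "2007", "sex": "F"},
]

DIRECT_IDENTIFIERS = {"name"}
QUASI_IDENTIFIERS = ("dob", "postcode", "sex")  # not identifying alone, identifying in combination


def strip_direct_identifiers(records):
    """Step 1 of de-identification: drop fields that identify a person on their own."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def generalise(records):
    """Step 2: coarsen quasi-identifiers (full DOB -> birth year, postcode -> first two digits)."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"], g["postcode"] = r["dob"][:4], r["postcode"][:2]
        out.append(g)
    return out


def _combos(records, keys):
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination (k=1 means a unique record)."""
    return min(_combos(records, keys).values())


def uniquely_linkable(records, external, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique in this set AND in the external set,
    i.e. re-identifiable by anyone holding both. Only as strong as the external sets you test against."""
    ours, theirs = _combos(records, keys), _combos(external, keys)
    return sum(1 for combo, n in ours.items() if n == 1 and theirs[combo] == 1)
```

With names removed but the other fields intact, every record is still unique and two of the six link to a named row in the external set; after generalising both sides, no record is uniquely linkable, but that result holds only for the external data sets actually tested.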
Types of de-identified health data include Medicare numbers and healthcare identifiers. Medicare numbers are primarily used by individuals to claim benefits under the Medicare Benefits Scheme. APP 9 restricts the use or disclosure of a patient’s government-related identifier to specific circumstances (eg, it is reasonably necessary to verify the patient’s identity for an organisation’s activities).
Healthcare identifiers are unique 16-digit numbers that identify individual healthcare providers, healthcare provider organisations (such as digital health organisations) and individuals receiving healthcare. Healthcare identifiers help to reduce the potential for mix-ups with health data and are the foundation for government initiatives such as the My Health Record system, in which individuals’ health information can be viewed securely online. They are not health records, but are limited to identifying information such as name, date of birth and sex to uniquely identify patients. The use of healthcare identifiers is regulated by the Healthcare Identifiers Act 2010 (Cth) and Healthcare Identifiers Regulations 2020 (Cth), which provide that healthcare identifiers may only be collected, accessed, used and disclosed for limited purposes (such as providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient). In circumstances where a healthcare identifier is used or disclosed for purposes not permitted by the legislation, criminal and civil penalties may apply.
Enforcement
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
The Privacy Act gives the Privacy Commissioner a range of privacy regulatory powers, including powers that allow the OAIC to work with entities to facilitate best privacy practices, as well as investigative and enforcement powers to use in response to privacy breaches.
For example, if a healthcare company fails to obtain consent to collect the health information of an individual, the company will be in breach of APP 3 regarding the collection of sensitive information.
A breach of an APP is an ‘interference with the privacy of an individual’ under section 13(1) of the Privacy Act and, although it is not a civil penalty provision, it can lead to regulatory action and penalties. The provisions of the Privacy Act are enforceable under Parts 6 and 7 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth), which provide for enforceable undertakings and injunctions to be issued to enforce provisions.
In March 2019, it was announced that the Australian government intended to investigate the effectiveness of Australia’s current data protection regime and potentially reform the Privacy Act, including by introducing higher penalties for breaches of the Privacy Act. In November 2022, the first legislation tabled in the Australian Parliament in connection with this review – the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Privacy Bill) – passed both Houses of Parliament. The Privacy Bill covers four key objectives with respect to the Privacy Act:
- to significantly increase the maximum penalty for serious or repeated interferences with the privacy of an individual under the Privacy Act, increasing the former penalty from A$2.22 million (for corporate entities) to the greater of A$50 million, three times the value of any benefit directly or indirectly obtained from the contravention, or, if the value of the benefit cannot be ascertained, 30 per cent of the company’s adjusted turnover during the breach turnover period (minimum 12 months) for the contravention;
- to give the OAIC enhanced powers to request information and conduct compliance assessments of the notifiable data breach regime under the Privacy Act;
- to give the OAIC new enforcement powers, including allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals; and
- to introduce new information-sharing powers for the OAIC and the Australian Communications and Media Authority, the regulator that oversees telecommunications providers.
Additionally, the Privacy Act’s extraterritorial application has been broadened by the passing of the Privacy Bill. The Privacy Act requires entities that are established outside of Australia to meet the obligations of the Privacy Act if they ‘carry on business’ in Australia; however, the Privacy Bill has removed the former requirement in the Privacy Act for such entities to collect or hold personal information in Australia for the Privacy Act to apply.
Cybersecurity
What cybersecurity laws and best practices are relevant for digital health offerings?
APP 11 imposes a legal obligation on entities to take such steps as are reasonable in the circumstances to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Apart from this general obligation, there are no mandated IT security standards for the handling of health data in Australia. Some specific standards have been developed, including ‘Information security management in health using ISO/IEC 27002’ and the National eHealth Security and Access Framework v4.0. However, compliance with these standards is voluntary.
The OAIC has published its ‘Guide to health privacy’ and the Australian Digital Health Agency has published an ‘Information Security Guide for small healthcare businesses’. IT service providers that engage with government health agencies will typically be required to meet certain minimum IT security standards (eg, see the Digital Transformation Agency’s Secure Cloud Strategy).
The Australian government has passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (the SLACI Act) and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (the SLACIP Act). These Acts implement the first initiative of Australia’s Cyber Security Strategy 2020, which is to protect Australia’s critical infrastructure providers from cyber threats by amending the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act). Key reforms made by the SLACI Act and SLACIP Act include to:
- expand the definition of critical infrastructure sectors and assets that are covered by the SOCI Act to include the healthcare and medical sector (among others);
- require mandatory notification of cyber security incidents;
- implement government assistance and intervention measures that give the Australian government the power to direct entities to gather information and take certain actions in respect of cyber security matters;
- authorise the Australian Signals Directorate to intervene in response to cyber-attacks where critical;
- create a new ‘positive security obligation’ requiring responsible entities to create and maintain a critical infrastructure risk-management programme, including consideration of cyber and information security hazards; and
- introduce a new framework of ‘enhanced cyber security obligations’ that must be complied with by operators of systems of national significance (namely, Australia’s most important critical infrastructure assets).
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?
Organisations should consider the following three key questions:
- consent: do you have adequate consent to collect, use and disclose health data for this purpose? Where health data is collected in addition to personal information, additional consent may be required. The Privacy Act distinguishes between the use and disclosure of personal information for ‘primary purposes’ versus ‘secondary purposes’. The ‘primary purpose’ is the specific purpose for which the health information was collected. The context in which the health information was collected is relevant to this concept. A ‘secondary purpose’ is any use or disclosure for reasons other than the primary purpose. Secondary purposes are prohibited, unless the secondary purpose falls within a specifically permitted exception. In the health information context, the most common permitted exceptions are:
  - the individual would reasonably expect the organisation to use the information for the secondary purpose, and the secondary purpose is directly related to the primary purpose;
  - the use and disclosure are required to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety;
  - the use and disclosure is in connection with the provision of a health service or research, or the individual is incapable of giving consent (in each case, subject to specific rules); and
  - the use and disclosure is required by law or for law enforcement purposes;
- data systems: do you have appropriate data management systems in place? There are differing legal requirements for the handling of health data and personal information; however, these types of information are most often collected together. It is important to understand which data fits into each category, and to establish distinct data management processes for these different types of data; and
- security: do you have adequate security to protect against unauthorised access and misuse? Consider security safeguards that are reasonable in the circumstances.