Privacy Issues for the Victorian Disability Sector

On July 1st 2002 there were changes to privacy legislation, which affected all health services including disability agencies in Victoria; in particular the Commonwealth Government Information Privacy Act 2000 and especially the Victorian State Government Health Records Act 2001.

This means that all Victorian disability agencies will have a legal obligation to abide by the health privacy principles (listed below).

Individuals will be given a legally enforceable right of access to their own health information, which is held in records in the private sector. This will apply to all Victorian businesses (profit and non-profit, public and private sector) and persons that handle health information.
All health information that is collected, held or used by organisations is bound by this legislation.

Contents

• The 11 Health Privacy Principles (HPPs)
• Further Issues
• Advice
• Contact The Office of the Health Services Commissioner
• Further Links

The 11 Health Privacy Principles (HPPs)

The Health Privacy Principles provide standards for the collection, handling and disposal of health information. The focus is upon gaining the consent of the individual concerned where possible and working in their best interests.
(This information is provided only as an introduction in nonlegal language.)

1. Collection: Only collect health information when it is necessary and with consent from the individual with a disability concerned ). When gaining consent is not possible, an authorised representative can be consulted and their consent given. In emergencies consent need not be gained as long as the agency acts in the best interests of the individual with a disability.
2. Use and Disclosure: Information is only to be used for the purpose for which it was collected (or matters closely related to this purpose). Otherwise the consent of the person with the disability is usually required (see comments in 1 above).
3. Data Quality: Reasonable steps must be taken to ensure that the data collected is accurate, up-to-date and complete.
4. Data Security and Retention: The organisation must take reasonable steps to ensure that the data collected is protected from misuse and loss and unauthorised access, modification or disclosure. This includes a number of considerations. Relevant information must not be changed. The agency must keep track of whomever the information is passed onto. If the information is no longer needed to be kept by the agency, or wanted to be accessed by the individual concerned, then it must either be destroyed or any identifying details removed. Usually information must be kept for 7 years.
5. Openness: Organisations must set out in a document how they manage health information and how this information can be accessed. This document must be made available to anyone who requests it.
6. Access and Correction: Individuals have a right to access information that names them and to have it corrected if it is inaccurate.
7. Identifiers:  When the information is sensitive and still needs to be kept but it is not necessary to identify who it refers to, avoid using identifiers that can be traced such as the individual concerned's medicare number.
8. Anonymity: Yet the individual has a right not to be identifiable if they so wish, as long as this is legal and practical.
9. Transborder Data Flows: Only transfer health information outside Victoria if it is to an Organisation governed by laws similar to the HPPs, or the individual with a disability concerned gives their permission (see the comments in 1 above).
10. Transfer/Closure of the Practice of a Health Service Provider: If a disability organisation is being sold, closed-down or taken over (no longer continuing to provide services), then it has an obligation to inform all past service users.
11. Making Information Available to Another Health Service Provider: An individual can request that their health information be made available to another health service provider.

If you want to read the full eleven Health Privacy Principles click here:
                                Official Health Privacy Principles

Further Issues

• The information, whether health or personal, which is covered by the legislation is only information which is kept, identifies a particular individual and sensitive
• Information requested by an individual with a disability or their authorised representative must be made accessible. This means legible, provided reasonably promptly and with no unreasonable cost associated with access.

Advice

DISTSS advises all Victorian Non-government disability organisations to delegate a staff member (preferably someone with management skills) to be in charge of privacy matters, to ensure that these principles are being met and that the organisation has a privacy policy handout. We acknowledge that many agencies will be already meeting these principles but wish to remind you that they are now not only guidelines to best practice but also legally binding.

All disability agencies should prepare a health privacy handout for clients or their representatives who ask for the release of information (this is a prerequisite of abiding by principle 5 HPP5 Openness). This handout can also be used as a means of informing staff of privacy and managers could even request that staff sign a form which says that they have read the statement.

DISTSS has prepared a proforma for agencies to pass on to people who use their service, outlining how the agency deals with health and privacy information. This proforma can be downloaded and tailored to meet the needs of individual agencies.

Questions you need to be able to answer:

• What is your agency's primary purpose for collecting health information?
  
• What data do you collect?
  
• How do you store the data and is it kept securely?
  
• What data do you disclose and to whom?
  
• When do you obtain the client's consent?
  
• What if the client cannot give consent?

Contact The Office of the Health Services Commissioner

For further details, enquiries or concerns contact;
The Office of the Health Services Commissioner
30/570 Bourke Street
Melbourne Vic 3000
Tel: (03) 8601 5222
Fax: (03) 8601 5219
Email: hsc@dhs.vic.gov.au
Website: www.health.vic.gov.au/hsc

Further Links

• PowerPoint Presentation by the Office of the Health Services Commissioner - A very informative Microsoft PowerPoint presentation on the new privacy legislation and who it affects and how.
  
  
• Allens Arthur Robinson - A leading Australian Law firm providing a very informative website on all matters dealing with privacy.
  
  
• Department of Human Services - link to their website pages on privacy.