On 12 March 2014, 13 new Australian Privacy Principles (APPs) were created with the aim of greater uniformity and greater transparency in the federal privacy sphere. At the same time, the Office of the Privacy Commissioner was brought under the same banner as the Office of the Australian Information Commissioner (OAIC). The OAIC is now the body responsible for ensuring organisations are complying with the law and advising both government and businesses about how the laws operate. It also manages privacy complaints and enforcement.
The OAIC’s powers were significantly enhanced in the reforms so that it now has the power to:
- Conduct performance assessments, investigations and monitor compliance with privacy obligations.
- Accept Court-enforceable undertakings from APP entities to act or refrain from certain activities.
- Apply to the Federal Court for a civil penalty order (up to $340,000 for individuals and $1.7million for a body corporate).
The OAIC routinely publishes outcomes of assessments and determinations on its website, particularly where it believes to do so is in the public interest. In time, these published decisions will provide further guidance about the changes implemented by the APPs.
To whom do the APPs apply?
The 2014 reforms introduced the concept of “APP Entities”, which encompass either Australian government organisations or agencies including:
- Public hospitals
- NSW Health Care Complaints Commission (HCCC)
- Australian Health Practitioner Regulation Agency (AHPRA), which governs the national registration and regulation of health practitioners.
Private organisations which would otherwise be regarded as non-APP Entities, are subject to the APPs if they are providing a health service. “Health service” is widely defined under the Privacy Act 1988 and (according to guidance provided by the OAIC) would include:
- Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals.
- Complementary therapists, such as naturopaths and chiropractors.
- Gyms and weight loss clinics.
- Childcare centres, private schools and private tertiary educational institutions.
What kinds of complaints are likely to be made about health services?
Health information is afforded greater protection under the regime and it extends not only to information about health services provided but also opinions about health or disabilities and individuals’ wishes about future provision of health services including organ donation. The OAIC provides the following as examples of health information:
- Information about an individual’s physical or mental health.
- Notes of an individual’s symptoms or diagnosis and the treatment given.
- Specialist reports and test results.
- Appointment and billing details.
- Prescriptions and other pharmaceutical purchases.
- Dental records.
- Records held by a fitness club about an individual.
- Information about an individual’s suitability for a job, if it reveals information about the individual’s health.
- An individual’s healthcare identifier when it is collected to provide a health service.
- Any other personal information (such as information about an individual’s date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.
How to make a complaint
If you have a complaint about an APP Entity concerning:
- The way in which your health information has been collected, handled, stored or used;
- Access to your health information;
- Mistakes in your recorded health information;
And you are unsatisfied with the organisation’s response to your complaint you can make a complaint to the Privacy Commissioner (Mr Timothy Pilgrim) via the OAIC.
12 months on from the Federal Privacy changes, what’s changed?
Many government agencies and organisations appear to have taken the initiatives on board with updated privacy policies on their websites stating what kinds of information they collect and how it is held. These policies now appear to be more comprehensive and specific regarding types of information and in that regard are a welcome move towards the greater transparency heralded by the APPs.
On the first anniversary of the APPs being introduced, the OAIC reported that in the first 12 months of the regime, it had:
- Received 4016 privacy complaints (a 43% increase on the previous 12 months).
- Received 14,064 privacy enquiries.
- Received 104 voluntary data breach notifications.
- Commenced 13 privacy assessments.
Until such time as further data becomes available, it is difficult to see whether the new regime has delivered what it promised, although it is clear from the above report that the OAIC is at least using its new powers to conduct assessments.
The monumental increase in privacy complaints is a clear sign that those entities dealing with personal and health information need to take a considered and targeted approach to implementing compliant privacy policies and procedures.
 as set out in schedule 1 of the Privacy Act 1988