The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of information or an opinion about an identified individual, or an individual who is reasonably identifiable. In a health service, this law pertains to the following information:
(a) information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to the individual; or
(iii) a health service provided, or to be provided, to an individual;
that is also personal information;
(b) other personal information collected to provide, or in providing, a health service to an individual;
(c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Uniquely to obstetrics and gynaecology, the information about an individual (the patient) is often intimately related to information pertaining to other parties (such as his or her partner, parents and descendants). Furthermore, medical research has specific safeguards for the collection and management of health information.
Schedule 1 of the Privacy Act includes thirteen Australian Privacy Principles (APPs) which set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information). These principles apply specifically to medical information.
Health services need to be aware of their obligations under the Privacy Act, the consequences of failure to comply and the recently introduced data breach notification obligations when a data breach is likely to result in serious harm to any individual.