The Law Handbook 2024
1110 Section 12: Government and the individual does not oblige an Australian Government agency to release data. The latest version of the section 95 guidelines was issued in November 2014. Section 95A guidelines The guidelines under section 95A of the PA 1988 (‘ section 95A guidelines ’) are conceptually similar to the section 95 guidelines and were issued by the NHMRC in March 2014. These guidelines apply to: • the collection, use or disclosure of health information held by private sector organisations for the purposes of research; • the compilation or analysis of statistics, relevant to public health or public safety; and • the collection of health information held by organisations for the purpose of health service management, where it is impracticable to seek the consent of relevant individuals. The section 95A guidelines provide a framework for assessing the privacy aspects of research proposals. These guidelines can be used by HRECs, and those involved in conducting research, compiling statistics, or working in health service management. The privacy assessment needs to determine whether the public interest in those activities substantially outweighs the public interest in the protection of privacy afforded by the APPs. Researchers must obtain approval from a HREC for research projects. The HREC assesses the privacy aspects, along with other factors, in deciding whether or not to approve the research proposal. Before applying for approval of a research proposal, researchers must assess its privacy impact and decide whether it is impracticable to seek consent for the use or disclosure of personal information. Section 95AA guidelines In March 2014, the Privacy Commissioner approved updated guidelines for the use or disclosure of a living individual’s genetic information by a private health service provider, to lessen or prevent a serious threat to a genetic relative’s life, health or safety (‘ section 95AA guidelines ’). The section 95AA guidelines – also issued by the NHMRC – must be followed when seeking to use or disclose this information without the individual’s consent, in reliance on the exception in APP 6.2(d). The above guidelines are available on the NHMRC’s website (www.nhmrc.gov.au) . My Health Record The ‘My Health Record’ system is the Australian Government’s electronic health system. The My Health Records Act 2012 (Cth) (‘ MHR Act ’) (formally known as the Personally Controlled Electronic Health Records Act 2012 (Cth)), together with My Health Records Regulation 2012 (Cth) and the My Health Records Rule 2016 (Cth) make up the legislative framework for the My Health Record system. The MHR Act places strict controls on the collection, use and disclosure of the health information in an individual’s ‘My Health Record’. A collection, use or disclosure that is not authorised by the legislation is both a contravention of the MHR Act and an interference with the individual’s privacy under the PA 1988. The MHR Act also imposes mandatory data breach notification obligations on the system operator, repository operators and portal operators. A ‘My Health Record’ allows an individual’s doctors and other healthcare providers to view the individual’s health information in accordance with access controls imposed by the individual. Individual health records can be accessed at www.digitalhealth.gov.au/initiatives-and-programs/ my-health-record. The system was previously opt-in only. However, since 31 January 2019, every Australian who did not already have a ‘My Health Record’ is automatically registered, unless they opt out. Healthcare identifiers The Healthcare Identifiers Act 2010 (Cth) (‘ HI Act ’) and the Healthcare Identifiers Regulations 2010 (Cth) implement a national system for assigning unique identifiers to individuals. Healthcare identifiers are assigned and administered through the Healthcare Identifiers Service (see ‘Contacts’ at the end of this chapter). Healthcare identifiers help healthcare providers to communicate information to each other about an individual, and to identify and access a patient’s records in the My Health Record system. Healthcare identifiers can only be accessed, used and disclosed for limited purposes. Any unauthorised use and disclosure is a breach of the PA 1988. The Information Commissioner regulates the handling of personal information under the My Health Record system by individuals, Australian Government agencies, private sector organisations, and some state and territory agencies, instrumentalities
RkJQdWJsaXNoZXIy MTkzMzM0