Privacy Policy
RACGP Standard Core 6.3 Confidentiality and privacy of health information

Introduction:
Our practice must comply with the Privacy Act 1988 (Cth) (Privacy Act) in dealing with any personal information. We have systems in place to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

This document provides guidance to employees so they are aware of our practice’s obligations under applicable privacy legislation, and the requirements for handling any personal information they may interact with.

Personal and sensitive information:
Personal information under the Privacy Act is any information or an opinion about an identified individual (or an individual who is reasonably identifiable). The Privacy Act sets out various obligations in relation to the collection, handling, storage, use or disclosure of personal information.

Under the Privacy Act, additional obligations apply in relation to sensitive information, which requires a higher level of privacy protection than other personal information. Sensitive information includes any information or an opinion about an individual’s:

- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information
- some aspects of biometric information

Australian Privacy Principles:
The Australian Privacy Principles (or APPs) are the cornerstone of the privacy protection framework in the Privacy Act. They apply to any organisation or agency the Privacy Act covers (an APP entity). The APPs require that APP entities take reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs.

There are 13 Australian Privacy Principles, which set out standards, rights and obligations around:

- an organisation or agency’s governance and accountability;
- integrity and correction of personal information; and
- the rights of individuals to access their personal information.

Our practice regularly reviews our privacy policy to ensure compliance with the APPs.
The following is a summary of the APPs:
APP 1
An APP entity must manage personal information in an open and transparent way. This includes having a clearly expressed and up-to-date APP privacy policy.

APP 2
An APP entity must give individuals the option either of not identifying themselves or of using a pseudonym. Limited exceptions apply.

APP 3
Outlines when an APP entity can collect solicited personal information. Higher standards apply to the collection of sensitive information.

APP 4
Outlines how an APP entity must deal with unsolicited personal information.

APP 5
An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters, or to ensure that the individual is aware of those matters.

APP 6
An APP entity can only use or disclose personal information for the purpose for which it was collected (known as the "primary purpose"), or for a secondary purpose if an exception applies.

APP 7
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9
Outlines the limited situations when an organisation may adopt a government-related identifier of an individual as the organisation’s own identifier, or itself use or disclose a government-related identifier of an individual.

APP 10
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete. An entity must also take reasonable steps to ensure that the personal information it uses or discloses is accurate, up-to-date, complete and relevant, having regard to the purpose of its use or disclosure.

APP 11
An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An APP entity has obligations to destroy or de-identify personal information in certain situations.

APP 12
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the APP entity. This includes a requirement to provide access, unless a specific exception applies.

APP 13
Outlines an APP entity’s obligations for correcting the personal information it holds about individuals.

Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles

Notifiable Data Breaches Scheme:
Under the Privacy Act, certain breaches of privacy may constitute a notifiable incident which must be reported to the Office of the Australian Information Commissioner. As an APP entity, our practice is bound by these obligations, and penalties may apply if our practice does not comply with those duties.

If you are aware of, or suspect, an incident which may involve a breach of privacy, please notify our practice manager as a matter of urgency.

Please refer to our Notifiable Data Breach Scheme policy for more details regarding our data breach response plans.

Privacy and Other Legislation Amendment Act 2024 (Cth):
On 10 December 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) received royal assent and was signed into law. These amendments significantly increase the risk of penalties associated with breaches of privacy by an APP entity, by introducing:

- increased penalties for any interferences with the privacy of an individual;
- additional enforcement powers for the Office of the Australian Information Commissioner, including the ability to issue infringement notices (with associated penalties) without court approval, greater investigative powers, and powers to require APP entities to mitigate damage arising from a breach of privacy; and
- new civil avenues for individuals to bring claims for serious invasions of their privacy.

These increased penalties mean that our practice must remain even more vigilant in ensuring that it takes great care with any personal information which it may receive.

Useful Resources:
The OAIC has several resources to assist and inform you about the privacy obligations applicable to our handling of personal information:

- Privacy fact sheet 17 — Australian Privacy Principles (APPs)
- Australian Privacy Commissioner Timothy Pilgrim speaking about the reforms (YouTube)
- Australian Privacy Principles Quick reference tool and summary

If you have any questions regarding any aspect of this document, or any other issues involving personal information, please reach out to our practice manager.
