Privacy Reforms – What do they mean for the aged care industry?
By Julie McStay, 13 Feb 2014
Significant reforms to the privacy laws in Australia are set to commence on 12 March 2014. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cwth) (the Act) makes changes to the Privacy Act 1988 (Cwth) (the Privacy Act) including the introduction of a new harmonised set of privacy principles, the Australian Privacy Principles (the APPs).
Generally, businesses with an annual turnover of $3 million or less are not required to comply with the APPs. However, aged care providers are covered by the Privacy Act and the APPs because they provide a health service to individuals and are therefore an exception to the $3 million turnover rule.
In this article we have set out the basic information you need to know about the changes to privacy laws. This article is not a substitute for legal advice. If you are interested in obtaining further advice, obtaining a compliant policy or attending one of our webinars, please contact us.
Failure to comply
A failure to comply with the new APPs may have significant consequences for entities. After 12 March 2014, the Privacy Commissioner will have new powers in dealing with non-compliance with the APPs and other privacy laws. Fines of up to $1.7 million for organisations and $340,000 for individuals may apply for serious and repeated breaches of the APPs.
The Australian Privacy Principles
The APPs will replace the National Privacy Principles and the Information Privacy Principles that currently apply to Australian businesses and Australian Government agencies.
A number of the APPs are new and significantly different from the current principles, and are likely to affect the activities of aged care providers. In particular, the APPs introduce:
- more onerous obligations in respect of the storage of information;
- new rules regarding the collection of unsolicited information;
- new rules about notifying individuals whose personal information is collected by an entity; and
- changes to the rules relating to direct marketing.
There are also significant changes surrounding cross-border disclosure of information. While these changes will mostly affect businesses operating internationally, they will also affect providers who use offshore data storage.
The key changes are outlined below:
Open and transparent management of personal information
Importantly, the APPs will require entities to have a “clearly expressed and up to date” APP policy. This document should be tailored to aged care providers, as it must specifically account for the types of information collected by facilities (i.e. health information). A “cookie cutter” approach will not be acceptable.
The APPs create new rules on how an entity must deal with “unsolicited information.” Unsolicited information includes any personal information, not relevant to the entity’s functions, which the entity did not actively seek to collect.
If you receive unsolicited information, you will be required to “de-identify or destroy the information as soon as practicable”. For example, if a prospective resident, when filling out a resident agreement, accidentally provides personal records not relevant to their care or financial position, this would constitute unsolicited information and should be destroyed.
Notification of the collection of personal information
Under the current privacy principles, an entity is required to inform an individual about various matters, such as the identity of the organisation collecting the personal information, the purpose of the collection and the rights an individual has to access their personal information. However, post 12 March 2014, entities will be required to provide additional information to an individual, such as whether the personal information will be disclosed to overseas recipients (and if so, the location of the recipient), how the individual can access and correct their personal information, and how the individual can make a complaint about a breach of the APPs.
The rules about the collection of sensitive information (i.e. health information) are essentially the same. An entity will only be able to collect sensitive information if the individual consents and the information is reasonably necessary for the entity’s functions.
The APPs now provide that an entity must not use or disclose personal information for the purposes of direct marketing unless the individual has consented or at least been given an opportunity to opt-out.
Security of information
Under the current privacy principles, entities must ensure that an individual’s personal information is protected from misuse, loss, unauthorised access, modification or disclosure. The new APPs will place an additional requirement on entities to ensure that personal information is secure from “interference”.
For example, this means aged care providers who hold personal information on computers or other electronic devices must ensure that the information is protected from computer viruses and other forms of electronic attack. Aged care providers should, at a minimum, review their record security, computer systems, software and information technology practices to ensure there are adequate security protections in place.
Where to from here?
If you have not undertaken a thorough review of your facility’s privacy policies and procedures, you should do so now, because it is likely you will need to make some changes to your systems to ensure you are compliant post 12 March 2014.
Quick steps for compliance
As a minimum, aged care providers should:
- Review how information is stored – Review your system of storing personal information to ensure the information is secure.
- Update and review policies for de-identifying and destroying information – Ensure you have policies and procedures in place for dealing with unsolicited information or information no longer required by a facility.
- Update and review collection statements – Implement policies on how an individual will be notified that their personal information is being collected.