Publication date: 22 July 2019

Version 1.1

What are permitted health situations?

D.1 The information handling requirements imposed by APP 3 and APP 6 do not apply to an organisation if a ‘permitted health situation’ exists. This exception applies to the collection, use or disclosure of health information or genetic information by an organisation. The exception applies only to organisations, and not to agencies. It is open to an organisation to comply with the APP requirements even though an exception applies.

D.2 There are five permitted health situations listed in s 16B:

  • the collection of health information to provide a health service (s 16B(1)) (see APP 3.4(c))
  • the collection of health information for certain research and other purposes (s 16B(2)) (see APP 3.4(c))
  • the use or disclosure of health information for certain research and other purposes (s 16B(3)) (see APP 6.2(d))
  • the use or disclosure of genetic information (s 16B(4)) (see APP 6.2(d))
  • the disclosure of health information for a secondary purpose to a responsible person for an individual (s 16B(5)) (see APP 6.2(d)).

D.3 ‘Health information’ is defined in s 6(1). It is a type of sensitive information and is discussed in more detail in Chapter B (Key concepts). Genetic information is not defined in the Privacy Act, and is discussed in paragraphs D.26–D.27 below.

D.4 The permitted health situations are discussed generally below. For specific examples that are relevant to APPs 3 and 6, see Chapters 3 and 6.

Collection — providing a health service

D.5 This permitted health situation applies when an organisation is collecting health information about an individual, if the information is necessary to provide a health service to the individual, and either:

  • the collection is required or authorised by or under an Australian law (other than the Privacy Act), or
  • the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation (s 16B(1)).

D.6 The terms ‘necessary’, ‘health service’ and ‘required or authorised by or under Australian law’ are discussed in Chapter B (Key concepts).

D.7 This permitted health situation overlaps with another exception stated in APP 3.4(a), namely the collection of sensitive information (which includes health information) as required or authorised by or under law or a court/tribunal order.

D.8 In deciding whether the collection of health information is ‘necessary’ to provide a health service, an organisation should consider if there are reasonable alternatives available. Further, an organisation should collect only the minimum amount of health information needed to provide a health service.

D.9 The Privacy Act does not specify which bodies qualify as ‘competent health or medical bodies’. Common examples include medical boards and other rule-making bodies recognised in an applicable Australian law. An important requirement is that the organisation collecting the information does so in accordance with rules established by such a body, is bound by those rules, and those rules impose obligations of professional confidentiality. Generally, a binding rule is one that will attract a sanction or adverse consequence if breached.

Collection — conducting research; compiling or analysing statistics; management, funding or monitoring of a health service

D.10 This permitted health situation applies when an organisation is collecting health information about an individual, if the collection is necessary for research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service, and:

  • the particular purpose cannot be served by collecting de-identified information
  • it is impracticable to obtain the individual’s consent, and
  • the collection is either:
    • required by or under an Australian law (other than the Privacy Act)
    • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
    • in accordance with guidelines approved under s 95A (s 16B(2)).

D.11 The terms ‘necessary’, ‘de-identified’, ‘consent’ and ‘required by or under an Australian law’ are discussed in Chapter B (Key concepts). Collection in accordance with rules of a competent health or medical body is discussed in paragraph D.9 of this chapter.

D.12 This permitted health situation overlaps with another exception stated in APP 3.4(a), namely the collection of sensitive information (which includes health information) as required or authorised by or under law or a court/tribunal order.

Public health or public safety

D.13 The phrase ‘relevant to public health or public safety’ is not defined in the Privacy Act. Illustrative examples include research or the compilation or analysis of statistics relating to communicable diseases, cancer, heart disease, mental health, injury control and prevention, diabetes and the prevention of childhood diseases.

Management, funding or monitoring of a health service

D.14 Examples of where health information about an individual may be collected for the ‘management, funding or monitoring of a health service’ include collection by:

  • a quality assurance body, of data about the quality of a health service provided by a nursing home or hostel
  • an oversight body, of information from a private hospital about an incident occurring in an individual’s health treatment
  • a health insurer, of information relevant to possible fraud or an incorrect payment.

De-identified information

D.15 An organisation should consider whether the purposes listed in s 16B(2)(a) can be achieved by collecting de-identified information, rather than personal information. If they can, this permitted health situation will not apply.

D.16 The following are given as examples of where it may be impracticable for an organisation to obtain an individual’s consent to the collection of health information for one of the purposes listed in this permitted health situation:

  • the integrity or validity of health research could be impaired, for example, because the organisation is conducting a participant observation study and obtaining the consent of participants may alter their behaviour and the research results. Consideration could be given to consulting a human research ethics committee as to whether obtaining consent would have this effect
  • where obtaining the individual’s consent would adversely impact an investigation or monitoring activity
  • there are no current contact details for the individual and the organisation has insufficient information to obtain up-to-date contact details.

D.17 It is the responsibility of an organisation relying on this permitted health situation to be able to justify why it would be impracticable to obtain an individual’s consent. Incurring some expense or doing extra work to obtain consent would not by itself make it impracticable to obtain consent.

Guidelines approved under s 95A

D.18 The ‘guidelines approved under s 95A’ are issued by the National Health and Medical Research Council (NHMRC) or a ‘prescribed authority’, and approved by the Information Commissioner.[1]

Disclosure of personal information collected under this permitted health situation

D.19 An organisation that collects personal information under this permitted health situation must take reasonable steps to ensure that the information is de-identified before it is disclosed (APP 6.4 (Chapter 6)).

Use or disclosure — conducting research; compiling or analysing statistics

D.20 This permitted health situation applies when an organisation is using or disclosing health information about an individual, if the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:

  • it is impracticable to obtain the individual’s consent to the use or disclosure
  • the use or disclosure is conducted in accordance with guidelines approved under s 95A, and
  • in the case of disclosure — the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information (s 16B(3)).

D.21 The terms ‘necessary’ and ‘reasonably believes’ are discussed in Chapter B (Key concepts); ‘relevant to public health or public safety’ is discussed in paragraph D.13; ‘impracticable to obtain an individual’s consent’ is discussed in paragraphs D.16–D.17; and ‘guidelines approved under s 95A’ is discussed in paragraph D.18.

D.22 When considering whether a use or disclosure is ‘necessary’ under this permitted health situation, an organisation should consider whether the research or statistical compilation or analysis could be undertaken using or disclosing de-identified information. If so, the use or disclosure of personal information would not be considered necessary. De-identification is discussed in Chapter B (Key concepts).

D.23 An organisation cannot rely on this permitted health situation to disclose health information unless it reasonably believes that the recipient will not disclose the information or personal information derived from that information. It is the responsibility of the organisation to be able to justify its reasonable belief.

Use or disclosure — necessary to prevent a serious threat to the life, health or safety of a genetic relative

D.24 This permitted health situation applies when an organisation is using or disclosing genetic information about an individual, if:

  • the organisation has obtained the information in the course of providing a health service to the individual
  • the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the individual
  • the use or disclosure is conducted in accordance with guidelines approved under s 95AA, and
  • in the case of disclosure — the recipient of the information is a genetic relative of the individual (s 16B(4)).

D.25 The terms ‘health service’, ‘necessary’ and ‘reasonably believes’ are discussed in Chapter B (Key concepts). The phrase ‘serious threat to life, health or safety’ is discussed in Chapter C (Permitted general situations).

D.26 ‘Genetic information’ is not defined in the Privacy Act. Genetic information about an individual is, however, included in the definition of ‘sensitive information’ (s 6(1)). Genetic information that is ‘about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual’ is also covered by the definition of ‘health information’ (s 6(1)). This permitted health situation applies to genetic information whether it is sensitive information or health information.

D.27 This permitted health situation applies to genetic information about an individual that an organisation has obtained from any source in the course of providing a health service to the individual. For example, the genetic information may include the results of a parentage test, or information from other sources that confirms a condition that is clinically apparent or that may predict the likelihood of an individual developing a condition.

D.28 A ‘genetic relative’ is defined in s 6(1) to mean an individual who is related by blood, including but not limited to a sibling, a parent or a descendant.

D.29 A serious threat to the life, health or safety of a genetic relative could include a threat to their physical or mental health. Whether a threat is serious can include consideration of both the likelihood of a threat occurring as well as the consequences if the threat materialises.

D.30 The ‘guidelines approved under s 95AA’ are issued by the NHMRC and approved by the Information Commissioner.[2]

Disclosure — responsible person for an individual

D.31 This permitted health situation applies when an organisation discloses health information about an individual, and:

  • the organisation provides a health service to the individual
  • the recipient of the information is a responsible person for the individual
  • the individual is either physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure
  • another individual providing the health service for the organisation (the ‘carer’) is satisfied that either the disclosure is necessary to provide appropriate care or treatment of the individual, or the disclosure is made for compassionate reasons
  • the disclosure is not contrary to any wish expressed by the individual before the individual became unable to give or communicate consent of which the carer is aware or of which the carer could reasonably be expected to be aware, and
  • the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual or to fulfil the purpose of making a disclosure for compassionate reasons (s 16B(5)).

D.32 The terms ‘health service’, ‘consent’ (including capacity), ‘reasonable’ and ‘necessary’ are discussed in Chapter B (Key concepts). A ‘responsible person’ is defined in s 6AA and includes, for example, a parent, adult child, spouse, partner, relative, guardian or nominee of an individual.

D.33 An individual may be ‘physically or legally incapable of giving consent’ if they cannot understand the nature of a consent decision, including the effect of giving or withholding consent, forming a view based on reasoned judgement and how to communicate a consent decision. Issues that may affect an individual’s capacity to give consent include:

  • age
  • physical or mental disability
  • temporary or incremental incapacity, for example, during a psychotic episode, a temporary psychiatric illness, or because the person is unconscious, in severe distress, or suffering dementia
  • limited understanding of English.

D.34 An organisation should consider whether any such issue could be addressed by providing the individual with appropriate support to enable them to have capacity.

D.35 Where an individual physically cannot communicate consent to the disclosure, an organisation may disclose the individual’s personal information to a responsible person, without having to form a view as to the individual’s capacity (provided the other criteria in this permitted health situation are satisfied).

Carer

D.36 For the purposes of this permitted health situation, a ‘carer’ is an individual who is providing the health service for the organisation, such as a doctor, nurse, pharmacist, locum, visiting medical officer or qualified employee of the organisation. This is different to the use of the term ‘carer’ in other situations, as referring for example to a family member, close friend or other person who cares for the individual but does not provide a health service.

D.37 The carer must be satisfied that it is necessary to disclose the individual’s health information to a responsible person for the individual in order to provide appropriate care or treatment or for compassionate reasons. This requires a practical judgement by the carer. For example, the carer may be satisfied that ongoing care cannot be guaranteed without the disclosure occurring.

D.38 A compassionate reason for disclosure may include an update about the condition or progress of an unconscious patient to family members or an emergency contact.

Wishes of the individual

D.39 The disclosure must not be contrary to any wish expressed by the individual before they were unable to give or communicate consent. An individual’s wish or preference need not have been communicated in writing but may have been earlier communicated in anticipation of the individual no longer being able to make decisions about their health information, for example, where an individual has a degenerative condition which will lead to a lack of capacity.

D.40 An example of where a carer could be reasonably aware of an individual’s wishes is where they are noted on the individual’s medical record. An individual’s wishes may also have been expressed verbally during clinician-patient consultations, prior to the individual losing capacity to consent.

D.41 An individual’s wishes would be unlikely to override a guardianship order or other relevant legal authority, unless that guardianship order or other legal authority is limited or makes reference to the patient’s wishes. In these circumstances, an organisation should consider whether it can disclose the information under APP 6.2(b).

Footnotes

[1] See National Health and Medical Research Council (NHMRC), Guidelines Approved Under Section 95A of the Privacy Act 1988, NHMRC website <https://www.nhmrc.gov.au>.

[2] See National Health and Medical Research Council (NHMRC), Use and Disclosure of Genetic Information to a Patient’s Genetic Relatives under Section 95AA of the Privacy Act 1988: Guidelines for Health Practitioners in the Private Sector, NHMRC website <https://www.nhmrc.gov.au>.