Hansard & Papers, Legislative Council, 11 June 2002

Health Records and Information Privacy Bill


About this Item
Speakers - Egan The Hon Michael
Business - Bill, First Reading, Second Reading


    HEALTH RECORDS AND INFORMATION PRIVACY BILL

Page: 2958

    Bill introduced and read a first time.
    Second Reading

    The Hon. MICHAEL EGAN (Treasurer, Minister for State Development, and Vice-President of the Executive Council) [9.30 p.m.]: I move:
        That this bill be now read a second time.
    I am pleased to bring before the House the Health Records and Information Privacy Bill. The bill is a culmination of extensive consultation on health privacy issues begun by the Government in June 2000. I consider the legislation to be an important step forward in establishing clear rights and protections for the community in relation to the management and accessing of personal health information.

    As honourable members will be aware, debates about the right to privacy and the right to privacy of information have been increasing in the community over recent years. This debate has often centred on the potential misuse of health information, which can include sensitive and personal details about a person's health or mental health. Much community concern has also been generated by the opportunities offered by new technologies to link the records of individuals held by different agencies or organisations.

    The Health Records and Information Privacy Bill is a result of the recommendations of the Ministerial Advisory Committee on Privacy and Health Information. This independent committee, chaired by the New South Wales Privacy Commissioner, Mr Chris Puplick, reviewed issues relating to the privacy of health information in the context of the development of the linked electronic health record. The committee concluded that a strong regulatory regime was essential to protect health information and address community concerns about the privacy risks associated with electronic records. As such, it recommended the introduction of a Health Records and Information Privacy Act in New South Wales.

    The bill has been drafted in accordance with the recommendations of the committee, and establishes a comprehensive regime for the management and protection of health information across both the private and public sectors in New South Wales. The development of this legislation has also been guided by three additional principles. The first is to recognise obligations already imposed on service providers and health service providers by the existing laws, such as the Federal Privacy Act. The second principle is to draw together the best elements of existing privacy legislation at a local, national and international level. In this regard, particular attention has been given to the obligations currently imposed on the public sector in New South Wales under the Privacy and Personal Information Protection Act, as well as the reforms recently introduced in Victoria in the Health Records Act.

    The experience to date in other jurisdictions has been useful to the development of this bill. It reinforces the need for a flexible and adaptive legislative scheme capable of accommodating the complexities arising in the management of health information. The third principle is the aim to ensure a readily accessible and usable set of principles having due regard to both individual rights and the special needs arising in the management and use of health information. In this regard the bill endeavours to strike an appropriate balance between the desire of consumers for privacy on the one hand, and the need to safeguard the health and safety of individuals and the public, and promote safe and effective health service delivery on the other.

    I will now give a general overview of the bill. Under clauses 5 and 6 "health information" is defined as information about an individual's health or a health service obtained by an individual, and from which his or her identity can reasonably be ascertained. Health information includes information or opinions about a person's physical or mental health and information collected in relation to organ donation or genetic information, as well as information about a health service provided to a person. "Health service" is defined to cover a broad range of services including medical, hospital and nursing services, as well as services provided by both registered and unregistered health practitioners.

    The key provisions of the bill are contained in 15 health privacy principles. Health privacy principles 1, 2, 3 and 4 deal with the collection of health information. Principle 1 requires that information must not be collected unless it is for a lawful purpose directly related to a function or activity of the organisation. Principle 2 requires that the collection of information should be relevant and accurate and should not intrude unreasonably on the personal affairs of an individual. Principle 3 states that information should, unless it is unreasonable and impracticable to do so, be collected from the individual to whom it relates, while principle 4 outlines the information that must be given to a person when collecting information.

    Principle 5 requires that information can only be kept for a reasonable period of time and must, while held, be stored securely. Principles 6, 7 and 8 establish an individual's right to have access to personal health information, and a right to have that information amended. Principle 9 requires holders of health information to ensure health information they propose to use is accurate, complete and up to date. Principles 10 and 11 set out the list of purposes for which holders of health information can use and disclose health information. Principle 12 establishes limits on the use of identifiers. Principle 13 allows people to access health services anonymously, provided it is lawful and practicable to do so. Principle 14 sets out specific circumstances and requirements for the cross-border flow of data.

    In addition, and for the first time in Australia, health privacy principle 15 also establishes specific obligations in relation to the linkage of medical records via an electronic health records system. As honourable members will be aware, while there are strong arguments for the considerable benefit that will flow from linked systems, it also remains important that the individual patient retain control over the decision to participate in any such linkages. Health privacy principle 15 therefore establishes this right in law, requiring an organisation, whether public or private, to obtain an express consent from a person before they can be added to a linked system of health records.

    The bill also provides for the handling and management of complaints about breaches of the health privacy principles. Complaints about public sector agencies will be dealt with through the complaints mechanisms already established under the Privacy and Personal Information Protection Act. This legislation, which has been operational in the public sector for nearly two years, regulates the public sector's management of all personal information. The complaints mechanisms under that Act include an internal review by the agency in question, a role for the New South Wales Privacy Commissioner in assessing complaints, and a right to take an alleged breach of privacy to the Administrative Decisions Tribunal.

    Part 6 of the Act creates a complaints regime for the private sector, establishing the New South Wales Privacy Commissioner as the main complaints-handling body, providing for that office to receive, investigate and, where possible, conciliate complaints. Where the Privacy Commissioner concludes that there is a clear breach of a health privacy principle, an individual will also have the right to take his or her complaint to the Administrative Decisions Tribunal. In determining a complaint, the tribunal will have the same powers, irrespective of whether the complaint is made against a private or public sector body. This will include the power to order the respondent to refrain from the conduct in question, remedy a loss resulting from the breach and impose a monetary penalty.

    An exposure draft Health Records and Information Privacy Bill 2001 was released by the Department of Health in November 2001 and circulated widely to health interest groups and stakeholders. The intention was to provide the community with an opportunity to consider the proposed legislation and allow the Government to revise and adjust the bill in response to any concerns raised during the consultation period. I am pleased to report to the House that the consultations over the last six months have been valuable, with the submissions addressing a broad range of issues and highlighting a number of areas for further review. The process has allowed the provisions of the exposure draft bill to be revised and simplified to make the final Health Records and Information Privacy Bill 2002 stronger and more practical legislation.

    I will now turn to some of the issues raised during the consultations. The relationship of the bill to the existing private sector provisions of the Federal Privacy Act was one matter raised in various submissions. This Government considers consistency in the area of privacy legislation to be highly desirable, particularly across the private and public sector, between State and Territory jurisdictions and at a national level. It is for this reason that the Health Records and Information Privacy Bill covers both the private and public sector in New South Wales, that New South Wales has had particular regard to new legislation on privacy in Victoria, and that the bill was developed, and has been further refined during the consultation period, to ensure general consistency with the Federal Privacy Act.

    There are two reasons for this last approach. First, it is important to ensure that the State legislation operates within the Federal Constitution, and to address any concerns of possible constitutional invalidity. Second, from an operational perspective it is also important to ensure that the Health Records and Information Privacy Bill will not impose additional and unjustifiable burdens on the private sector, above and beyond the obligations already imposed under the Federal Act. Having due regard to these concerns, a number of adjustments have been made to the exposure draft bill, to bring it more into line with the Federal Act. Many of the changes were a simple readjustment of language and finetuning.

    The most notable change relates to employment information. As honourable members may be aware, certain defined "employment records" are exempt from the Federal Act. During the consultation there was concern that without a similar exemption, the ambit of the State legislation and the potential burden on the private sector was being considerably expanded. To address this concern, clause 5 of the bill, which defines "personal information", now excludes employee records as defined under the Federal Privacy Act. I am aware that some privacy advocates have misgivings with such an exemption but they consider that while the Federal Act retains the exemption, New South Wales should also adopt it to minimise inconsistency and confusion for the private sector.

    The consultation period also provided the opportunity for the provisions of part 4 and part 6 to be streamlined and simplified. In particular, in part 4 the specific obligations on the private sector in relation to retaining, amending and granting access to records have been revised to recognise other legal obligations. The timeframes imposed in that part have also been standardised. In part 6 the provisions relating to access to the Administrative Decisions Tribunal have been simplified to allow procedural issues to be addressed through the tribunal's own legislation.

    Provisions have been added to ensure that matters already addressed and litigated under the Federal Privacy Act will not be relitigated at the State level. Clause 48 of the bill now prevents the tribunal from hearing a matter that is currently before the Federal Privacy Commissioner, or a matter on which the Federal Commissioner has made a determination. Clause 43 also gives the State Privacy Commissioner a discretion to refuse to deal with such a complaint.

    The monetary penalty provisions in clause 54 of the bill have also been varied to recognise that corporations have considerably greater capacity than an individual to pay a fine. While a penalty of $40,000 will be available against a corporation, the penalty for an individual respondent will be $10,000. The change has been made in response to concerns raised on behalf of individual health service providers. As honourable members may be aware, various other pieces of health legislation, including the Medical Practice Act, apply different levels of penalties on corporations and individuals, and such a solution would also appear reasonable in this case.

    There is one final, broad policy proposal that was raised during the consultations, which I would now seek to address. A number of submissions suggested that the legislation should include schemes for compulsory compliance audits. The view expressed in these submissions was that it was inadequate to rely solely on a complaints-based regulatory system to ensure compliance, particularly when dealing with complex structural matters such as security and linkage of records. It was argued that compliance mechanisms would enhance both cultural change and community confidence in the regulatory regime and electronic systems developed under it.

    While these arguments are persuasive, the Minister was also aware of other equally valid concerns suggesting a more cautious approach to compliance procedures. The issues to be considered here are complex and, while European legislation is well developed in this area, the issues have not been addressed in an Australian jurisdiction before. They also have the potential to impose a financial burden on both the private and public sectors in complying, suggesting that before progressing such a policy, extensive consultation would be required.

    As such, the Minister is not proposing to introduce in this bill provisions requiring the conduct of compliance audits or, indeed, a compliance approach to enforcement of the provisions of the Act at this time. The Minister is, however, prepared to recognise that as policy and practice develop in the area of privacy legislation, such an approach may well merit consideration. To this end, the Minister is proposing to include in the bill a power for regulations to be made to establish such processes. This will enable further detailed consideration of any such proposal prior to its introduction. It will also ensure consideration of the costs as well as the benefits of compliance requirements, and will ensure that any proposals are subject to a regulatory impact statement process that will include extensive consultation with affected stakeholders.

    At this point I emphasise that the Government recognises that ongoing education will be one of the keys to the ultimate success of this legislation. In this regard NSW Health will conduct an extensive education program in the public sector. The training programs will be developed in conjunction with the Office of the New South Wales Privacy Commissioner, which will also provide information and training for the private sector.

    I turn now to some of the consequential amendments to the Privacy and Personal Information Protection Act as proposed in schedule 3 to the bill. During the consultation issues were raised in relation to some of the procedural and technical provisions of the bill, which were equally relevant to the Privacy and Personal Information Protection Act. As such, the opportunity has been taken in this bill to make some consequential amendments to that Act. Each of the amendments is relatively minor, and reflects the substantive provisions of the Health Records and Information Privacy Bill.

    Before concluding I thank the individuals from a range of community, business and professional organisations who made submissions on the exposure draft bill. I particularly thank the Office of the New South Wales Privacy Commissioner for its extensive assistance and advice in the development of the bill and throughout the consultation process. I also thank the representatives of various stakeholder groups, particularly those representing consumers and health professionals, who gave considerable time to Department of Health officers in commenting and advising on the legislation. The Minister believes that their assistance and support will ensure that the Health Records and Information Privacy Bill will be a sound base on which to take the regulation of health information into the future. I commend the bill to the House.

    Debate adjourned on motion by the Hon. Don Harwin.


Last modified 05/12/2007 16:38:27