Other legislation

Contributed by AjunthaThinakaran and current to 27 July 2018

My Health Records

The Australian government’s digital health record system is known as the My Health Record system. It contains online summaries of an individual’s health information, such as medicines they are taking, any allergies they may have and treatments they have received. In the past these records were known as the Personally Controlled Electronic Health Record (PCEHR) or eHealth record. They are now referred to as My Health Records.

A My Health Record allows an individual’s doctors, hospitals and other healthcare providers (such as physiotherapists) to view the individual’s health information within the limitation of their individual access controls. Individuals are also able to access their record online.

The My Health Record system opt-out period commenced on 16 July 2018. Individuals have until 15 October 2018 to advise the Australian Digital Health Agency if they do not want a My Health Record to be automatically created for them. Every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will now be automatically registered to have a My Health Record, unless they opt out and choose not to have one.

For further information about the My Health Record and what to do if you don’t want a record created, visit the My Health Record website or call the My Health Record Help line on 1800 723 471. You can also read the OAIC’s opt-out FAQs.

The My Health Records Act 2012 (My Health Records Act), My Health Records Rule 2016 and My Health Records Regulation 2012 create the legislative framework for the Australian Government’s My Health Record system.

The My Health Records Act limits when and how health information included in a My Health Record can be collected, used and disclosed. Unauthorised collection, use or disclosure of My Health Record information is both a breach of the My Health Records Act and an interference with privacy.

Pharmaceutical Benefits Scheme and Medicare Program Guidelines

Gives the Australian Information Commissioner responsibility for the regulation of the handling of certain health information within the Medicare Program and the Pharmaceutical Benefits Scheme. The Guidelines cover the storage, use, disclosure and retention of individual claims information, and limit the matching of information held by the Pharmaceutical Benefits Scheme and the Medicare Program. A breach of the Guidelines constitutes an “interference with privacy” under the Privacy Act.

[Reference: https://www.oaic.gov.au/privacy-law/other-legislation/medicare-and-pharmaceutical-benefits ]

Healthcare Identifiers

Implements a national system for assigning unique identifiers to individuals, healthcare providers, and healthcare provider organisations. The identifiers are assigned and administered through the Healthcare Identifiers Service (HI Service), currently operated by the Chief Executive Medicare.

The handling of healthcare identifiers is regulated through the Healthcare Identifiers Act 2010, the Healthcare Identifiers Regulations 2010 and the Privacy Act. Healthcare identifiers may only be accessed, used and disclosed for limited purposes. The Healthcare Identifiers Act imposes a high standard of privacy on healthcare identifiers, and if a healthcare identifier is used or disclosed in circumstances not permitted by the Healthcare Identifiers Act or Healthcare Identifiers Regulations, criminal and civil penalties may apply. Unauthorised use or disclosure of healthcare identifiers will also be an interference or breach of privacy under the Privacy Act. The independent regulator of the privacy aspects of the Healthcare Identifiers Act and the Healthcare Identifiers Regulations is the OAIC. As the privacy regulator, the OAIC has a range of functions and enforcement powers to ensure compliance with privacy requirements relating to healthcare identifiers.

[Reference: https://www.oaic.gov.au/privacy-law/other-legislation/healthcare-identifiers ]

Government Data Matching & TFNs

The Data-matching Program (Assistance and Tax) Act 1990 (Cth) (the Data-matching Act) accompanied the extension of the tax file number (TFN) system into the administration of federal government assistance payments. Under the Act, TFNs are used by Centrelink and the Department of Veterans’ Affairs to match data with taxpayer information held by the Australian Tax Office (ATO) to detect inappropriate payments. OAIC is responsible for monitoring compliance with guidelines issued under section 12(2) of the Data-matching Act and must include in his or her office’s Annual Report an assessment of the extent of the program’s compliance with the Data-matching Act, the guidelines and the Privacy Act.

Spent Convictions

A person is able to disregard some old criminal convictions, and is protected against unauthorised use and disclosure of this information. This is known as the Commonwealth Spent Convictions Scheme. A “spent” conviction is a conviction which satisfies the following conditions:
  • it is 10 years since the date of conviction (or 5 years for juvenile offenders);
  • the sentence imposed was a fine, bond, community service order, or term of imprisonment not greater than 30 months;
  • the individual has not been convicted of a further offence committed during the 10 (or 5) years waiting period; and
  • an exclusion does not apply (see below).

What types of offences?

The Scheme covers all convictions for minor federal or territory offences. It also covers convictions for minor state and foreign offences when dealing with Commonwealth authorities. Some states (not including Victoria) have their own spent conviction schemes. The Scheme also covers pardons and quashed convictions.

Protections under the Scheme

The Scheme offers the following protections:
  • the individual does not have to disclose a spent conviction;
  • the individual can claim on oath that they were not convicted of an offence; and
  • any other person who knows, or ought reasonably to know, about the spent conviction is prohibited from taking into account the conviction or disclosing the conviction.
Complaints of breaches of the Scheme may be made to the Federal Privacy Commissioner.


Exclusions under the Spent Convictions Scheme are limited to specific organisations needing to know about particular offences for special purposes. For example, if a person is applying for a position involving the care and control of children, the potential employer can find out about any sex offence convictions, or convictions for offences where the victim was a child.

If an agency has an exclusion, it should explain this fact, and what it means for the person concerned. Details of exclusions are available from the Federal Privacy Commissioner’s office.

[Reference: https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-41-commonwealth-spent-convictions-scheme ]

For Spent Convictions legislation at the State level, see below under State Privacy Legislation.

Telecommunication sector

  • Telecommunications Act 1997 (Cth)
The telecommunications sector is regulated by both the Privacy Act and specific obligations set out in the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979. Those specific obligations include prohibitions on the disclosure of personal information by a telecommunications provider, subject to limited exemptions.

The Telecommunications Act provides for the registration of telecommunications codes under a self-regulatory framework. These codes are developed by industry through the Australian Communications Industry Forum (ACIF), in consultation with the Australian Information Commissioner, and may be registered with the Australian Communications Authority (ACA).

In March 2015, the Australian Parliament passed legislation to introduce a data retention scheme into Part 5-1A of the Telecommunications (Interception and Access) Act 1979. Providers of telecommunications services in Australia (service providers) are required to collect and retain specified types of telecommunications data (sometimes called ‘metadata’) for a minimum period of two years. Importantly, Part 5-1A requires all service providers that collect and retain telecommunications data under the data retention scheme to comply with the Privacy Act in relation to that data.

[Reference: https://www.oaic.gov.au/privacy-law/other-legislation/telecommunications ]

Personal Property Security

The PPS Register provides an avenue for lenders and businesses to register their security interests over personal property. For example, when a lender (secured party) takes an interest in personal property of a borrower (grantor of the security), as security for a loan or other obligation, a personal property security is created. The PPS Register includes data about the grantor's personal property. For individual grantors, the data may include the grantor's name and date of birth. Persons can search the PPS Register for limited purposes, including to find out if a security interest is registered over personal property.

The PPS Act has a number of mechanisms to protect individual grantors and other members of the public from misuse of the PPS Register. For example, the PPS Act provides that a secured party’s failure to give notice to an individual grantor in relation to the addition, amendment or removal of information from the PPS Register (s 157(4) of the PPS Act), an unauthorised search of the PPS Register, or unauthorised use of personal information obtained from a search of the PPS Register (s 173(2) of the PPS Act) will be an interference with the privacy of an individual for the purposes of s 13 of the Privacy Act 1988 (Privacy Act).

An individual may make a complaint under s 36, and the Office of the Australian Information Commissioner may investigate under s 40 of the Privacy Act. The 'interference with privacy' provisions cover any entity or individual whether or not they are otherwise subject to the Privacy Act.

[Reference: https://www.oaic.gov.au/privacy-law/other-legislation/personal-property-securities-register ]

Anti-money laundering legislation

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), and the Anti-Money Laundering and Counter-Terrorism Financing Rules (AML/CTF Rules) aim to prevent money laundering and the financing of terrorism by imposing a number of obligations on the financial sector, gambling sector, remittance (money transfer) services, bullion dealers and other professionals or businesses (known as ‘reporting entities’) that provide particular services (known as ‘designated services’). These obligations include collecting and verifying certain ‘know your customer’ (KYC) information about a customer's identity when providing those services. Businesses that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act 1988 when handling personal information collected for the purposes of compliance with their AML/CTF Act obligations.

The Australian Government agency responsible for ensuring compliance with the AML/CTF Act is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Entities which are required to comply with the anti-money laundering legislation include:
  • Small businesses (defined in the Privacy Act as having an annual turnover of $3 million or less)
  • A Credit Reporting Body is authorized to prepare the use and disclose specific particulars of personal information held by it to a reporting entity for the purpose of verifying the individual’s identity under the AML/CTF Act.
A breach by a Credit Reporting Body or a reporting entity amounts to an interference with the privacy of the individual under the Privacy Act. An individual affected by an alleged breach may complain to the Office of the Australian Information Commissioner.

[Reference: https://www.oaic.gov.au/privacy-law/other-legislation/anti-money-laundering ]
