Latest news on Commonwealth Privacy Act 1988

At the Commonwealth level, there have been recent changes made, and a number of significant changes proposed, to the Privacy Act 1988.

The Privacy Act 1988 was amended late last year to see the maximum penalties for serious or repeated privacy breaches increased to that which is the greater of $50 million, three times the value of any benefit obtained through the misuse of information or 30 per cent of a company’s adjusted turnover in the relevant period. Other measures adopted at this time included expanding the powers of relevant regulators, with the government considering a more extensive reform agenda for the future.

According to the Privacy Act Review Report recently released by the Commonwealth Attorney- General’s Department, it is likely significant changes will be made to Australia’s privacy laws. Some notable recommendations include:

• Broadening the definition of personal information – in particular, this would include defining personal information to mean information ‘relating to’ an individual (not just information ‘about’ an individual). The proposal is also to consider including a non-exhaustive list of information that may be personal information, including information such as location data and technical data.
• Strengthening consent and notice requirements, including requiring consent to collect, use, disclose and store precise geolocation data and including additional matters in consent notices
• Requiring Privacy Impact Assessments to be conducted for activities with high privacy risks
• Requiring retention periods to be documented for different types of personal information
• Introduction of a Children’s Online Privacy Code
• Having a 72 hour timeframe to notify the Australian Information Commissioner of serious data breaches
• The need for harmonisation with State and Territory privacy laws.

Latest news on data breaches

According to the latest report on data breaches published by the Office of the Australian Information Commissioner (OAIC), there was a concerning increase of 41% in the number of data breaches caused by malicious or criminal attacks for the July to December 2022 period. Data breaches caused by such attacks now constitute an astonishing 70% of the total number of data breaches for the period.

The top three types of malicious attacks were:

• Ransomware
• Compromised or stolen credentials (method unknown)
• Phishing (compromised credentials)

And the rest was made up of:

• Brute-force attacks (compromised credentials)
• Hacking
• Malware

Data breaches caused by human error constituted 25% of the total data breaches that occurred. Interestingly, almost half of all the human error breaches involved errors made when sending emails - 42% involved personal information being emailed to the wrong recipient and a further 6% failed to use ‘bcc’ when emailing.

Another interesting observation is the number of breaches being reported also increased significantly. There were 497 breaches for this period compared to 393 from January to June 2022.

The new Electronic Patient Health Information Sharing System in Victoria

Parliament has recently passed the Health Legislation Amendment (Information Sharing) Act 2023 (the Amendment Act).

This Act amends the Health Services Act 1988 to establish a centralised and Government maintained information sharing system (ISS) for participating health services to share health information about patients for providing medical treatment.

The Amendment Act will come into force on a day to be proclaimed (or on 7 February 2024 if not proclaimed prior to that date).

The Secretary to the Department of Health and Human Services is responsible for determining what health information must be stored on the ISS – referred to as ‘specified patient health information’. Specified patient health information must be given to the Secretary for inclusion in the ISS.

Consent from the patient is not required for the purpose of collecting, using or disclosing specified health information on the ISS. Also, patients cannot opt out or chose to restrict access to certain information.

Once information is stored within the ISS, access will be limited to authorised employees of participating health services for limited purposes, such as for the provision of medical treatment or for information security and data management. Access for unauthorised purposes or by unauthorised persons are offences under the Amendment Act.

A Privacy Management Framework (Framework) is to be established by the Minister in consultation with relevant groups or organisations that represent the interests of patients, carers and health care workers, relevant public sector bodies and participating health services. The Framework will include mechanisms safeguarding the information that may be sensitive in nature and processes safeguarding the identity of patients who may be at risk of harm. Also, patients will be able to access reports which specify who has accessed their health information through the ISS.

The Amendment Act also amends the Health Records Act 2001 (HR Act) so information can be collected from sources other than the patient themselves, and notice is not required to be given for such collection for the purpose of the ISS. Patients will also not have the right to access their information on the ISS, as otherwise provided for under Part 5 and HPP 6 of the HR Act.

It is interesting to note that the Amendment Act expressly excluded the operation of the Freedom of Information Act 1982. This means, in addition to not having the right of access under the HR Act, patients cannot access their records on the system by making a Freedom of Information (FOI) request for them.