Feature
Victoria's new health information privacy laws: voluntary compliance requested from 1 March
In brief: Some Victorian organisations are being asked to voluntarily comply with Victoria's Health Records Act from 1 March before the Act comes into effect on 1 July this year. These organisations - which include health service providers, businesses in the biotech, pharmaceuticals and healthcare industries and public sector bodies - may wish to implement their privacy compliance programs earlier than originally expected. Special Counsel Karin Clark explains.
The federal Privacy Act came into force recently and was discussed in a previous edition of Biotech News. Many Australian businesses have put into place privacy compliance programs to help them comply with the Privacy Act, as well as manage the risks and opportunities presented by the community's new awareness of privacy rights and issues.
Now the Victorian government has announced that it is encouraging organisations to comply with the new Health Records Act on a voluntary basis, from 1 March, even though the Act will not come into effect until 1 July this year. So businesses located in Victoria that haven't already done so should now review their privacy compliance programs to ensure that they also meet the new Victorian requirements.
This is particularly so for businesses that hold substantial amounts of health information, such as health service providers, businesses in the biotech, pharmaceuticals and healthcare industries, educational establishments and those that provide care for children or the elderly.
But the new Victorian legislation will also cover all businesses that hold other kinds of health information, such as in their employee records. Unlike the federal Privacy Act, the new Victorian Act does not exempt employee records or small businesses. So small businesses that may have previously been exempt from privacy legislation will need to start to put in place a privacy compliance program for any health information they hold, and all employers will need to ensure that any employment records they hold that contain health information also comply with the new Victorian law.
The new Act will apply to both the public and private sectors in Victoria. It even extends to health information in documents that are held outside Victoria but 'controlled' by an organisation in Victoria. There must be some question, however, as to the validity of this provision if the documents held outside Victoria don't relate to Victorians or any Victorian matters.
Many of the Act's Health Privacy Principles (HPPs) mirror the National Privacy Principles (NPPs) under the federal Privacy Act, but there are also some significant differences. Here are some examples.
- More of the Health Privacy Principles have a retrospective effect. For example, HPP2, which will regulate the use and disclosure of health information, will also apply to information collected before July this year.
- Access rights under the Victorian Act are different in some ways from access rights under the Privacy Act. For example, many categories of health information collected before 1 July will be subject to access after 1 July under the Victorian Act, even if they are not subsequently used by an organisation (unlike under the Privacy Act). On the other hand, there is no right under the Victorian Act to access health information if it has been given by a third party in confidence, with a request that it not be communicated to the individual concerned.
- HPP9 places restrictions on the transfer of health information to another party outside Victoria in certain circumstances. From a practical perspective, this may not be an issue if the individual has consented to the transfer, or it is clear that the health information, when it is transferred to the other party, will be subject to substantially the same principles as the HPPs. This may not be the case where the information is transferred, for example, to a small business operator in another Australian state who is exempt from the provisions of the Privacy Act.
- The Victorian Act applies to persons who have been deceased for 30 years or less.
The Office of the Victorian Health Services Commissioner will administer and enforce the Act. The Health Services Commissioner has similar powers to the Federal Privacy Commissioner. Unlike the Privacy Commissioner, however, she has a right to audit records of health information held by an organisation to check whether they are being handled in accordance with the HPPs. She also has power to serve a compliance notice on an organisation if a practice constitutes a serious or flagrant contravention of the Health Records Act or is repeated on a number of occasions. If a body corporate does not comply with a compliance notice it can face a penalty of up to $300,000.
For more on the new privacy regime, see AAR's dedicated privacy site.
Allens Arthur Robinson's team of privacy specialists can provide as much or as little assistance as you need to assess the likely impact of the new Victorian law on your business, and to discuss cost-effective ways of complying.
Please contact us if you would like assistance or more information about the new Victorian Act.