Information Sharing by Health Service Entities for Quality and Safety Purposes
Part 6B of the Health Services Act 1988 (Vic) (HS Act) provides legislative authority for health service entities to share confidential information about an individual within the health system for quality and safety purposes.
This guidance outlines the provisions in the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001 (HR Act) that facilitate this information sharing, and also outlines how organisations sharing information under Part 6B of the HS Act can adhere to their overarching privacy obligations.
For background and rationale on Part 6B HS Act, as well as specific guidance on the operation of this part, refer to the Department of Health FAQs.
This guidance was prepared in partnership with the Health Complaints Commissioner (HCC).
Interaction between Part 6B of the HS Act and the PDP Act and HR Act
To facilitate information sharing under Part 6B of the HS Act, section 15C was inserted into the PDP Act. Section 15C has the effect of exempting certain entities in the health sector from adhering to Information Privacy Principle (IPP) 1.4 and IPP 1.5, and any IPP relating to the collection of sensitive information to the extent that the IPP requires consent, when sharing information under Part 6B of the HS Act.
Additionally, section 14D was inserted into the HR Act. Section 14D exempts certain health sector entities from Health Privacy Principle (HPP) 1.3 and HPP 1.5, and any HPP relating to the collection, use or disclosure of health information, to the extent that the HPP requires the consent of the relevant person, when sharing information under Part 6B of the HS Act
The tables below explain the operation of these sections in greater detail.
Types of information that can be shared under Part 6B of the HS Act
Part 6B provides for the sharing of confidential information defined as:
- health information within the meaning of the HR Act; or
- personal information within the meaning of the PDP Act; or
- sensitive information within the meaning set out in Schedule 1 to the PDP Act; or
- unique identifiers within the meaning set out in Schedule 1 to the PDP Act; or
- identifiers within the meaning of the HR Act.
Entities that can share information under Part 6B of the HS Act
Health service entities, including public health services, public and private hospitals and day procedure centres (amongst others) can share confidential information with the Department of Health, Safer Care Victoria, the Victorian Agency for Health Information(VAHI), or another health service entity (where authorised by the Minister) for quality and safety purposes.
Health service entities can also share confidential information for a quality and safety purpose with a special adviser, appointed by the Secretary, Safer Care Victoria or VAHI.
The Minister has, by instrument, authorised the sharing of confidential information between health service entities for the purpose of a review of an adverse patient safety event where patient care was provided by multiple health service entities. The instrument was published in the Government Gazette on 23 July 2020.
For more information about information sharing under the new Part 6B, and what ‘quality and safety’ purposes are, refer to the Department of Health FAQs.
Consequences of sharing information inappropriately or without authorisation
Sharing confidential information in a way that is not authorised under Part 6B of the HS Act, or by the HPPs or IPPs may result in a data breach. There are protections available under Part 6B for individuals who may have shared confidential information without authorisation, where they have exercised reasonable care and acted in good faith. For more information about the protections available for practitioners sharing confidential information, refer to the Department of Health FAQs.
A data breach occurs when personal or health information held by an organisation is disclosed in a way that it shouldn’t have been (for example, where the organisation did not have the legal authority to disclose the information, or where the information is lost or stolen). More information about data breaches is available on OVIC’s website.
Data breaches may result in a privacy complaint. An individual can make a complaint to OVIC if they believe their personal information was shared inappropriately or mishandled. Similarly, an individual may make a complaint to the HCC if they believe their health information has been shared inappropriately or mishandled.
Further information on privacy obligations
There are a number of resources on OVIC’s and the HCC’s websites that can assist organisations understand their overarching privacy obligations under the PDP Act and HR Act, as not all privacy obligations are displaced when sharing information under the Part 6B. Organisations will still need to comply with other IPPs and HPPs when sharing confidential information under the scheme.
Resources for understanding obligations under the PDP Act are available from OVIC’s website and include:
- Guidelines to the Information Privacy Principles.
- Privacy Management Framework.
- Information Sharing and Privacy Guide.
Resources for understanding obligations under the HR Act are available on the HCC’s website.
How section 15C of the PDP Act and section 14D of the HR Act operate
| Privacy and Data Protection Act 2014 | |||
| IPP | Description | How IPPs operates under Part 6B of the HS Act | Section |
| IPP 1.4 | IPP 1.4 ordinarily provides that if it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual. | Nothing in IPP 1.4, (or any applicable code of practice relating to IPP 1.4), applies to the collection of personal information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser. |
15C(1) |
| IPP 1.5 | IPP 1.5 ordinarily provides that if an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 (notice of collection) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual. | Nothing in IPP 1.5, (or any applicable code of practice relating to IPP 1.5) applies to the collection of personal information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser. |
15C(2) |
| All IPPs referring to consent | A number of IPPs refer to the concept of consent. Under these IPPs, consent may provide the legal authority to collect, use or disclose an individual’s personal information: • IPP 2 – Use and Disclosure. • IPP 7 – Unique Identifiers. • IPP 9 – Transborder Data Flows. • IPP 10 – Sensitive Information. |
Nothing in an IPP (or any relevant code of practice), applies to the collection of personal or sensitive information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser – to the extent that the IPP requires the consent of the person to whom the information relates for the collection of that information. This only provides for the displacement of the requirement to seek consent for the collection of information under Part 6B, not the use and disclosure. |
15C(3) |
| Health Records Act 2001 | |||
| HPP | Description | How HPPs operates under Part 6B of the HS Act | Section |
| HPP 1.3 | HPP 1.3 ordinarily provides that, where reasonable and practicable to do so, an organisation bound by the HR Act must collect health information about an individual only from that individual. | Nothing in HPP 1.3 (or any relevant code of practice) applies to the collection of health information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser. |
14D(1) |
| HPP 1.5 | HPP 1.5 ordinarily provides that where an organisation bound by the HR Act collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 (notice of collection) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence (see HPP 1.7) | Nothing in HPP 1.5 (or any relevant code of practice) applies to the collection of health information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser. |
14D(2) |
| All HPPs referring to consent
|
A number of HPPs refer to the concept of consent. Under these HPPs, consent may provide the legal authority to collect, use, disclose or share an individual’s health information: • HPP 1 – Collection. • HPP 2 – Use and Disclosure. • HPP 7 – Identifiers. • HPP 9 – Transborder Data Flows. |
Nothing in an HPP (or any relevant code of practice) applies to the collection, use or disclosure of health information for the purposes of Part 6B by: • the Secretary, DHHS; • a quality and safety body; • a health service entity; or • a special adviser – to the extent that the HPP requires the consent of the person to whom the health information relates for the collection, use or disclosure of that information. This amendment is slightly different to the corresponding amendment to the PDP Act, as it provides for the displacement of the requirement to seek consent before the collection, use or disclosure of health information, rather than just collection. |
14D(3) |
