Skip to Content

Protecting privacy while sharing information under the new Part 6B of the Health Services Act 1988: Guidance for practitioners

Background

In October 2019, the Health Legislation Amendment and Repeal Act 2019 was passed in the Victorian Parliament. The Act introduced a series of new information sharing provisions that inserted a new Part 6B into the Health Services Act 1988. The commencement date of these reforms is 27 August 2020.

The new Part 6B is designed to provide a legislative authority to share confidential information about an individual within the health system for quality and safety purposes.

This guidance outlines the changes to the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001 (HR Act) made under Part 6B. This guidance also outlines how organisations sharing information under Part 6B can adhere to their overarching privacy obligations.

For more background on the reforms and rationale for the new Part 6B, as well as specific guidance on the operation of the new reforms, please refer to the information on the Department of Health and Human Services’ (DHHS) website. 1

This guidance is jointly published by the Office of the Victorian Information Commissioner (OVIC) and the Health Complaints Commissioner (HCC).

How does Part 6B amend the PDP Act and HR Act?

The Health Legislation Amendment and Repeal Act 2019 inserts a new section 15C into the PDP Act. The new section 15C is titled ‘Exemption – information sharing for quality and safety purposes under the Health Services Act 1988’, and has the effect of exempting certain entities in the health sector from adhering to Information Privacy Principles (IPP) 1.4 and IPP 1.5 and any IPP relating to the collection of sensitive information to the extent that the IPP requires the consent of the relevant person, when sharing information under Part 6B.

Corresponding changes to the HR Act, with the insertion of a new section 14D – ‘Information sharing for quality and safety purposes under the Health Services Act 1988’, have a similar effect. Certain entities in the health sector will be exempt from Health Privacy Principles (HPP) 1.3 and HPP 1.5 and any HPP relating to the collection, use or disclosure of health information, to the extent that the HPP requires the consent of the relevant person, when sharing information under Part 6B.

The tables below explain the operation of these changes in greater detail.

What type of information can be shared under Part 6B?

Part 6B provides for the sharing of confidential information defined as:

  • health information within the meaning of the HR Act; or
  • personal information within the meaning of the PDP Act; or
  • sensitive information within the meaning set out in Schedule 1 to the PDP Act; or
  • unique identifiers within the meaning set out in Schedule 1 to the PDP Act; or
  • identifiers within the meaning of the HR Act.

Who can share information under the new Part 6B?

Health service entities, including public health services, public and private hospitals and day procedure centres (amongst others) can share confidential information with DHHS, Safer Care Victoria, the Victorian Agency for Health Information (VAHI), or another health service entity (where authorised by the Minister) for quality and safety purposes.

Health service entities can also share confidential information for a quality and safety purpose with a special adviser, appointed by the Secretary, Safer Care Victoria or VAHI.

The Minister has, by instrument, authorised the sharing of confidential information between health service entities for the purpose of a review of an adverse patient safety event where patient care was provided by multiple health service entities. The instrument was published in the Government Gazette on 23 July 2020.

For more information about information sharing under the new Part 6B, and what ‘quality and safety’ purposes are, see the FAQs available on DHHS’ website. 2

What happens if information is shared inappropriately or without authorisation?

Sharing confidential information in a way that is not authorised under the new Part 6B or by the HPPs or IPPs may result in a data breach. There are protections available under Part 6B for individuals who may have shared confidential information without authorisation, where they have exercised reasonable care and acted in good faith. More information about the protections available for practitioners sharing confidential information under Part 6B is available in the FAQs on DHHS’ website. 3

A data breach occurs when personal or health information held by an organisation is disclosed in a way that it shouldn’t have been (for example, where the organisation did not have the legal authority to disclose the information, or where the information is lost or stolen). More information about data breaches is available on OVIC’s website. 4

Data breaches may result in a privacy complaint. An individual can make a complaint to OVIC if they believe their personal information was shared inappropriately or mishandled. Similarly, an individual may make a complaint to the HCC if they believe their health information has been shared inappropriately or mishandled.

More information on making a privacy complaint about personal information is available on OVIC’s website. 5 More information about making a complaint to the HCC is available on the HCC’s website. 6

Where can organisations learn more about their privacy obligations?

There are a number of resources on OVIC’s and the HCC’s websites that can assist organisations understand their overarching privacy obligations under the PDP Act and HR Act, as not all privacy obligations are displaced when sharing information under the new Part 6B. Organisations will still need to comply with other IPPs and HPPs when sharing confidential information under the scheme.

Obligations under the PDP Act (where applicable)

  • For more information about the 10 IPPs under the PDP Act, practitioners should refer to the Guidelines to the IPPs, on OVIC’s website.7
  • OVIC’s Privacy Management Framework provides guidance on the policies and procedures that promote good privacy practices and good privacy governance overall.8
  • The Guidelines for sharing personal information offer practical guidance for organisations to understand their privacy obligations most engaged when sharing personal information.9

There are a number of other resources available for practitioners to refer to under the ‘For agencies’ tab on OVIC’s website. 10

Obligations under the HR Act

There is guidance available for practitioners on their overarching obligations to handle health information in accordance with HPPs on the HCC’s website.11

Overview of changes to privacy obligations under the new Part 6B

The following tables outline the amendments made to the IPPs and HPPs.

Privacy and Data Protection Act 2014
IPP Description What are the changes under Part 6B? Section
IPP 1.4 IPP 1.4 ordinarily provides that if it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual. Amendments to the PDP Act provide that nothing in IPP 1.4, (or any applicable code of practice relating to IPP 1.4), applies to the collection of personal information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser.
15C(1) PDP Act
IPP 1.5 IPP 1.5 ordinarily provides that if an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 (notice of collection) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual. Amendments to the PDP Act provide that nothing in IPP 1.5, (or any applicable code of practice relating to IPP 1.5) applies to the collection of personal information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser.
15C(2) PDP Act
All IPPs referring to consent A number of IPPs refer to the concept of consent. Under these IPPs, consent may provide the legal authority to collect, use or disclose an individual’s personal information:
• IPP 2 – Use and Disclosure.
• IPP 7 – Unique Identifiers.
• IPP 9 – Transborder Data Flows.
• IPP 10 – Sensitive Information.
Amendments to the PDP Act provide that nothing in an IPP (or any relevant code of practice), applies to the collection of personal or sensitive information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser –
to the extent that the IPP requires the consent of the person to whom the information relates for the collection of that information.This amendment only provides for the displacement of the requirement to seek consent for the collection of information under Part 6B, not the use and disclosure as well.
15C(3) PDP Act

 

 

 

Health Records Act 2001
HPP Description What are the changes under Part 6B? Section
HPP 1.3 HPP 1.3 ordinarily provides that, where reasonable and practicable to do so, an organisation bound by the HR Act must collect health information about an individual only from that individual. Amendments to the HR Act provide that nothing in HPP 1.3 (or any relevant code of practice) applies to the collection of health information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser.
14D(1) HR Act
HPP 1.5 HPP 1.5 ordinarily provides that where an organisation bound by the HR Act collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 (notice of collection) except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence (see HPP 1.7) Amendments to the HR Act provide that nothing in HPP 1.5 (or any relevant code of practice) applies to the collection of health information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser.
14D(2) HR Act
All HPPs referring to consent

 

 

A number of HPPs refer to the concept of consent. Under these HPPs, consent may provide the legal authority to collect, use, disclose or share an individual’s health information:
• HPP 1 – Collection.
• HPP 2 – Use and Disclosure.
• HPP 7 – Identifiers.
• HPP 9 – Transborder Data Flows.
Amendments to the HR Act provide that nothing in an HPP (or any relevant code of practice) applies to the collection, use or disclosure of health information for the purposes of Part 6B by:
• the Secretary, DHHS;
• a quality and safety body;
• a health service entity; or
• a special adviser –
to the extent that the HPP requires the consent of the person to whom the health information relates for the collection, use or disclosure of that information.This amendment is slightly different to the corresponding amendment to the PDP Act, as it provides for the displacement of the requirement to seek consent before the collection, use or disclosure of health information, rather than just collection.This amendment only provides for the displacement of the requirement to seek consent for the collection of information under Part 6B, not the use and disclosure as well.
14D(3) of the HR Act
  1. More information about the information sharing reforms to the Health Services Act 1988 is available on DHHS’ website: https://www.dhhs.vic.gov.au/publications/privacy-policy.
  2. See DHHS’ FAQs, available here: https://www.dhhs.vic.gov.au/publications/privacy-policy.
  3. See DHHS’ FAQs, available here: https://www.dhhs.vic.gov.au/publications/privacy-policy
  4. See OVIC’s guidance about responding to data breaches: https://ovic.vic.gov.au/privacy/for-agencies/responding-to-data-breaches/.
  5. Information about making a privacy complaint involving personal information is available on OVIC’s website: https://ovic.vic.gov.au/privacy/for-the-public/complaints/.
  6. Information about making a privacy complaint involving health information is available on the HCC’s website: https://hcc.vic.gov.au/public/about-complaints
  7. The Guidelines to the IPPs are available in OVIC’s website: https://ovic.vic.gov.au/privacy/guidelines-to-the-information-privacy-principles/
  8. OVIC’s Privacy Management Framework is available on OVIC’s website: https://ovic.vic.gov.au/privacy/privacy-management-framework/.
  9. The Guidelines for sharing personal information are available on OVIC’s website: https://ovic.vic.gov.au/privacy/for-agencies/information-sharing/.
  10. Guidance for agencies on their privacy obligations is available on OVIC’s website: https://ovic.vic.gov.au/privacy/for-agencies/
  11. Guidance for agencies on their privacy obligations in relation to health information is available on the HCC’s website: https://hcc.vic.gov.au/public/health-records.
Back to top