This business resource explains the requirements under the Privacy Act 1988 (Cth) (Privacy Act) for private sector health service providers or other private sector organisations who are seeking to collect, use or disclose health information without consent for research or statistical purposes relevant to public health or public safety. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.
Under Australian Privacy Principle (APP) 3, an organisation generally can only collect health information where it is reasonably necessary for its functions or activities, and the individual concerned consents to the collection. However, an organisation may collect health information without consent if an exception applies.
One of the exceptions allows collection where it is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and:
- the particular purpose cannot be served by collecting de-identified information
- it is impracticable to obtain the individual’s consent, and
- the collection is either:
- required by or under an Australian law (other than the Privacy Act)
- in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
- in accordance with guidelines issued by the CEO of the National Health and Medical Research Council and approved by the Commissioner under s 95A of the Privacy Act (s 16B(2)).