Glossary of common privacy terms used when managing health information
Australian Privacy Commissioner
The national regulator of privacy, conferred by the Privacy Act 1988 (Privacy Act) and other laws. The Australian Privacy Commissioner holds a position within the OAIC. Their primary focus is on privacy, freedom of information and government information policy.
Confidentiality
Refers to a set of obligations imposed through law or ethics. For example, a patient discloses confidential information to their general practitioner (GP) on the understanding the information will only be used within the practitioner–patient relationship. The National Health and Medical Research Council (NHMRC) defines ‘confidentiality’ as ‘the obligation of people not to use private information – whether private because of its content or the context of its communication – for any purpose other than that for which it was given to them’.2
De-identified health information
This refers to health information that is ‘no longer about an identifiable individual or an individual who is reasonably identifiable’.3 Care should be taken to ensure re-identification does not occur. If health information is de-identified, it falls outside of the privacy legislation.
Health information
Health information includes information or opinions about the health or disability of an individual and a patient’s wishes about future healthcare. It also includes information collected during the provision of a health service (and therefore includes personal details such as names and addresses).3 Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protection for the way health information is handled.
Personal information
This is defined by the Privacy Act as ‘information or opinion about an identified individual, or an individual who is reasonably identifiable’.3 Personal information includes an individual’s:
- name and address
- contact details
- birth date
- medical records
- bank account details.
Personal information might be held in any media. A general practice might record personal information on paper and in electronic records, X-rays, computed tomography (CT) scans, videos, photographs and audio recordings.
Use and disclosure
Generally, the term ‘use and disclosure’ refers to whether third parties are involved. Neither ‘use’ nor ‘disclosure’ is an easily defined term. A practice ‘discloses’ health information if it makes it accessible to persons, agencies or companies ‘outside the entity and releases the subsequent handling of the personal information from its effective control’.3 A GP may disclose health information if they discuss a patient’s conditions with other practitioners.