AustLII Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

Privacy Law and Policy Reporter (PLPR)
You are here:  AustLII >> Databases >> Privacy Law and Policy Reporter >> 2003 >> [2003] PrivLawPRpr 3

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

Stapleton, Alan --- "Draft National Health Privacy Code: when can we expect delivery" [2003] PrivLawPRpr 3; (2003) 9(8) Privacy Law and Policy Reporter 156

Draft National Health Privacy Code: when can we expect delivery?

Alan Stapleton

On 1 December 2002, Senator Kay Patterson, Minister for Health and Ageing, and Daryl Williams AM QC MP, Attorney-General, announced the commencement of the consultation process for a proposed National Health Privacy Code:

Senator Patterson and her State and Territory colleagues have agreed to ,release the draft Code for a series of ,public consultations which will run ,until April 2003.

The Federal Privacy Commissioner, Malcolm Crompton, responded on ,5 December 2002:

The release of the draft National Health Privacy Code, by the Australian Health Minister’s Advisory Council, for public comment is a great opportunity for Australia to build on the national approach to privacy established by ,the Privacy Act.

This article looks at some of the complex hurdles that the proposed ,Code faces.

Co-regulatory privacy codes

A privacy code means a written code regulating acts and practices that affect privacy.[1]

In a wider context, privacy codes were introduced by the Privacy Amendment (Private Sector) Act 2000 (Cth), which adopted:

... a co-regulatory approach to privacy regulation. The Government decided that the privacy concerns of consumers could best be addressed if organisations were allowed some room to negotiate an appropriate privacy standard with its customers. The co-regulatory approach provides an effective and comprehensive data protection framework for the private sector in Australia but still allows some flexibility of application.[2]

When can we expect delivery?

There is no definitive answer; however, the following seven points demonstrate the some of the complex political, legislative and practical work that needs to be completed before the Code is approved and implemented.

1. Completion of ,consultation process

The public consultation process will run until April 2003.[3] Note that both ,the Code and consultation paper are described as ‘draft’.

2. Incomplete or further matters referred to in the draft Consultation Paper

The National Health Privacy Code Draft Consultation Paper prepared by the Australian Health Ministers’ Advisory Council National Health Privacy Working Group in December 2002, makes the following three comments.

Relationship with electronic ,health record efforts

Additional legislation or standards may ,be required to support specific e-health initiatives. Examples are, the development of the proposed national health record system HealthConnect, and the Better Medication Management System (BMMS).[4]

These two systems have very long lead in times.[5]

Further legislation

When the Code is finalised, Governments will need to consider whether changes ,to their current laws or administrative practices are required, to ensure that the one uniform set of rules established in the Code regarding health information can apply across the public and private sectors.[6]

Practical solutions

Potential implementation mechanisms are to be discussed by the Privacy Working Group in more detail once the content of the Code has been agreed.[7]

To meet its objectives, the proposed Code will require further legislation at the Commonwealth, State and Territory levels. Furthermore, both the Health Minister’s Council and the Privacy Working Group need to provide various practical solutions to implement the Code.

Public consultation will also have an effect. The Privacy Commissioner’s draft Guidelines on both Health Privacy and National Privacy Principles were each over 140 pages in length,[8] but after public consultation were reduced to just over 40 pages in their final forms.[9]

3. Insufficient industry ,experience to build on

The draft Consultation Paper states:

It is also important to build on the practical experience in addressing confidentiality and privacy issues in the health sector ... It can include making more explicit, or variations from, laws such as the National Privacy Principles ,in the Privacy Act.[10]

There is a problem with this approach. The NPPs, in respect of those small business organisations that collect and use health information, do not apply until after the ‘delayed application period’, namely 20 December 2002.[11] As such, experience of the application of the NPPs has yet to begin for many.

4. Difficulties or impossibility of unifying existing privacy regimes

The draft Consultation Paper lists ,four Commonwealth Acts (excluding ,the Freedom of Information Act 1982) and eight State and Territory health privacy regimes. This number of ,existing or proposed health privacy schemes may make it impossible to ‘ensure that the one uniform set of ,rules in the Code regarding health information can apply across the ,public and private sectors’.[12]

To complicate matters further, some professional organisations or relevant councils have already released privacy guidelines. Further guidelines have been approved and issued under both the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic) (HRA).[13]

The American experience is not really ,a helpful indicator of how well the proposed Code may meet its object. Dixon describes this issue of piecemeal privacy rules in the US and Australia ,as follows:

As in Australia, one of the strongest drivers of a national privacy regime in the United States is the concern of business groups to avoid a patch work of incon-sistent states based privacy laws ...[14]

The equivalent American remedy derives from Health Insurance Portability and Accountability Act of 1996 Public Law 104-191 (HIPAA). The specific instrument is the Standards for Privacy ,of Individually Identifiable Health Information (HIPAA Privacy Rule).[15] Subject to certain circumstances, the HIPAA Privacy Rule will pre-empt state laws.[16] However, the HIPAA Privacy Rule does not require compliance until ,14 April 2003.[17]

In any event, the American privacy regime has been described as ‘a lot of law, but there is not much protection’.[18]

Thus, at this time we cannot seek guidance from the success of similar efforts in the US.

5. Mandatory or voluntary membership of Code

The draft Consultation Paper asks whether the Code should be mandatory or voluntary.[19]

Now, it is not apparent how being bound to the Code could be mandatory, and allowed under the Privacy Act.

The co-regulatory regime set out in ,Pt IIIAA of the overarching Privacy Act provides for the approval of privacy codes. However, s 18BB(2)(c) excludes mandatory or compulsory adherence ,to a code. Section 18BB(2)(c) states:

The Commissioner may approve a privacy code if, and only if, the Commissioner is satisfied ... that only organisations that consent to be bound by the code are, or will be, bound by the code [emphasis added].

Thus, the Federal Privacy Commis-sioner can only approve the National Health Privacy Code, if membership is ,by consent or voluntary. The Draft Code Development Guidelines (April 2001) ,and Revised Version of the Code Development Guidelines (September 2001) confirm this view.[20]

Some health service providers may not want to be bound to the Code. By ,Code approval date, many may have successfully implemented the existing and proposed federal, State and Territory privacy regimes, and patients may also come to accept and understand these regime.

In essence, by the time the Code is approved, a culture may exist where many will say: ‘If it ain’t broke, why ,fix it?’.

6. Consumer and patient resistance

Will patients want to be part of the Code?

On the one hand, patients may ,perceive that the Code provides enhanced protection of their health information. On the other hand, patients may not want the Code complaint procedure to determine any complaint they have raised against a Code member.

One reason why some patients may ,not want their health privacy complaints dealt with under the Code is a perception that it has been developed ‘in order to provide a symbolic response to complaints or avoid a more onerous regulatory regime’.[21] Further reasons for a refusal may be a perception that the Code is not as independent as the Privacy Commissioner is or that the Code complaint process acts as a hurdle to having the complaint dealt with by the Commissioner, possibly discouraging under-resourced patients from pursuing ,a breach of privacy any further than complaining to the Code.

Section 36(1A) of the Privacy Act supports the view that if the health professional is bound to a code, then ,so is the patient. If the code ‘contains a procedure for making and dealing with complaints’ (s 36(1A)(a)), then the patient losses the statutory right (s 36(1)) to complain directly to the Commissioner.

The Privacy Commissioner may decide not to investigate or may defer investigation where the complaint is ‘frivolous or vexatious’ (s 41(1)(c)). These terms, in civil proceedings, include res judicata. Sir James Wigram stated rule of res judicata in Henderson v Henderson:

... the Court ... will not ... open the same subject ... which might have been bought forward ... but was not put forward ...,res judicata ... applies to every point which the parties ... might have bought forward.[22]

In principle, if a complainant does not bring a complaint forward to the Code for adjudication, then an attempt to bring it forward to the Commissioner could render the complaint vulnerable to the doctrine of res judicata and disposal as frivolous and vexatious.

It could be said that Health Ministers must sell the proposed Code to patients; no doubt s 18BB(2)(f) of the Privacy Act will come into play. Section 18BB(2)(f) requires that before the Privacy Commissioner approves a code, the Commissioner must be satisfied ‘that members of the public have been given ,an adequate opportunity to comment ,on a draft of the code’.

However, whether or not a consultation process and publicity ,drive effectively brings patients and consumers on side is academic, ,because (in respect of the handling of complaints) once the health service provider is bound to the Code, so is the patient — the choice is made for them.

It must also be noted that the Revised Version of the Code Development Guidelines (September 2001) declares ,at point 4.5 that ‘in most cases, the Commissioner will still consider a ,code to be voluntary when an industry association makes compliance with the code a condition of membership’.

But that is not the end of the matter. If patients do not want to be bound by all or any part of the Code, then they may attempt to persuade their health service provider to cease to be bound to the Code (see s 18BB(2)(d), which requires that a code must set out a ‘procedure by which an organisation may cease to be bound ,by the code and when the cessation takes effect’). Thus, practitioners may face conflicts between their patients and professional associations.

7. ACT and Victorian ,Health Records Acts

Unlike the Privacy Act, there is no statutory basis in either of these Health Record Acts for the approval of a privacy code. While the Health Records (Privacy and Access) Act 1997 (ACT) and the Health Records Act 2001 (Vic) (HRA) commenced before the Privacy Amendment (Private Sector) Act 2000 (Cth) — which introduced the co-regulatory regime — neither included ,any process to include a mechanism that approved separate privacy codes.

For example, s 51(h)(i) of the HRA recognises that the Health Services Commissioner may decide to decline to entertain a complaint where the health service provider ‘has dealt with, or is dealing, adequately with the complaint’. Arguably, the use of an intermediary or an appropriate ADR process would fall within this expression. As such, a code complaint procedure could also fall within this expression.

However, s 51(h)(i) of the HRA is identical to s 41(2)(a) of the Privacy Act.

Because the HRA has effectively included s 41(2)(a) of the Privacy Act, but not the Privacy Code provisions in Div 3 and Pt IIIAA of the Privacy Act, the exclusion is presumed to be deliberate. As such, Victorian legislation makes it clear that separate health privacy codes will not be approved ,in that state.


From the seven points above, we ,can see that there are some significant obstacles to overcome before the proposed National Health Privacy Code is approved and implemented. These are not the only issues. Some, but by no means all, further issues include the following.

Issues not expressed in the draft Consultation Paper


Will health service providers pay to be members of the Code? Who will fund complaint handling?

Further auditing

Do health service providers need to take additional steps to comply with the Code, for example, pass a standard or ,an audit?

Compliance with overarching ,privacy laws

Is the membership of the Code sufficient to guarantee that compliance with the Code will protect the health service provider from the many other provisions of the overarching legislation? Note the Privacy Act alone is 245 pages in length.

Transactions covered

It is clear that the Code foresees application across the private and public sectors, in each jurisdiction. However, it is not apparent whether the Code will apply to public sector/private sector transactions alone, or whether the Code will also apply to private sector/private sector transactions.

Issues expressed in the ,draft Consultation Paper


Of three options, the Code follows the option where it:

... would apply to the health sector, as ,well as to other public and private sector bodies ... who hold some information even though they do not provide a health service as such.

However, the draft Consultation Paper continues:

[T]his issue is under still under consideration, the Code will be revised ,if a decision is made to limit the coverage primarily to the health sector.[23]

Complaints handling procedures

On this issue, the draft Consultation Paper leaves part of the answer for each jurisdiction:

Ultimately, the complaints mechanism that applies to the Code will depend in part on how each State and Territory decides to implement the Code.[24]

In summary, it is clear that there is a wide range of issues to address, before the proposed Code can be approved and then implemented. Because most Australians have some form of health information, the proposed Code is of national importance. As such, it would be preferable that the Health Ministers take extra steps than the statutory minimum set under s 18BB, in respect of giving the members of the public an ‘adequate opportunity to comment on a draft of the Code’. An extra step would be to give members of the public an adequate opportunity to comment on the all those issues that have not been resolved in the draft Code and draft Consultation Paper.

Alan Stapleton is a sole practitioner and principal of i-privacy Pty Ltd, Health Information Consultants. He is primarily concerned with information law.

[1] Privacy Act 1988 (Cth) s 6.

[2] Office of the Federal Privacy Commissioner Draft Code Development Guidelines April 2001.

[3] Senator the Hon Kay Patterson Minister for Health and Ageing Daryl Williams AM QC MP Attorney-General, Media release, 1 December 2002.

[4] Australian Health Ministers’ Advisory Council National Health Privacy Working Group National Health Privacy Code Draft Consultation Paper December 2002 p 9.

[5] See above note 4 p 12.

[6] Above note 4 p 9.

[7] Above note 4 p 15.

[8] Office of the Federal Privacy Commissioner Draft Health Privacy Guidelines, A consultation document issued by the Office of the Federal Privacy Commissioner 14 May 2001; Office of the Federal Privacy Commis-sioner Draft National Privacy Principle Guidelines, A consultation document issued by the Office of the Federal Privacy Commissioner 7 May 2001.

[9] Office of the Federal Privacy Commissioner Guidelines on Privacy in the Private Health Sector 8 November 2001; and Office of the Federal Privacy Commissioner Guidelines to the National Privacy Principles September 2001.

[10] Above note 4 p 13.

[11] Privacy Act 1988 s 16D.

[12] Above note 4 p 9.

[13] To see details of existing privacy items go to: <>.

[14] Dixon T ‘Preparing for the new privacy legislation’ 2001 CyberLRes 7, point 5.1, available at <>.

[15] See <>.

[16] See <>.

[17] See <>.

[18] Agre and Rotenberg Technology and Privacy: The New Landscape The MIT Press 1997, p 113.

[19] Above note 4 p16.

[20] See <>; and <>.

[21] Agre and Rotenberg above note 18 p 115.

[22] [1843] EngR 917; (1843) 3 Hare 100 at 115.

[23] Above note 4 p 16.

[24] Above note 4 p 45.

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback