REGULATION
PRIVACY IN MARKETING
This article considers privacy in the context of how it is applied to marketing practice in private healthcare sectors.
Australia has legislation governing the collection of personal information, as set out in the Federal Privacy Act No. 119 of 1988 as amended. For the latest version visit the ComLaw website. Originally the Act applied to public sector organisations. In 2001, it was significantly amended to extend to most private sector organisations. The amendments are based around 10 National Privacy Principles (NPPs) which set out how organisations should collect, use, secure and disclose information about individuals. See NPPs Explained.
What is privacy and personal information?
The word 'privacy' means different things to different people. The type of privacy covered by the Privacy Act is the protection of people's personal information, however this is just one aspect. Other types of privacy can include territorial privacy and physical or bodily privacy and privacy of communications.
Personal information is information that identifies, or could identify a person. An obvious example is a person’s name, address or phone number. Personal information can also include medical records, date of birth, photos, and even their opinions or where they work - basically, anything that reasonably identifies an individual.
An organisation must take reasonable steps to make individuals aware that it is collecting personal information about them; the purposes for which it is collecting the information, and who it might pass the information on to.
What does the Privacy Act cover?
The Privacy Act begins to apply when an organisation collects personal information and enters that information into a record storage system such as a database. The Legislation regulates how personal information is handled. For example, it covers:
- how personal information is collected (e.g. the personal information provided when filling in a form)
- how it is then used and disclosed
- its accuracy
- how securely it is kept
- a persons general right to access their information.
Coverage
The private sector provisions of the Act apply to organisations (including not-for-profit organisations) with an annual turnover of $3million or more.
However, the provisions apply to all health service providers regardless of turnover. All health service providers in the private sector (‘providers’) must comply with the 10 National Privacy Principles (‘NPPs’) under the Commonwealth Privacy Act 1988 (‘the Privacy Act’) when handling personal information. Providers include general practitioners, mental health professionals and private sector nurses, other board-accredited specialists and private hospitals, as well as those providing allied and complementary healthcare. For example, physiotherapists, osteopaths and pharmacists. More information on health service providers covered by the Privacy Act can be found at http://www.privacy.gov.au/publications/hg_01.html - a21.
Health service providers in the state and territory public sectors (such as public hospitals and their staff) are not bound by the NPPs, but may have to comply with state and territory privacy laws.
National Privacy Principles Explained
The Act sets out minimum standards for privacy protection in 10 National Privacy Principles (NPPs), which legally bind organisations in the way they must handle personal information. The NPPs regulate how private sector organisations must collect, use, disclose, and keep secure the personal information of clients and suppliers. They also give individuals the right to know what information an organisation holds about them, and the right to correct it.
The 10 NPPs are as follows:
Collection (NPP 1): requires that an organisation must only collect personal information if it is necessary for one or more of their functions and must take reasonable steps to ensure the individual is aware of why their personal information has been collected, how it is to be used and stored, who it may be disclosed to, and that they have a right to access information that you hold about them.
An organisation may also only collect personal information about an individual from a third party with that individual’s consent.
Methods that providers can adopt to inform individuals about the collection of their personal information include adopting privacy statements; displaying privacy notices at their premises; linking their website to a privacy statement where there is electronic data collection. If information is collected over the phone, implement a pre-scripted statement or automated message about how any personal information will be handled.
Use and disclosure (NPP 2): regulates how organisations can use and disclose an individual’s personal information. This Principle makes an important distinction between use and disclosure undertaken for the primary purpose of collection, and use and disclosure undertaken for some other secondary purpose.
Generally speaking, an organisation must not use or disclose an individual’s personal information for a purpose (secondary purpose) other than the primary purpose of collection, unless the individual has consented or the individual would reasonably expect the organisation to use or disclose their personal information for the secondary purpose.
The Principal specifies other possible exceptions including clause (c) which states “if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individual’s consent before that particular use; and
(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and
(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and
(iv) in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and
(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically.”
Other subparagraphs under this clause with potential relevance to marketing activities address the use and disclosure of health information necessary for research, compilation or analysis of statistics, relevant to public health and safety, and where “use and disclosure may be necessary to lessen or prevent: (i) a serious and imminent threat to an individual’s life, health or safety; or (ii) a serious threat to public health or public safety” (for example through the use of medical alerts or product recalls).*
Data quality (NPP 3): requires that an organisation must take reasonable steps to ensure that all personal information they collect, use or disclose is accurate, complete and up-to-date.
What are considered to be reasonable steps vary depending on the circumstances. Factors for providers to consider include whether the kinds of personal information collected are likely to change over time, how recently the personal information was collected, and who provided the personal information.
Data security (NPP 4): requires that an organisation take reasonable steps to protect all personal information from loss, misuse and unauthorised access, modification or disclosure.
The types of security measures that providers could implement include physical security, such as preventing unauthorised entry to premises and locking filing cabinets that store paper-based personal information; computer and network security, such as preventing unauthorised access to networks, firewalls or secured login websites; communications security, such as protecting communications via data transmission, including email and voice, from interception; and personnel security, such as limiting access to personal information by authorised staff for approved purposes.
Openness (NPP 5): an organisation is required to make available on request a privacy policy setting out the organisation’s management of personal information it collects. The privacy policy must set out whether the organisation is bound by the NPPs or by its own privacy code approved by the Federal Privacy Commissioner; any exemptions under the Act that apply to that organisation; how the organisation collects, uses and discloses personal information; and that the individual can obtain more information upon request concerning the organisation’s handling of personal information.
Access and correction (NPP 6): generally requires that an organisation must allow individuals to access and correct personal information held about them. This access may include inspecting records, taking notes, or the provision of photocopies or printouts. There are limited situations where an individual can be prevented from accessing their personal information. These situations include if the information would breach another person’s privacy; if the information is a threat to the life or health of a person; where access would be unlawful; or where access would prejudice an organisation’s negotiations with the individual.
Identifiers (NPP 7): restricts an organisation’s use and disclosure of Commonwealth government identifiers such as Medicare and tax file numbers, unless the use is by the organisation (or agent) that assigned the number. Even then, only under prescribed circumstances and strict conditions apply. NPP 7 does not apply to identifiers issued by individual private practitioners or private organisations. It also does not apply to State and Territory assigned identifiers, however providers should check laws in relevant jurisdictions before use.*
Anonymity (NPP 8): states that wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
Transborder data flows (NPP 9): requires that when transferring an individual’s personal information overseas, an organisation must ensure the individual has consented, that the recipient is legally or contractually bound to handle the information in accordance with requirements substantially similar to the NPPs, or that the transfer is for the benefit of the individual and it is impracticable to obtain the individual’s consent, which they would be likely to give.
Sensitive information (NPP 10): places specific restrictions on an organisation when collecting sensitive information. ‘Sensitive information’ is a sub-category of personal information and includes ‘health information’ as well as information about race, religion, political and philosophical beliefs, and other personal things.
Health and medical information are especially important to a person’s privacy. Any personal information held by a health service provider is likely to be health information under the Privacy Act. The legislation recognises the particularly sensitive nature of health information and places extra protections around its handling. The Act has particular provisions that require that sensitive information be managed with particular care.*
Sensitive information should not be used for commercial direct marketing purposes under any circumstances.
How the Privacy Act works
The principles contained in the Privacy Act are not prescriptive. That is, they don't tell agencies and organisations what they must do in each situation. Rather, they offer principles about the way in which personal information should be handled, and each agency or organisation needs to apply those principles to its own situation.
In complying, organisations need to ensure that they have a Privacy Policy in place that adequately addresses the NPPs, and that individuals who deal with them are made aware of the privacy policy and their rights under the Act. The Privacy Act gives organisations the option of adopting a privacy code that meets it’s own particular privacy requirements. These need to be approved by the Office of the Australian Information Commissioner (OAIC) [formerly the 'Privacy Commission'], after which the organisations become bound by their own code.
If an agency or organisation breaches the privacy principles or a privacy policy, and an individual believes their information has been mishandled, the OAIC may investigate the matter.
Further Information
Respective professional associations are usually the best source of advice for healthcare providers on the application of privacy matters in specific fields. To assist health providers in understanding their obligations under the amended Privacy Act, the Office of the Australian Information Commissioner has also developed Guidelines on Privacy in the Private Healthcare Sector. This document and other related information can be found at http://www.privacy.gov.au/topics/health.
* Other recommended reading:
A full description of the National Privacy Principles (NPP) can be found at http://www.privacy.gov.au/publications/npps01.html
Privacy And Personal Information That Is Publicly Available - Private Sector Information Sheet 17 – 2003 http://www.privacy.gov.au/materials/types/infosheets/view/6549
The Australian Direct Marketing Association (ADMA) also maintains an industry code of ethics and offers its members a Privacy Policy template for use in all marketing material. To find out more about ADMA, go to http://www.adma.com.au.
This article was posted on 16/01/12
Disclaimer – information in this article is provided as editorial only and should not be considered legal advice. Healthcare Marketing Matters cannot offer legal advice. We strongly recommend that healthcare marketers seek formal legal reviews of any marketing programs or advertising material containing information about medicines, medical or other health services prior to public implementation or distribution.
