The health industry is one of Australia’s more heavily regulated industries. As well as having to consider the regulatory requirements of the Therapeutic Goods Administration, and possibly AHPRA, health startups need to determine the applicability of Australian privacy laws.
Privacy Law in Australia
The legal framework for privacy in Australia, as it applies to the private sector, is the Privacy Act 1988 (the Privacy Act). The Privacy Act generally only applies to businesses that have an annual revenue exceeding $3,000,000. However, if your business falls into one of several industries, including the provision of health services, the Privacy Act will apply despite your revenue turnover (you can find a full list of specified industries covered by the Privacy Act here).
What is a Health Service?
Just because your business is playing in the health space, doesn’t necessarily mean you will be classed as a health service (although its likely). A service is defined as a health service under the Privacy Act if:
- It is intended or claimed to:
- Assess, maintain, improve or manage the recipients health;
- The diagnose or treat an illness, disability or injury;
- To record a person’s health for the purposes of assessing, maintaining, improving or managing their health;
- It involves dispensing prescribed drugs.
The above services apply whether it is in relation to physical or psychological health. If you think your business is offering a service which may be caught by the above definition, but you’re unsure, we strongly recommend speaking with a startup lawyer to confirm your obligations. If your business is captured by the above, then you will need to comply with the Privacy Act.
Complying with the Privacy Act
Compliance with the Privacy Act, for the most part, requires compliance with the 13 Australian Privacy Principles set out at Schedule 1 of the Privacy Act (APPs). The APPs are designed to ensure individuals have access, transparency and autonomy when it comes to their personal information. Examples of APPs include:
- Where possible, enabling individuals to anonymise themselves with respect to certain matters;
- Only collecting personal information that is necessary for one of the business’s activities;
- Only collecting personal information through fair and lawful means;
- Notifying individuals that their information is being collected;
- Only disclosing the information to third parties in permitted circumstances;
- Deleting personal information when it is no longer required;
- Having adequate security measures in place to protect personal information.
A good first step towards compliance is putting together a Privacy Act compliant privacy policy, as is required by APP 1.3. The specific contents of your privacy may differ depending on your industry, the services you are providing, the ways you are collecting information, etc, however APP 1.4 sets out the minimum information that a privacy policy must hold:
- How and why the business collects and holds personal information;
- How an individual may access and correct their personal information;
- How an individual may complain about a breach of an APP;
- Whether their personal information is likely to be disclosed to overseas recipients and, if so, where are they likely to be located.
Sensitive Information
More onerous requirements apply when your business is collecting sensitive information, which is information about a person’s:
- Race or ethnicity;
- Health, genetics or biometrics;
- Political, religious or philosophical beliefs or affiliations;
- Sexual orientation or practices;
- Membership to a professional or trade association or trade union.
As a health startup, it is highly likely that your business will be collecting information related to an individual’s health, genetics, biometrics, race or ethnicity, and possibly also their sexual orientation or practices. You should get in touch with a startup commercial lawyer who is experienced with health startups
The APPs set out how sensitive information must be treated differently to personal information. For example, a business may only collect personal information if it is reasonably necessary for one or more of its functions. However, it may only collect sensitive information if it is necessary for one or more of its functions AND if the individual consents. Similarly, a business may use personal information for direct marketing if the individual would reasonably expect the business to do so, and has a simple way to opt out of direct marketing. Conversely, it may only use sensitive information for direct marketing with the individual’s consent.
Where activities under the Privacy Act require an individual’s consent, such as in the examples given above, a privacy policy can be a great place to procure this consent. For more advice on what to include in a privacy policy, read here.
Get in touch
Here at Allied Legal, our commercial lawyers have assisted countless startups with navigating their privacy obligations under the Privacy Act. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, gives us a call on 03 8691 3111 or email us at hello@alliedlegal.com.au.
