Health information is considered sensitive information under the Privacy Act 1988 (Cth). So, greater protections apply to that information than to general personal information. Use and disclosure of health information is defined in the Privacy Act 1988 (Cth) under APP6, which states that an organisation must not use or disclose personal information about an individual for a purpose other than the ‘primary purpose’ of collection, except for a number of limited circumstances. Those limited circumstances include the following:
- where the person would reasonably expect the information to be disclosed for a secondary purpose (If the information is health information and, therefore, considered sensitive, any disclosure must be directly related to the primary purpose of collection. If the information is not health information and, therefore, not considered sensitive, any disclosure must still be related to the primary purpose.)
- to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, where it is unreasonable or impractical to gain consent
- to take appropriate action in relation to suspected unlawful activity or serious misconduct
- where to do so is reasonably necessary for establishing, exercising or defending a legal or equitable claim
- to locate a person reported as missing
- where to do so is necessary to prevent a serious threat to the life, health or safety of a genetic relative (special conditions apply).