Privacy Legislation and Disability Services
Disability Practitioners are usually quite familiar with Disability Discrimination legislation such as the Disability Discrimination Act (DDA) and The Disability Standards for Education (The Standards), but are often less familiar with the various pieces of Privacy legislation throughout the country, which can often have a significant impact on rights and responsibilities of clients and practitioners and the potential impact on practices. It is important that Practitioners are aware of these rights and responsibilities and that they make sure that their practices are consistent with their legislative obligations.
Trust is an essential component in the relationship between Disability Advisors (DAs) and students with disabilities, as well as between the Disability Practitioner and the Education Provider. The student with a disability must be able to trust that the DA will respect the confidentiality of the sensitive personal and health information provided to them, and act professionally, thoroughly and with integrity to ensure that adjustments provided are reasonable, appropriate, timely and based on clear medical evidence, consistent with legislation, institutional policies and procedures and good practice. The student has the right to be consulted at all stages (indeed this is enshrined in the DDA Standards for Education) and to give consent before any actions are taken on their behalf. Without such trust, students may be reluctant to disclose sensitive medical and personal information; this may create serious problems for the student, the practitioner and the educational institution where necessary information is not available to inform appropriate decision making and the development of appropriate strategies.
The consequences of inappropriate disclosure of sensitive personal information can be serious, potentially causing distress, aggravation of symptoms and delays in study or even abandonment of studies. I know of at least two instances where the inappropriate disclosure of sensitive medical information resulted in the students attempting suicide.
Also, failure to comply with obligations under Privacy legislation may place the practitioner and their institution at risk of complaint and litigation. While there is not a lot of Case Law in this area, it is not necessarily because there aren’t complaints and cases where Privacy Law has been breached, but rather that most of them do not get finalised in court. As with the DDA, most of the cases are either abandoned or settled before a final hearing, but unlike the DDA, these settled complaints are not published in the Privacy Legislation sector. However, the process of dealing with a complaint is very stressful for everyone involved. Like most legislative obligations, it is much better to ensure that your practices conform to the legislation, rather than learning about good practice by dealing with a complaint or being sued for breaches. Compliance with the law also ensures good practice, and much better educational experiences for students.
What complicates the issue is that there are different legislative regimes federally, and in different states, so what legislation applies to a particular circumstance will vary depending on which state or territory you are in and the legislation that is relevant to the case in question.
The good news is that there are many common principles across all of the legislation that can be addressed through instituting good practices in the way you deal with any personal, disability or health information that can mitigate any risk of successful litigation or complaint.
Another potential benefit of a clear and rigorous adherence to respecting the confidentiality of personal information, including sensitive information about health or disability, is that the Disability Service can act as an intermediary between the student and the wider educational institution, thus encouraging students to disclose this information in a safe environment, in order to develop appropriate adjustments and strategies, knowing that it will not be disclosed to the wider educational institution, where they may not be comfortable with such information being known.
All Australian Privacy legislation includes a number of common principles that should be fundamental to the practice of Disability staff at all stages. This also applies to all staff in the educational institution, who should be aware of their obligations and follow privacy principles in their practice, but it is particularly important for Disability staff, given the sensitive personal information they are dealing with and the additional complexities it entails.
Outlined below are suggestions for best practice regarding Privacy.
- Always seek Consent for any disclosure in writing. Informed consent is a fundamental principle of Privacy legislation and Practitioners should always explain to students what will be disclosed, how much, to whom and under what circumstances before seeking consent to disclose. Preferably, the service should have a consent form that outlines this information, which the student can sign. Where the matter is urgent, and consent has been given over the phone, for example, that consent should always be confirmed in writing, such as by email or text, BEFORE any action is taken. This is to ensure that the consent is understood and agreed to by the student, and is a key measure of protection for the student, the practitioner and the institution.
- Always ensure any information provided is accurate, and as complete as possible. Again, a common principle of Privacy legislation is that any information held and acted upon is accurate and verified as far as possible. A good practice is to seek appropriate medical documentation to verify the nature of the disability or medical condition, and to inform any strategies and adjustments to be implemented.
- Only EVER use the information provided for the purpose for which it was provided. That usually means in the education context, that the information should only be used for the purpose of determining and implementing the necessary strategies and reasonable adjustments to minimise disadvantage experienced by the student as a consequence of the effects of their disability or medical condition. The information should never be used for any other purpose, without the explicit written consent of the student. For example, a student may wish to participate in an external internship program designed for students with a disability, so may need the Disability Practitioner to provide details or support to the external body organising the internships. It is good practice to get the student to sign a consent form agreeing to the specifics of the authorised disclosure before taking action.
- Only ever disclose on a “need to know” basis. Only ever disclose personal or health information about the student to those who need to know, and then only as much as they need to know. Usually, academics and administrators at educational institutions only need to know that the student has a medically verified disability and the nature of the adjustments or strategies required to address any disadvantage caused by the disability. In certain instances, where the academic or administrator may need to know more information, such as if a student has a Learning Disability which will affect teaching and assessment strategies, such disclosure should only be made with student consent, after having explained the need for disclosure. The student always has the right to refuse consent, even if there may be adverse effects for their studies.
One positive effect of this generalised limited disclosure is that it becomes normal for academics and administrators to not be given explicit details of a student’s disability or medical condition, and therefore reduces pressure on Practitioners to inappropriately disclose sensitive medical information where the student chooses to retain confidentiality. If academics and administrators are used to receiving more detailed information about most students, then keeping such details confidential for some students may arouse suspicion, curiosity and demands for more information. However, if the usual practice is not to disclose detailed disability and health information, keeping such details confidential is just normal practice.
Practitioners should be comfortable relying on their professional judgement and integrity in assessing the documentation, consulting the student and determining appropriate strategies and adjustments.
- NEVER disclose any information to anyone outside the educational institution without specific (written) consent from the student (with the exception of threats to Public Health and Safety – see below). Australian Privacy Legislation tends to view external disclosure of personal information even more seriously than internal disclosure. With the exception of reasonable concerns about threats to Public Health and Safety (including the Health and Welfare of the student), no information should be disclosed to anyone outside the educational institution. In some instances, it may be argued that disclosure to any institution staff member is disclosure to the institution as a whole, but that can never be argued for any external person or body.
An interesting effect of this principle is that, when dealing with adult students, such as those at TAFEs and universities, student consent should be sought before disclosing any information to the student’s parents. This may take some adjusting for parents and students who may have been used to discussing students with teachers when the students were minors. However, you need to resist pressure from parents to disclose, and seek written consent from the student as to whether, and what, information you are permitted to disclose to parents before you disclose anything. If the student is under 18, then it is possible to disclose information directly to parents or legal guardians without explicit permission.
- Always keep student personal, disability and medical information secure. Paper files should be kept in secure filing cabinets when not in use, and electronic information should be kept in secure databases, accessible only to authorised personnel. This is to prevent the inadvertent disclosure of sensitive information to anyone not authorised to see it. Files of other students should not be left on your interview table or desk while consulting another student, and certainly should not be within reach if you have to leave the room momentarily. Computer screens should not show database information that could be seen by someone else who is in your office. That means that before a student comes in for a consultation, you should either close windows showing individual student files, or minimise them so they can’t be seen.
- ALWAYS keep comprehensive records in the student file of all interactions and documents. This is as much a protection for the practitioner as it is a comprehensive reference and record of the student case. Every consultation, phone call, email, document or text message should be included in the records so that they can be referenced and, if necessary, provided as evidence in any complaint or litigation. They can be subpoenaed by the complainant, or provided as evidence for the defence of your case. Comprehensive and detailed records can be your best friend, or your worst enemy if they are not sufficient.
- Remember that the student usually has the right to access their records and request changes where they believe they are not accurate. It is very important that you keep your records accurate and comprehensive so that the student has no cause for complaint. If there are inaccuracies of fact (e.g. medical information) then the student has the right to request that they be changed. However, the student does not have the right to say that you did not do something which you did. That is one reason why it is important to verify the contents of phone calls and discussions in writing with the student. After a phone call, send an email summarising the content of the call, asking the student to confirm the details before you take action on them. The same applies to consultations. Other activities such as emails or texts can usually be confirmed by physical records, but where possible, the student should be copied into correspondence.
- BE CAREFUL not to inadvertently disclose sensitive information in the wording of adjustments. While many disabilities are apparent, such as a wheelchair or a Guide Dog, usually well over 80% of registered disability students have an invisible disability, so have a measure of choice about whether, how much and to whom they disclose their disability or medical condition. Sometimes the nature of adjustments may necessarily imply particular disability types, but wherever possible, generic or broad wording should be used. Instead of “mental illness”, you might use something like “an episodic illness that can produce periods of severe symptoms which may require some flexibility in deadlines”. Students should be given the opportunity to approve the wording of adjustments, and, if they choose, to refuse some adjustments if they feel they disclose more information than they are comfortable disclosing.
Privacy Legislation in Australia
Outlined below are the major Privacy legislation regimes operating in different states and territories, their main principles and requirements.
Listed below are links to basic information about Privacy Legislation in the various Australian jurisdictions:
The Federal Privacy Act (1988) is the overarching Commonwealth privacy law. It applies to all Australian government departments and agencies as well as, to some extent, in the Northern Territory, the Australian Capital Territory, South Australia, Western Australia and Norfolk Island. The ACT and NT also have other Privacy legislation that will be dealt with later.
The Privacy Act is administered by the Office of the Australian Information Commissioner which would be the avenue for complaints under this legislation.
The Privacy Act has thirteen Principles that apply to Australian Privacy Principle Entities (APP Entities). APP Entities include “most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.” (OIPC). The only universities covered by the Federal Privacy Act are the ANU and private universities, although in some instances, universities can choose to be covered by the Act.
“The principles cover:
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure
- right for individuals to access and correct their personal information
There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7), cross-border disclosure of personal information (APP 8) and the adoption, use and disclosure of government related identifiers (APP 9).” (OIPC)
The Privacy Act also has more stringent requirements for dealing with what it calls “sensitive information” such as information about a person’s health, racial or ethnic origin, religious beliefs, criminal records and so on. This is especially relevant to Disability Services, since they usually collect health information for their clients.
This is not the avenue for a very detailed examination of the provisions of the Act. There is some very good information and guides at the OIPC website.
NSW has a number of pieces of Privacy legislation that cover different areas. The legislation is overseen by the Information and Privacy Commission which is an independent statutory authority that administers legislation dealing with privacy and access to government held information in New South Wales. There are two main Privacy Acts that are relevant to Disability Practitioners in the Tertiary Education sector.
The PPIP Act covers personal information held by a range of government agencies, statutory bodies, local councils, TAFEs and universities. It defines Personal Information as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not in a recorded form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
The PPIP Act does not cover Health information. That is covered by the Health Records and Information Privacy Act (HRIP Act).
The NSW PPIP Act has 12 Principles to be followed:
- Collection of information for a lawful purpose
- Collection of personal information directly from individual
- Requirements when collecting personal information (Including informing the individual about the collection, the purpose of the collection and who will be able to access it.)
- Other requirements relating to collection of personal information (including that the information be accurate, up to date and complete)
- Retention and security of personal information
- Information about personal information held by agencies (requiring agencies to enable an individual to ascertain whether they hold personal information about them, what information they hold, the purpose the information is used for and how the individual can access the information.)
- Access to personal information held by agencies (requires the agency to provide access to the individual’s personal information without undue delay or expense.)
- Alteration of personal information (requires the amendment of the personal information to ensure it is accurate, relevant and complete and not misleading.)
- Agency must check accuracy of personal information before use
- Limits on use of personal information (personal information only to be used for the purpose for which it was given, with the consent of the individual or an imminent threat to the life and health of the individual or another person.)
- Limits on disclosure of personal information (limits disclosure to other persons or agencies unless the individual is aware of the disclosure, and is consistent with the purpose of collecting the information or the imminent threat to health and safety provision.)
- Special restrictions on disclosure of personal information (deals with a range of restrictions on disclosure of personal information and circumstances.)
The purpose of the HRIP Act is to “promote fair and responsible handling of health information by protecting the privacy of information about a person’s health, enabling individuals to gain access to any health information held about them and to provide a framework for handling complaints.”
The provisions of the HRIP Act are similar to those of the PPIP Act and the Federal Privacy Act, but given the sensitivity of information about a person’s health, breaches of Privacy Principles tend to be viewed even more seriously than other privacy breaches. Since Disability Services hold health information about their clients, it is very important that the confidentiality of that information is respected and legislative obligations are followed.
There are 15 Health Privacy Principles (HPPs) contained in the Act:
Health Privacy Principles (From Health Privacy Principles (HPPs) explained for members of the public - Information and Privacy Commission)
1. Lawful. An agency or organisation can only collect your health information for a lawful purpose. It must also be directly related to the agency or organisation’s activities and necessary for that purpose.
2. Relevant. An agency or organisation must ensure that your health information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.
3. Direct. An agency or organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.
4. Open. An agency or organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information, and any consequences if you decide not to provide it.
5. Secure. An agency or organisation must store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
6. Transparent. An agency or organisation must provide you with details regarding the health information they are storing, why they are storing it and what rights you have to access it.
7. Accessible. An agency or organisation must allow you to access your health information without unreasonable delay or expense.
8. Correct. Allows a person to update, correct or amend their personal information where necessary.
9. Accurate. Ensures that the health information is relevant and accurate before being used.
10. Limited. An agency or organisation can only use your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise separate consent is required.
11. Limited. An agency or organisation can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 11 applies). Otherwise separate consent is required.
Identifiers and anonymity
12. Not identified. An agency or organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
13. Anonymous. Give the person the option of receiving services from you anonymously, where this is lawful and practicable.
Transferrals and linkage
14. Controlled. Only transfer health information outside New South Wales in accordance with HPP 14.
15. Authorised. Only use health records linkage systems if the person has provided or expressed their consent.
Government Information (Public Access) Act 2009 (GIPA Act)
While the GIPA Act is not, strictly speaking, Privacy legislation, Practitioners in NSW should be aware of its provisions. Under the GIPA Act, individuals are entitled to apply for any information about them to be provided. That includes case notes, student records, personnel files, emails, letters, notes, etc. In short, any information or records held by the institution referring to that individual must be produced on application by that individual. That means that any emails, letters, case notes or other records about individuals should be written with the view that they could be called on in a potential legal situation, either through subpoena, summons or GIPA application, and so should be accurate, comprehensive, professional and respectful. Anything you write down or record should be something you are comfortable defending in a court, because that may be what happens.
It should also be noted that sins of omission can be equally damning in court. Incomplete, sketchy, inaccurate case notes or records can be viewed negatively by the courts, especially if other records such as emails or letters are omitted from the case notes. Personal comments and criticisms of individuals should be avoided.
As a general rule, practitioners should ensure that all records and communications are accurate, comprehensive, professionally dispassionate and treated as if they may be called as evidence in court, because that may be just what happens.
Just as with other Privacy legislation in Australia, the Victorian Privacy and Data Protection Act (PDP Act) has a number of Information Privacy Principles that must be followed by government departments, agencies and institutions such as universities and TAFEs.
The Office of the Victorian Information Commissioner (OVIC), which administers the PDP Act, provides a plain English version of the PDP Act IPPs.
The Information Privacy Principles
- IPP 1 – Collection
- IPP 2 – Use and Disclosure
Personal information can only be used and disclosed for the primary purpose for which it was collected, or for a secondary purpose that would be reasonably expected. It can also be used and disclosed in other limited circumstances, such as with the individual’s consent, for a law enforcement purpose, or to protect the safety of an individual or the public.
- IPP 3 – Data Quality
Organisations must keep personal information accurate, complete and up to date. The accuracy of personal information should be verified at the time of collection, and periodically checked as long as it is used and disclosed by the organisation.
- IPP 4 – Data Security
Organisations need to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. An organisation must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed. For more information on what constitutes ‘reasonable steps’, please see the Guidelines to protecting the security of personal information: ‘Reasonable Steps’ under Information Privacy Principle 4.1.
- IPP 5 – Openness
- IPP 6 – Access and Correction
Individuals have the right to seek access to their own personal information and to make corrections to it if necessary. An organisation may only refuse in limited circumstances that are detailed in the PDP Act, for example where disclosure might threaten the safety of an individual. The right to access and correction under IPP 6 will apply to organisations that are not covered by the Freedom of Information Act 1982.
- IPP 7 – Unique Identifiers
A unique identifier is an identifier (usually a number) that is used for the purpose of identifying an individual. Use of unique identifiers is only allowed where an organisation can demonstrate that the assignment is necessary to carry out its functions efficiently. There are also restrictions on how organisations can adopt unique identifiers assigned to individuals by other organisations. Further information on unique identifiers.
- IPP 8 – Anonymity
Where lawful and practicable, individuals should have the option of transacting with an organisation without identifying themselves.
- IPP 9 – Transborder Data Flows
If an individual’s personal information travels outside Victoria, the privacy protection should travel with it. Organisations can only transfer personal information outside Victoria in certain circumstances, for example, if the individual consents, or if the recipient of the personal information is subject to a law or binding scheme that is substantially similar to the Victorian IPPs.
- IPP 10 – Sensitive Information
The PDP Act places special restrictions on the collection of sensitive information. This includes racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices, and criminal record. Organisations can only collect sensitive information under certain circumstances.
Health Records Act (2001) (HR Act)
The HR Act is administered by the Victorian Health Complaints Commissioner, and provides protection of personal health information held by government and private institutions and agencies, including universities and TAFEs.
The Health Privacy Principles are set out in Schedule 1 of the HR Act. Because they are quite detailed, but broadly similar to the PDP Act IPPs, I won’t provide the details here.
Personal Information Protection Act 2004 (PIP Act)
The Tasmanian PIP Act has similar Privacy Principles to other jurisdictions, covering:
- Collection of Information
- Use and Disclosure
- Data Quality
- Data Security
- Access and Correction
- Unique Identifiers
- Disclosure of Information Outside Tasmania
- Sensitive Information
The Right to Information Act (2009) is mainly designed to facilitate more open government by providing access to information held by government and its agencies. However, like the NSW GIPA Act, this legislation also gives individuals the right to seek information about themselves held by the government or its agencies. Universities and TAFEs are included in these provisions, so, as I outlined before, as a general rule, practitioners should ensure that all records, case notes and communications are accurate, comprehensive, professionally dispassionate and treated as if they may be called as evidence in court, because that may be just what happens.
South Australian Legislation
South Australia does not have separate Privacy legislation, but generally operates under Commonwealth legislation. However, since 1989, there has been a Cabinet Administrative Instruction which outlines the Information Privacy Principles (IPPI) that government and its agencies are required to follow. Again, these IPPs follow the usual model covering the following topics:
- Collection of personal Information
- Storage of Personal Information
- Access to Personal Information
- Correction of Personal Information
- Use of Personal Information
- Disclosure of Personal Information.
One interesting aspect of the legislative framework in South Australia is that, according to the South Australian Archives website on Privacy law in SA, “universities are not covered by either the Commonwealth Privacy Act 1988 or the IPPI”, so privacy obligations are something of a grey area. The major issue would be the relevant avenues for complaints about potential breaches of Privacy. The Commonwealth Privacy Act 1988 explicitly excludes universities from its provisions, except for the ANU and private universities. TAFEs would still be covered by the IPPI in SA. Universities can opt in to be covered by the Commonwealth Privacy Act.
Western Australian Legislation
Western Australia currently has no separate Privacy legislation. The Office of the Information Commissioner (WA) administers the Freedom of Information Act 1992 (WA) which includes some privacy principles, related to the disclosure and amendment of personal information held by Western Australian State and local government agencies.
The Health and Disability Services Complaints Office is an independent statutory authority that also handles complaints relating to health and disability services in Western Australia.
As with SA, universities are not covered by the Commonwealth Privacy Act (1988), but can opt in if they choose.
Northern Territory Legislation
The NT Information Act 2002 is basically a combined Freedom of Information Act and Privacy Act. In Schedule 1 of the Act, it outlines 10 Information Privacy Principles (IPPs) covering:
- Use and Disclosure
- Data Quality
- Data Security
- Access and Correction
- Transborder Data Flows
- Sensitive Information.
The Health and Community Services Complaints Commission also accepts complaints about health, disability and aged services in the Northern Territory.
The Queensland Office of the Information Commissioner receives privacy complaints under the Information Privacy Act 2009 (Qld) (IP Act) which covers the Queensland public sector, including Universities and TAFEs.
The Qld IP Act has 11 Information Privacy Principles (IPPs) covering:
- IPP 1—Collection of personal information (lawful and fair)
- IPP 2—Collection of personal information (requested from individual)
- IPP 3—Collection of personal information (relevance etc.)
- IPP 5—Providing information about documents containing personal information
- IPP 6—Access to documents containing personal information
- IPP 7—Amendment of documents containing personal information
- IPP 8—Checking of accuracy etc. of personal information before use by agency
- IPP 9—Use of personal information only for relevant purpose
- IPP 10—Limits on use of personal information
- IPP 11—Limits on disclosure.
The Information Privacy Act 2014 (ACT) (Information Privacy Act) regulates how Australian Capital Territory (ACT) public sector agencies handle personal information. It includes a set of Territory Privacy Principles (TPPs) which cover the collection, storage, use and disclosure of personal information, and an individual’s access to and correction of that information. The Commonwealth Office of the Australian Information Commissioner administers some aspects of the IP Act, including handling complaints and monitoring compliance with the legislation.
The 13 TPPs are similar to the Commonwealth Privacy Act APPs.
As you can see, most of the Australian Privacy legislation has similar principles and coverage, which makes it possible to provide general advice about how to ensure compliance with the legislation. The information in this article is not intended to be detailed and comprehensive, but is designed primarily to make Disability Practitioners aware of the various legislative regimes across the country. I would suggest that it is advisable that Disability Practitioners familiarise themselves with the relevant legislative regime in their state or territory.
At the very least, Practitioners should be aware that, because they are dealing with sensitive personal and health information, they have significant responsibilities under Privacy legislation, and should ensure that their practice always follows these principles and legislation.
In general then, the operation of Privacy legislative obligations in Disability Practice could be reasonably summed up with the following:
- CONSULT with the student to ensure accuracy of information, extent (What, Who, Why, What circumstances, How Much?) of any disclosure, nature of adjustments, etc.
- CONSENT. Always obtain written consent for any disclosures, actions and strategies to be implemented.
- CONFIRM every consultation, conversation and phone call in writing.
- CONTAIN disclosures to the purpose the information was provided for, and only on a “need to know” basis.
- RECORD. Keep comprehensive records of all interactions, documents and forms. They may be called for in any complaint or litigation. Students also have the right to view their records and request corrections at any time.
- SECURE. Keep all records and information secure and safe from inadvertent disclosure to others.
That way, you will not only ensure that this sensitive personal information is respected and treated appropriately, but you will also encourage students to disclose appropriately, protect them from unnecessary disclosure and potential misuse of that information as well as protecting yourselves and your institutions from the time-consuming, stressful and potentially extremely costly impacts of complaints and litigation. That cost can be measured in dollars, reputational damage and personal stress. It is best to avoid this if possible.
However, the main reason for ensuring compliance with Privacy Legislation is that it is simply good practice, that ensures the best service and outcomes for students, provides protection for staff and prevents stress and distress for everyone concerned.
Written by Trevor Allan