Privacy Law Compliance and Telehealth
Our members have been contacting us concerned about providing Telehealth services and wanting advice about which platform to use. There has been a lot of misinformation going around about which platforms are compliant with Australian law. We summarise below what you need to be aware of when choosing a compliant platform so that you can make an informed choice. Note this is a personal decision for each Psychologist. There are many decisions to be made during the process and you will need to document each decision you make carefully.
When looking at the compliance of Psychologists in Australia, we look at the Privacy Act 1988.
We have attached the details of a document from the Office of the Australian Information Commissioner (OAIC) that is very easy to read and interpret. Note this is not the Privacy Act itself (which can be sourced very easily online) but explains the principles in full; the OAIC is the body that investigates any breaches of privacy in Australia.
A big factor in your decision making is going to be obtaining informed consent from your clients regarding using these platforms with them. The client needs to have all the information available to them when deciding whether to engage with you in this manner. Written or verbal consent is acceptable but must be fully documented. Consent means ‘express consent or implied consent’. The four key elements of consent are:
- the individual is adequately informed before giving consent
- the individual gives consent voluntarily
- the consent is current and specific, and
- the individual has the capacity to understand and communicate their consent. If they cannot, you need to consider what they want, what their carers want, etc. Capacity will vary according to time and circumstance.
NOTE: consent can be withdrawn at any time, and you will need to change the way you work with that client if they withdraw consent. Consent also needs to be updated regularly. Just because someone consents at one point in time does not mean they will always consent.
Likely overseas disclosures
An APP entity is required to set out in the policy only likely disclosures of personal information to overseas recipients, and not likely uses of personal information by the entity. For example, routing personal information, in transit, through a server located outside Australia would usually be considered a ‘use’.
When making decisions about which teleconferencing platform to use, you need to consider whether your clients' information will be transmitted outside of Australia and for what purpose, and whether their data can be de-identified so that, if it were viewed by another party outside of Australia, the client could not be reasonably identified.
- Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
- An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.
- There are exceptions to the requirement to take reasonable steps and to the accountability provision. The requirement to ensure that an overseas recipient does not breach the APPs is qualified by a ‘reasonable steps’ test. It is generally expected that an APP entity will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the Australian Privacy Principles. This includes any cloud-based storage that you use or that any platform you use operates with.
Disclosing personal information to an overseas recipient that is subject to a substantially similar law or binding scheme
You may disclose personal information to an overseas recipient where the entity reasonably believes that:
- the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way the Australian Privacy Principles protect the information, and
- mechanisms can be accessed by the individual to enforce that protection of the law or binding scheme.
It is the responsibility of an APP entity to be able to justify its reasonable belief.
Law or binding scheme
An overseas recipient may be subject to a law or binding scheme, where, for example, it is:
- bound by a privacy or data protection law that applies in the jurisdiction of the recipient
- required to comply with another law that imposes obligations in relation to the handling of personal information, for example some taxation law includes provisions that expressly authorise and prohibit specified uses and disclosures, permit the retention of some data, require destruction after a certain period of time and under particular circumstances, and include a right of access to an individual’s personal information
- subject to an industry scheme or privacy code that is enforceable once entered into, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code
- subject to Binding Corporate Rules (BCRs). BCRs allow multinational corporations, international organisations and groups of companies to make intra-organisational transfers of personal information across borders in compliance with EU Data Protection law.
Substantially similar to
A substantially similar law or binding scheme would provide a comparable, or a higher level of privacy protection to that provided by the APPs. Each provision of the law or scheme is not required to correspond directly to an equivalent APP. Rather, the overall effect of the law or scheme is of central importance.
Whether there is substantial similarity is a question of fact. Factors that may indicate that the overall effect is substantially similar, include:
- the law or scheme includes a comparable definition of personal information that would apply to the personal information disclosed to the recipient
- the law or scheme regulates the collection of personal information in a comparable way
- the law or scheme requires the recipient to notify individuals about the collection of their personal information
- the law or scheme requires the recipient to only use or disclose the personal information for authorised purposes
- the law or scheme includes comparable data quality and data security standards
- the law or scheme includes a right to access and seek correction of personal information
Disclosing personal information to an overseas recipient with the individual’s consent after the individual is expressly informed
You may disclose personal information to an overseas recipient where:
- the APP entity expressly informs the individual that if they consent to the disclosure, this principle will not apply, and
- the individual then consents to the disclosure
You need to provide the individual with a clear written or oral statement explaining the potential consequences of providing consent. At a minimum, this statement should explain that if the individual consents to the disclosure and the overseas recipient handles the personal information in breach of the Australian Privacy Principles:
- the entity will not be accountable under the Privacy Act
- the individual will not be able to seek redress under the Privacy Act
The statement should also:
- be made at the time consent is sought
- not rely on assumed prior knowledge of the individual.
The statement could also explain any other practical effects or risks associated with the disclosure that the APP entity is aware of, or would be reasonably expected to be aware of.
These may include that:
- the overseas recipient may not be subject to any privacy obligations or to any principles similar to the APPs
- the individual may not be able to seek redress in the overseas jurisdiction
- the overseas recipient is subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority
You need to ensure your staff are compliant!
If you have taken reasonable steps to ensure your clients' data is protected, and you have documented fully informed consent, then you will have discharged your responsibilities.
Available platforms in Australia that are worth investigating are:
Bottom line: if you do not feel confident that you are compliant under national laws, or do not feel comfortable using these platforms, do not use them. There are telephone items you can use that would be more suitable for your circumstances. We have also seen a relaxing of legislation for our American colleagues, with their HIPAA compliance regulations being relaxed at this time. We will update you further if this is going to occur in Australia.