Chapter 3 Section G: Confidentiality and privacy

Long before there was a specific Act of Parliament about privacy, there was a legal and ethical principle that records kept by health care professionals should be kept confidential.

There have always been exceptions to this principle, in particular when a party to a legal case in court asks through the court process for another party to produce medical records that are relevant to the court case (‘issues a subpoena’).

A failure to keep health records confidential may be a breach of confidentiality. It may also be a breach of specific privacy laws.

This section deals with:

3G.1: Breach of confidentiality in relation to personal health information

If you think a health care practitioner or a health care provider has breached the confidentiality of your health records or of any discussions you have had with them as part of your treatment and care, you can complain to the Health Care Complaints Commission.

You may, particularly if you suffer financial loss as a result of breach of confidentiality, also be able to take legal action in court for breach of confidentiality. The law is developing in this area, and there have been calls for new laws to give individuals a right to take legal action for breach of privacy.

Breach of confidentiality of patient records is usually dealt with as part of the disciplinary process for health care professionals such as doctors, dentists and pharmacists.

To find out more about where to get advice about your options to complain about a breach of confidentiality in relation to your health care, click here.

3G.2: Specific privacy laws

In Australia, there are specific pieces of legislation (‘Acts’ made by parliaments) that protect the privacy of personal information.

Generally speaking, Australian privacy laws are about how your personal information may be handled. For example, the Privacy Act 1988 (Cth), which applies across Australia, covers:

  • when and how your personal information is allowed to be collected, for example, the personal information you provide when you fill in a form;
  • how it can then be used and disclosed;
  • how its accuracy should be maintained;
  • how securely it should be kept;
  • how long it can be kept; and
  • your general right to access that information and correct any errors.

The Privacy Act 1988 (Cth) applies to the private sector as well as the public sector and in particular to health information, which includes medical and hospital records.

In NSW, the law that applies to health information in both the private and public health care sectors is the Health Records and Information Privacy Act 2002 (NSW).

This Act applies to health information, which is considered ‘sensitive information’ and which requires extra protection under privacy law.

If you are not sure whether the Commonwealth or NSW Act applies to an organisation you want to complain about, call either the Commonwealth Privacy Commissioner or the Information and Privacy Commission NSW.

3G.2.1: Privacy principles

The Privacy Act 1988 (Cth) includes the Australian Privacy Principles that apply to the Federal Government and some private sector agencies.

In NSW there is also a set of Health Privacy Principles that form part of the Health Records and Information Privacy Act 2002 (NSW).

If you think a person or an organisation has not followed them, then you can complain either to the Commonwealth Privacy Commissioner or to the Information and Privacy Commission NSW.

If you think a health care provider has breached privacy principles in relation to your personal health information, you can complain. To find out more about privacy complaints, click here.

Updated October 31, 2019