- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
Information Sheet (Private Sector) 29 - 2009: Use or disclosure of genetic information in the private health sector
This information sheet is for health service providers in the private health sector. It relates to privacy and the use or disclosure of genetic information to lessen or prevent a serious threat to life, health or safety of a patient's genetic relatives.
Using and disclosing genetic information
The Privacy Act does not prevent a health service provider using or disclosing a patient's genetic information, if the patient has given informed consent. Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:
- the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient and
- the use, or the disclosure to the genetic relative, is necessary to lessen or prevent that threat and
- the health service provider has complied with the guidelines issued under Section 95AA of the Privacy Act.
The guidelines assist health service providers to discuss the issues with their patient and emphasise seeking consent first.
Collecting or using contact details of a patient's genetic relatives
Where a decision has been made to use or disclose genetic information, with or without the patient's consent, the collection or use of the contact details of the patient's genetic relatives would generally need the consent of the relative.
The Privacy Commissioner has recognised that it would generally be impractical to gain consent of the relative in these circumstances and has issued a Temporary Public Interest Determination to allow this collection or use.
Health practitioners should update their privacy information for patients to include the possible use or disclosure of genetic information without consent.
About this information sheet
This information sheet provides guidance about genetic information and privacy under the National Privacy Principles (NPPs).
Part A explains how the Privacy Act applies to the use and disclosure of genetic information without consent - particularly NPP 2.1(ea) and section 95AA guidelines.
Part B explains how and when a health practitioner may collect or use the contact details of a patient's genetic relative, to inform the relative of the possible implications of the genetic information. Practitioners may do this with or without the patient's consent.
Who is this information sheet for?
This information sheet is for health practitioners who deal with genetic information and work in the private health sector.
The Privacy Act applies to all 'personal information' which is information about an individual whose identity is apparent, or can be reasonably ascertained.
'Sensitive information' is a sub-category of personal information, and includes all 'health information'.
The definition of health information specifically includes genetic information about an individual in a form that is, or could be, predictive of the health of an individual or a genetic relative of the individual.
Any personal information held by a health service provider is likely to be 'health information'. This may include information which is not necessarily of a clinical nature.
A patient's name and address will often be 'health information' when held by a health service provider. It may indicate that the individual has received a health service from that provider.
'Health information' is fully defined at the end of this information sheet.
A health service provider collects personal information if it gathers, acquires or obtains personal information from any source and includes this in a record. Collection includes personal information a health service provider keeps but has not asked for.
Use and disclosure
'Use' refers to the handling of health information within the organisation that collects it.
'Disclosure' of health information is the release of that information to someone outside the organisation, other than the individual concerned.
Who is a genetic relative?
A genetic relative is defined in the Privacy Act to mean an individual who is related by blood, including but not limited to a sibling, a parent or a descendant.
Please refer to section 95AA guidelines for further guidance on this term.
Part A - Using and disclosing genetic information
NPP 2 protects the use and disclosure of personal information. A health service provider must only use or disclose personal information about an individual for the primary purpose of collection, unless the individual has consented or a listed exception applies (NPP 2.1).
National Privacy Principle 2.1(ea)
NPP 2.1(ea) allows the use or disclosure of genetic information to a patient's genetic relatives, without the patient's consent, if the organisation reasonably believes that:
- there is a serious threat to life, health or safety of the relative and
- the use or disclosure is necessary to lessen or prevent that threat.
Under NPP 2.1(ea):
- the threat need not be 'imminent'
- genetic information may be used or disclosed without consent if the genetic information has been obtained in providing a health service to that patient
- disclosure of genetic information is not allowed to anyone other than the patient's genetic relatives
- use or disclosure of genetic information by a health practitioner without the patient's consent must be conducted in accordance with the National Health and Medical Research Council guidelines. These guidelines must be approved by the Privacy Commissioner under section 95AA of the Privacy Act (see below)
- disclosure of information is not required but provides the framework for this to occur under the appropriate circumstances.
Section 95AA guidelines
In the event that the patient has not given consent, and the requirements of NPP 2.1(ea) are met, using or disclosing a patient's genetic information is permitted only if done in accordance with the section 95AA guidelines.
The guidelines establish when, by whom and in what manner, use or disclosure of genetic information may take place without the patient's consent.
The guidelines outline the factors that health practitioners should consider when determining if use or disclosure of genetic information is necessary to lessen or prevent a serious threat to life, health or safety of a patient's genetic relatives.
The section 95AA guidelines require that reasonable steps must first be taken to obtain the consent of the patient to use or disclose their genetic information.
Giving notice to patients
Under the Privacy Act health service providers must give notice to their patients about certain matters when they first collect health information, including:
- why the information is being collected
- how it may be used
- who it may be disclosed to.
Health practitioners should update their privacy information for patients to include possible use or disclosure of genetic information without consent. Section 95AA guidelines provide a sample information leaflet.
Part B - Collection or use of contact details of a patient's genetic relatives
If a patient has not consented to the disclosure of their genetic information and the authorising medical practitioner decides to disclose in accordance with section 95AA guidelines, they will usually need to get the contact details for the patient's genetic relatives.
These contact details may also be needed where the patient consents to the disclosure but does not wish, or is unable, to make the disclosure themselves.
In these circumstances, the health practitioner may seek contact information for the patient's genetic relatives from publicly available records, or with the patient's consent, from the patient.
The collection of contact details of genetic relatives must comply with the Privacy Act. Under NPP 10.1, an organisation must not collect sensitive information about an individual unless:
- the individual has consented to the collection
- another exception applies.
Generally, this means a health practitioner could not collect the contact details of a genetic relative without that relative's consent.
The health practitioner would generally note these details in the patient's record. The contact details would then be linked to other information in the patient's record in such a way that it is possible to infer that:
- the person whose contact details are recorded is related to a person with a genetic condition and
- there is a possibility or statistical probability that the person whose contact details are recorded may also have a genetic condition.
The Privacy Commissioner considers that in these circumstances, the contact details of a genetic relative are likely to be 'health information'. However, the Commissioner recognises the impracticality of gaining the consent of the genetic relative.
The Privacy Commissioner has issued a Temporary Public Interest Determination (2009-1A) (TPID), which permits health practitioners to collect the contact details of a patient's genetic relatives in specified circumstances (see page 5).
In some cases, the health practitioner may become aware that they already have the genetic relative's contact details on file.
Example: The contact details were given to the health practitioner by the patient as a 'next of kin contact' in case of emergency or the genetic relative is also a patient.
Health practitioners may use these contact details for the secondary purpose of informing the genetic relative that they may be at risk of inheriting a genetic condition.
Under NPP 2.1, an organisation must not use or disclose an individual's personal information for a purpose other than the primary purpose of collection, unless the individual has consented or another exception applies.
The secondary use of the contact details of a genetic relative without their consent may breach NPP 2.1, regardless of whether or not the patient has consented to the disclosure of their genetic information.
The TPID permits health practitioners to use, in specified circumstances, the contact details of a patient's genetic relatives that they already hold.
How the Temporary Public Interest Determination Works
The TPID allows health practitioners to collect or use the contact details of a genetic relative of a patient in limited circumstances.
The TPID permits health practitioners to collect or use the contact details of a patient's genetic relatives where:
- it is impractical to gain the consent of the genetic relative of a patient and
- the contact details will be used to inform the relative of the potential consequences for the relative's own health of genetic information obtained from the patient and
- there is a reasonable belief that this is necessary to lessen or prevent a serious threat to the life, health or safety of the genetic relative.
Where consent for the disclosure of genetic information has not been obtained, the TPID specifies that the disclosure must be made in accordance with section 95AA guidelines.
Example: If a health practitioner intends to collect or use the contact details of a genetic relative without consent, they would need to comply with guidelines 4 and 5.
Guideline 4: (in summary) a medical practitioner must take responsibility for decision-making about use or disclosure, even if another professional, such as a genetic counsellor, is to disclose the information. The authorising medical practitioner should have a significant role in the care of the patient, and sufficient knowledge of the patient's condition, to take responsibility for decision-making about use or disclosure.
Guideline 5: (in summary) before making any decision concerning use or disclosure, the authorising medical practitioner must discuss the case with health practitioners who have the appropriate expertise to fully assess the situation.
The Privacy Commissioner suggests that section 95AA guidelines also provide a useful framework for practitioners where the patient does give consent to the disclosure of their genetic information.
Example: The guidelines give guidance on what may constitute a 'serious' threat to life, health or safety. This is relevant, whether the patient has given consent or not, to the use or disclosure of their genetic information.
Other National Privacy Principles obligations
NPPs 1 to 9 apply to contact details collected in these circumstances.
NPPs 1 and 3 to 10 apply to contact details used in these circumstances.
Health practitioners should also consider other NPP obligations if they intend to collect or use the contact details of a genetic relative. Some of these obligations are outlined below.
Under NPP 1.2 information must be collected only by lawful and fair means and in a way that is not unreasonably intrusive.
Example: Generally a health practitioner would not be permitted to obtain the genetic relative's contact details from other databases or records that they may have access to, such as a public hospital database.
Other uses and disclosures
NPP 2 protects the use and disclosure of personal information.
Generally, under NPP 2.1, personal information may only be used with consent or for the primary purpose of collection. In this case, the 'primary' or main purpose of collection of the (genetic relative's) contact details is to inform the relatives that they may be at risk of an inheritable condition.
A practitioner who collects the contact details of a genetic relative in the circumstances covered by the TPID, would not be permitted under the Privacy Act to use or disclose the contact details for any other purpose, unless another NPP 2.1 exception applies.
Under NPP 3 an organisation must take reasonable steps to make sure that the information it collects, uses or discloses is accurate, complete and up-to-date.
Using contact details that are inaccurate, incomplete or out-of-date could have serious consequences for individuals.
This is because the patient's genetic relative may remain unaware that they may be at risk from an inheritable condition or, if the information about genetic risk is sent to the wrong person, the individual receiving the information may become distressed.
If a health practitioner uses public sources of information such as a phone directory or the electoral roll to find contact details, they should take care to verify the accuracy of the information.
Definition of health information:
Health information is defined in section 6 of the Privacy Act as:
- '(a) information or an opinion about:
- (i) the health or a disability (at any time) of an individual; or
- (ii) an individual's expressed wishes about the future provision of health services to him or her; or
- (iii) a health service provided, or to be provided, to an individual; that is also personal information; or
- (b) other personal information collected to provide, or in providing, a health service; or
- (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.
- (d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.'
More information is available from the Office of the Privacy Commissioner.
- Guidelines to the National Privacy Principles
- Guidelines on Privacy in the Private Health Sector
- Information sheets
- Frequently Asked Questions on Health
A consolidated version of the Privacy Act can be found at: www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/
Office of the Privacy Commissioner
Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)
TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.
Private Sector Information Sheet 29
Web HTML and PDF published December 2009
© Commonwealth of Australia 2009
 The Office uses the term health service provider to refer to people or bodies who provide health services. See also explanation of the term 'health practitioner' in the section 95AA guidelines, p2 , available at: www.privacy.gov.au/law/act/genetic.
 The terms 'personal information' and 'sensitive information' are defined under section 6 of the Privacy Act.
 Genetic information that is not otherwise health information, such as the result of a parentage test, is defined under section 6 of the Privacy Act as 'sensitive information'
 The term 'record' is defined under section 6 of the Privacy Act.
 The term 'organisation' is defined in section 6C of the Privacy Act and includes individual health practitioners.
 See section 6 of the Privacy Act for the full definition.
 The 'primary purpose' is the main or dominant reason a health service provider collects information from an individual.
 The full notice requirements are set out in NPP 1.3 and NPP 1.5, available at: http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html
 At Appendix 3 of the guidelines.
 See also explanation of the term 'authorising medical practitioner' on page 2 of the guidelines.
 In some cases the patient may not be able to provide the current address details as, for example, they may be estranged from their genetic relative.
 The text of NPP 10.1 is available at: www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html
 See explanation of the term 'health information', p 2 of this information sheet.
 TPIDs 2009-1 and 2009-1A are effective from 15 December 2009 to 14 December 2010. The Government has indicated in its response to the Australian Law Reform Commission's review of privacy that it intends to amend the Privacy Act to permit the collection or use of a genetic relative's contact details in these circumstances.
 Such as NPP 2.1(g) which permits secondary use or disclosure of personal information if it is required or authorised by or under law.
 The section 95AA guidelines require that the initial information provided to genetic relatives be worded in general terms and not identify the genetic condition that has been identified. Nonetheless, the person receiving the letter may be distressed by information which indicates that they may be at risk of inheriting a condition.