Notification requirements for collecting personal information
APP 5 requires GPs to ensure patients are aware of the collection and potential use and disclosure of their health information.
It is not necessary to notify patients during every consultation, as it is clear information is being collected. Similarly, it is not necessary to notify patients if their health information will need to be disclosed when referring to a specialist.
There will be times when the collection of health information is not obvious to the patient. For example, in some practices with complex corporate structures, the organisation ultimately collecting and holding the information might not be obvious. It is recommended practices ensure their patient privacy forms are updated to reflect this situation.
Where necessary, as appropriate, when there is a significant change to the way the practice works or the needs of the patient change, your practice should obtain renewed consent.
The notification requirements referred to in APP 5 have administrative implications for incorporated practices and practices using cloud computing (refer to module on Information transferred overseas).
- When collecting health information, GPs must take steps to notify the patient.
- Notified information must include the practice’s details, the purpose for which the information was collected, who the health information can be disclosed to, and whether it will be disclosed to an overseas recipient (and if so, where).
- If your practice is using cloud computing, ensure you have updated your consent forms and notified patients.
Your practice should consider whether a standard privacy notice addressing APP 5 would be an appropriate method of notifying patients.
A privacy notice might include information about:
- sharing of information across a multidisciplinary medical team
- use and disclosure of de-identified data for medical research
- the use of patient information for GP professional development purposes or for quality improvement activities
- how information is used for referrals to other specialists.
In some situations, a practice might need to provide additional patient health information to third parties such as insurers and this should be included in your privacy notice. This helps practices meet the requirement to take reasonable steps to notify individuals on how their information is used8 and helps manage patient expectations, promote trust and support further uses of health information for secondary purposes. (refer to section on Use and disclosure of health information).
When used appropriately, privacy notices can support patients to understand how their health information is used and disclosed.