THAT’S PRIVATE! Privacy and confidentiality protections

How is my personal information protected from onward disclosure or abuse? 

This question rings true for PLHIV, especially about the protection of HIV status. A common misconception is that there are many robust legal mechanisms that can address wrongful, careless or malicious onward disclosure of an individual’s status. However, the fact of the matter is that there are only a few, and they really depend on who holds the information and in what circumstances.

There is no over-arching provision declaring HIV to be subject to privacy or confidentiality but rather a patch-work of different laws relating to the issue.

Broadly, a person’s right to privacy and confidentiality is not absolute and there are only limited protections for individuals which can be found in:

1. The Privacy Act 1988 (Cth)
2. The Information Privacy Act 2009 (Qld)
3. The Public Health Act (Qld)
4. The Telecommunications Act 1997 (Cth)
5. The Invasion of Privacy Act 1971 (Cth)

The Acts which can relate to HIV status protection are found in the first three; the Privacy Act, the Information Privacy Act and the Public Health Act.

Before we look at each of the three acts, it is important to point out that privacy and confidentiality are two different concepts, but can both work together to protect your HIV status. Often, they are lumped together.

Privacy rights centre on protecting personal information and the right to be free from unnecessary intrusion. Eg, organisations may hold information about you, but they have duties to not make it readily available and/or only allow certain individuals access to it.

Confidentiality is about controlling personal information. Eg. Doctor may not disclose your health condition to anybody else (unless law tells them they need to).

So, where to privacy and confidentiality rights begin and who owes them?

Certain organisations- The Privacy Act

The Privacy Act protects personal information which includes sensitive information such as health information. This would include information about HIV status. There are limited situations where an organisation can collect, use or disclose personal information.

Who is bound by the Act?

1. Any private sector business (including an unincorporated association or trust) that:
   1. Has an annual turnover greater than $3,000,000.00
   2. Provides a health service to individuals or holds health information (Regardless of turnover. This would include private health practices); or
   3. Discloses or collects personal information about individuals for a benefit, service or advantage (regardless of turnover);
   4. A contracted organisation that provides services to government where the contract requires compliance
   5. Credit providers and credit reporting agencies
   6. Majority of Commonwealth, ACT and Norfolk Island government department and agencies.

How can I make a complaint?

It is advised to try and resolve the issue with the organisation that you believe has breached the privacy right first.

Failing resolution, a privacy complaint can be made to the Office of the Australian Information Commissioner (OAIC). If you are unsure about what constitutes a privacy breach, the OAIC has a Privacy fact checker tool.

Queensland Government-Information Privacy Act

Similar to the Privacy Act, personal information is protected. Under this Act personal information is very broad and covers almost any information that can be identified to an individual. 

Who is bound by the Act?

Queensland government departments and agencies. 

How can I make a complaint?

Similar to the Privacy Act, it is recommended that an individual attempts to address it with the particular agency or department.

Failing a resolution, a complaint to the Office of the Information Commissioner Queensland can be made.

Public Health Professionals-Public Health Act

The Public Health Act states that a person must not directly disclose confidential information unless:

• There is written consent of the person to whom the information relates
• It is about preventing or minimising the transmission of HIV (which also includes contract tracing)
• whether it is in the public interest; or
• authorised under an Act or another law.

Confidential information would include information about an individual’s HIV status.

Who is bound by the Act?

Health Service Employees. This covers public hospitals and clinics.

How can I make a complaint?

If an individual thinks their confidentiality has been breached, contacting a Privacy and Confidentiality officer of the particular health and hospital service would be the first option. 

What about individuals?

Outside of the examples listed above, there are not many other legal protections which would apply to individuals, such as where a friend, neighbour or family member was disclosing someone’s HIV status. Exploring legal options would require individual, tailored legal advice. Legal advice can be obtained through a community legal centre or through a private lawyer. In saying that, there is no easy fix or solution.

When deciding to disclose your status to someone, it is important to consider that there are little protections available for stopping an individual if they choose to disclose. When you are considering disclosing, consider the person who you are disclosing to and remember that you cannot control what the individual does with that information.

Unfortunately, often relationships break down or you find the person who you disclosed to has broken your trust. This is not to say that disclosure cannot reap many benefits! But, it is important to consider what you would do if someone breaks your trust. We have written some tips on disclosing your status, which cover some of the questions a person may wish to consider. We also have information for people supporting a loved one with HIV.

Remember, you are not alone.