Hi there. The collection and storage of personal information about individuals by a private sector health service provider is regulated by national laws, namely the Privacy Act 1988 (Cth). From the information you provided, your business would most likely be required to comply with these laws in collecting medical images of clients.

The Australian Privacy Principles (APPs) outline how your business must handle, use and manage personal information of clients. The APPs provide for open and transparent management of personal information, the use of anonymity and pseudonyms, notification that personal information is being collected, quality controls on collection, security of stored personal information, and access rights to personal information. The APPs place more stringent obligations on businesses that handle ‘sensitive information’, which includes personal information about an individual’s health.

If you are collecting medical images of clients, you will need to consider clients’ access rights to their records. Generally, you (as the provider who created the record) will own it. But this does not interfere with a client’s or patient’s right to access the record. Patients generally have a right to access all the information held about them and they may exercise these rights in a number of ways. However, there are some limited circumstances where a patient is prohibited from accessing their records (e.g. where access would pose a serious threat to the life and health of anyone, or where refusing access is required by law). Your business would need to know when it can and cannot grant access to patient records.

Your business should prepare a privacy policy that outlines how personal information of clients will be collected, managed and stored. This policy will need to comply with the APPs. The policy should also specify how clients can access their records if they so desire (i.e. submitting a request form, fees, timeframes, etc).

Privacy laws are regulated by the Office of the Australian Privacy Commissioner (www.oaic.gov.au). Individuals who have a complaint regarding privacy or the collection of their personal information can make a formal complaint to the Commissioner if they have been unable to resolve the matter directly with the relevant organisation.

Suggested way forward

It is important your business complies with privacy laws. While the above information is a basic overview of national privacy laws, there may be more specific or State-based rules that apply to your business, depending on its activities and industry. You should consider speaking to a lawyer who can help you understand your legal rights and responsibilities. By pressing the “Consult a Lawyer” button, LawAdvisor can help you search for experienced lawyers and obtain fee proposals for their services. Costs for legal advice and representation will vary between providers based on experience and the scope of services.