The treatment of organisations under the Act was raised repeatedly in interviews as a constraint to effective use of Healthcare Identifiers. Currently the Act is interpreted as having the same provisions for organisations as for individuals and providers. The Privacy Act does not consider information about organisations to be personal information and the privacy provisions do not apply to information held about the organisational entity.
The OAIC was consulted about whether section 29(3) of the HI Act should be interpreted as intending that HPI-Os be defined as personal information for the purposes of section 29(3) of the HI Act as it relates to section 27(1)(h) of the Privacy Act. The OAIC believes that the reference to Healthcare Identifiers in section 29(3) was not intended to include HPI-Os and has provided reference to the Bills Digest for the Healthcare Identifiers Bill, which outlines the policy intent underlying the HI Act.
The Bills Digest states that “subclause 29(3) will allow the Privacy Commissioner to undertake audits of Healthcare Identifiers under the Privacy Act in relation to personal information”. This suggests that the reference to Healthcare Identifiers in s 29(3) was not intended to include HPI-Os. The Bills Digest also indicates that the privacy and security considerations in drafting the HI Act were not intended to include HPI-Os, as it refers to “individual Identifiers” and “healthcare recipient Identifiers”.
The OAIC does not believe the privacy and security requirements in the HI Act apply to organisations, and has recommended that this be clarified by amending the definitions in the Act.