Position Summary
Dentists and their staff must comply with their ethical and legal obligations with respect to privacy and confidentiality.
1. Background
1.1. Dentists and their staff have ethical and legal obligations to protect the personal and sensitive information of patients, including privacy and confidentiality obligations.
Privacy
1.2. Dentists are required to comply with all relevant privacy laws.
1.3. Dentists are required under relevant privacy laws to have a privacy policy and to make that policy available to the public upon request.
1.4. The principal legislation regulating dentists in private practice is the Privacy Act 1988 (Cth) (Privacy Act). There are also other State and Territory privacy laws; these are mainly consistent with the Privacy Act but may include some additional requirements.
1.5. Schedule 1 of the Privacy Act sets out thirteen Australian Privacy Principles (APPs)1. The APPs govern how personal information, including health information, is collected, used, stored and disclosed, and give patients a right to access their own personal information. The APPs should be read in conjunction with the Australian Privacy Principles guidelines2.
1.6. Dentists practising in the private sector and Commonwealth government agencies are required to comply with the following legislation:
(a) the Privacy Act including APPs;
(b) the My Health Records Act 2012 (Cth);
(c) the Healthcare Identifiers Act 2010 (Cth);
(d) in relation to practice in the Australian Capital Territory, the Health Records (Privacy and Access) Act 1997 (ACT) (private and public sector);
(e) in relation to practice in New South Wales, the Health Records and Information Privacy Act 2002 (NSW) (private and public sector); and
(f) in relation to practice in Victoria, the Health Records Act 2001 (Vic) (private and public sector).
1.7. Dentists practising in the public sector (for example, in public hospitals or clinics) are required to comply with the following legislation:
(a) the Healthcare Identifiers Act 2010 (Cth);
(b) the My Health Records Act 2012 (Cth);
(c) in relation to practice in South Australia, the Health Care Act 2008 (SA) & PC012 Information Privacy Principles Instruction 20 June 2016 (SA) (public sector only);
(d) in relation to practice in the Northern Territory, the Information Act 2003 (NT) (public sector only);
(e) in relation to practice in Queensland, the Information Privacy Act 2009 (Qld) (public sector only);
(f) in relation to practice in Tasmania, the Personal Information and Protection Act 2004 (Tas) (public sector only);
(g) in relation to practice in Western Australia, the Freedom of Information Act 1992 (WA) (public sector only);
(h) in relation to practice in the Australian Capital Territory, the Health Records (Privacy and Access) Act 1997 (ACT) (private and public sector);
(i) in relation to practice in New South Wales, the Health Records and Information Privacy Act 2002 (NSW) (private and public sector); and
(j) in relation to practice in Victoria, the Health Records Act 2001 (Vic) (private and public sector).
1.8. Requests for access to or correction of personal information, and complaints about a breach of privacy, are dealt with under the Privacy Act and the APPs.
1.9. Dental practices must take reasonable steps to protect the personal information they hold from misuse, interference, loss, and unauthorised access, modification or disclosure.3 The Office of the Australian Information Commissioner provides a Guide to Securing Personal Information.4
1.10. The Notifiable Data Breaches scheme, which commenced on 22 February 2018 under Part IIIC of the Privacy Act, requires entities covered by the Privacy Act, including private dental practices, to notify the Office of the Australian Information Commissioner and the affected individuals of a data breach that is likely to result in serious harm (for example, lost or stolen records, a compromised practice management system, or records sent to the wrong recipient). A practice that suspects such a breach must contain it and assess it promptly; the Privacy Act allows at most 30 days for that assessment.
Confidentiality
1.11. Confidentiality is a cornerstone of the dentist-patient relationship.
1.12. Respecting confidentiality demonstrates dentists’ respect for patients’ autonomy.
1.13. Patients have a right to expect that dentists will not disclose information provided by patients in the course of the dentist-patient relationship without their permission.
1.14. In addition to privacy, dentists have obligations of confidentiality to patients under common law.
1.15. The common law implies an obligation of confidentiality between dentists and their patients, and a breach of confidentiality may be actionable in the courts.
1.16. Further, breaching patient confidentiality may constitute unsatisfactory professional performance under the Health Practitioner Regulation National Law.
1.17. Health care practitioners who work for dental practices also have obligations of confidentiality and fidelity to their employers.
1.18. Practice staff also have the right to expect that dentists and other staff will not disclose their personal information without their consent.
1.19. Dentists are also required to protect the confidentiality of personal and sensitive information collected in research. Persons participating in research have the right to expect that dentists will not disclose their personal information without their consent.
1.20. There are circumstances identified in law where it is legitimate for dentists to disclose confidential patient information.
1.21. Exceptions to confidentiality are:
(a) when a patient (or their legally authorised representative) consents to disclosure;
(b) where clinical information needs to be shared amongst the treating team;
(c) for internal quality assurance and health service evaluation;
(d) disclosures which are permitted by law, for example under the privacy laws; and
(e) disclosures which are required by law, for example:
• mandatory reporting of child abuse;
• notification of infectious diseases to relevant authorities;
• compliance with court orders such as subpoenas and search warrants, and with lawful requests from forensic odontology practitioners working in a recognised state forensic laboratory for the dental records of a person reasonably believed to be deceased, for the purposes of forensic identification; and
• mandatory reporting of health care practitioners whose impaired health may put the public at risk.
Definitions
1.22. PERSONAL INFORMATION means information or an opinion (including information or an opinion forming part of a database) about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not. An individual may be reasonably identifiable from the information on its own or in combination with other information the practice holds. Personal information does not include information that has been de-identified so that the individual is no longer reasonably identifiable.
1.23. SENSITIVE INFORMATION means:
(a) information or an opinion about an individual’s:
• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs;
• membership of a professional or trade association;
• membership of a trade union;
• sexual orientation or practices; or
• criminal record;
that is also personal information;
(b) health information about an individual;
(c) genetic information about an individual that is not otherwise health information;
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
1.24. HEALTH INFORMATION means:
(a) information or an opinion about:
• the health or a disability (at any time) of an individual;
• an individual’s expressed wishes about the future provision of health services to the individual; or
• a health service provided, or to be provided, to an individual;
that is also personal information;
(b) other personal information collected to provide, or in providing, a health service;
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
1.25. HEALTH SERVICE means:
(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
• to assess, record, maintain or improve the individual’s health;
• to diagnose the individual’s illness or disability;
• to treat the individual’s illness or disability or suspected illness or disability; or
(b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
2. Position
2.1. Dentists should familiarise themselves and keep up to date with current privacy laws.
2.2. Dentists and their staff must comply with their ethical and legal obligations with respect to privacy and confidentiality.
2.3. Dental records should be securely stored and protected from unauthorised access, use, modification or loss. Paper records should be kept in locked filing cabinets in a room that is not accessible to the general public. Each staff member should have an individual user account with a strong password (shared logins make it impossible to attribute access to a person), computers should lock automatically when left unattended, and screens should be positioned so that only staff members can see them. All computer systems should have appropriate and current security software installed and be kept up to date with security patches, and records should be backed up regularly, with backups and any portable devices or media holding records encrypted.
2.4. Once the required retention period has expired, a health record that is no longer needed must be destroyed, or permanently de-identified, in a secure manner, for example by shredding paper records and securely erasing or physically destroying electronic storage media, so that the information cannot be recovered.
1 Privacy Act 1988 (Cth). https://www.legislation.gov.au/Details/C2021C00024
2 Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines. https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/
3 Privacy Act 1988 (Cth), APP 11.
4 Office of the Australian Information Commissioner, Guide to Securing Personal Information (5 June 2018), available at: https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information, accessed 6 April 2021.