Health Startup Considerations – Australian Privacy Law


The health industry is one of Australia’s more heavily regulated industries. As well as having to consider the regulatory requirements of the Therapeutic Goods Administration, and possibly AHPRA, health startups need to determine the applicability of Australian privacy laws.

Privacy Law in Australia

The legal framework for privacy in Australia, as it applies to the private sector, is the Privacy Act 1988 (the Privacy Act). The Privacy Act generally only applies to businesses with annual revenue exceeding $3,000,000. However, if your business falls into one of several specified industries, including the provision of health services, the Privacy Act applies regardless of your revenue (you can find a full list of the specified industries covered by the Privacy Act here).

What is a Health Service?

Just because your business is playing in the health space doesn't necessarily mean you will be classed as a health service (although it's likely). A service is defined as a health service under the Privacy Act if:

  • It is intended or claimed to:
      • Assess, maintain, improve or manage the recipient's health;
      • Diagnose or treat an illness, disability or injury;
      • Record a person's health for the purposes of assessing, maintaining, improving or managing their health; or
  • It involves dispensing prescribed drugs.

The above definition applies whether the service relates to physical or psychological health. If you think your business is offering a service which may be caught by the above definition, but you're unsure, we strongly recommend speaking with a startup lawyer to confirm your obligations. If your business is captured by the above, then you will need to comply with the Privacy Act.

Complying with the Privacy Act

Compliance with the Privacy Act, for the most part, requires compliance with the 13 Australian Privacy Principles set out at Schedule 1 of the Privacy Act (APPs). The APPs are designed to ensure individuals have access, transparency and autonomy when it comes to their personal information. Examples of APPs include:

  • Where possible, enabling individuals to anonymise themselves with respect to certain matters;
  • Only collecting personal information that is necessary for one of the business’s activities;
  • Only collecting personal information through fair and lawful means;
  • Notifying individuals that their information is being collected;
  • Only disclosing the information to third parties in permitted circumstances;
  • Deleting personal information when it is no longer required;
  • Having adequate security measures in place to protect personal information.

A good first step towards compliance is putting together a Privacy Act-compliant privacy policy, as required by APP 1.3. The specific contents of your privacy policy may differ depending on your industry, the services you are providing, the ways you are collecting information, and so on; however, APP 1.4 sets out the minimum information that a privacy policy must contain:

  • How and why the business collects and holds personal information;
  • How an individual may access and correct their personal information;
  • How an individual may complain about a breach of an APP;
  • Whether their personal information is likely to be disclosed to overseas recipients and, if so, where those recipients are likely to be located.

Sensitive Information

More onerous requirements apply when your business is collecting sensitive information, which is information about a person's:

  • Race or ethnicity;
  • Health, genetics or biometrics;
  • Political, religious or philosophical beliefs or affiliations;
  • Sexual orientation or practices;
  • Membership of a professional or trade association or trade union.

As a health startup, it is highly likely that your business will be collecting information related to an individual's health, genetics, biometrics, race or ethnicity, and possibly also their sexual orientation or practices. You should get in touch with a startup commercial lawyer who is experienced with health startups.

The APPs set out how sensitive information must be treated differently to personal information. For example, a business may only collect personal information if it is reasonably necessary for one or more of its functions. However, it may only collect sensitive information if it is necessary for one or more of its functions AND if the individual consents. Similarly, a business may use personal information for direct marketing if the individual would reasonably expect the business to do so, and has a simple way to opt out of direct marketing. Conversely, it may only use sensitive information for direct marketing with the individual’s consent.

Where activities under the Privacy Act require an individual’s consent, such as in the examples given above, a privacy policy can be a great place to procure this consent. For more advice on what to include in a privacy policy, read here.

Get in touch

Here at Allied Legal, our commercial lawyers have assisted countless startups with navigating their privacy obligations under the Privacy Act. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at hello@alliedlegal.com.au.
