Health Startup Considerations – Australian Privacy Law

The health industry is one of Australia’s more heavily regulated industries. As well as having to consider the regulatory requirements of the Therapeutic Goods Administration, and possibly AHPRA, health startups need to determine the applicability of Australian privacy laws.

Privacy Law in Australia

The legal framework for privacy in Australia, as it applies to the private sector, is the Privacy Act 1988 (the Privacy Act). The Privacy Act generally only applies to businesses with annual revenue exceeding $3,000,000. However, if your business falls into one of several specified industries, including the provision of health services, the Privacy Act applies regardless of your turnover (you can find a full list of the specified industries covered by the Privacy Act here).

What is a Health Service?

Just because your business is playing in the health space doesn't necessarily mean you will be classed as a health service (although it's likely). A service is a health service under the Privacy Act if:

  • It is intended or claimed to:
      • Assess, maintain, improve or manage the recipient's health;
      • Diagnose or treat an illness, disability or injury; or
      • Record a person's health for the purposes of assessing, maintaining, improving or managing their health; or
  • It involves dispensing prescribed drugs.

The above applies whether the service relates to physical or psychological health. If you think your business is offering a service which may be caught by the above definition, but you're unsure, we strongly recommend speaking with a startup lawyer to confirm your obligations. If your business is captured by the above, then you will need to comply with the Privacy Act.

Complying with the Privacy Act

Compliance with the Privacy Act, for the most part, requires compliance with the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act. The APPs are designed to ensure individuals have access, transparency and autonomy when it comes to their personal information. Examples of APPs include:

  • Where practicable, allowing individuals to remain anonymous in certain dealings with the business;
  • Only collecting personal information that is necessary for one of the business's activities;
  • Only collecting personal information through fair and lawful means;
  • Notifying individuals that their information is being collected;
  • Only disclosing the information to third parties in permitted circumstances;
  • Deleting personal information when it is no longer required;
  • Having adequate security measures in place to protect personal information.

A good first step towards compliance is putting together a Privacy Act compliant privacy policy, as required by APP 1.3. The specific contents of your privacy policy may differ depending on your industry, the services you are providing, the ways you are collecting information, and so on; however, APP 1.4 sets out the minimum information that a privacy policy must contain:

  • How and why the business collects and holds personal information;
  • How an individual may access and correct their personal information;
  • How an individual may complain about a breach of an APP;
  • Whether personal information is likely to be disclosed to overseas recipients and, if so, where those recipients are likely to be located.

Sensitive Information

More onerous requirements apply when your business is collecting sensitive information, which is information about a person's:

  • Race or ethnicity;
  • Health, genetics or biometrics;
  • Political, religious or philosophical beliefs or affiliations;
  • Sexual orientation or practices;
  • Membership of a professional or trade association or trade union.

As a health startup, it is highly likely that your business will be collecting information related to an individual's health, genetics, biometrics, race or ethnicity, and possibly also their sexual orientation or practices. You should get in touch with a startup commercial lawyer who is experienced with health startups.

The APPs set out how sensitive information must be treated differently from other personal information. For example, a business may only collect personal information if it is reasonably necessary for one or more of its functions. However, it may only collect sensitive information if it is necessary for one or more of its functions AND the individual consents. Similarly, a business may use personal information for direct marketing if the individual would reasonably expect the business to do so and has a simple way to opt out of direct marketing. Conversely, it may only use sensitive information for direct marketing with the individual's consent.

Where activities under the Privacy Act require an individual’s consent, such as in the examples given above, a privacy policy can be a great place to procure this consent. For more advice on what to include in a privacy policy, read here.

Get in touch

Here at Allied Legal, our commercial lawyers have assisted countless startups with navigating their privacy obligations under the Privacy Act. If you need a privacy policy drafted, or if you have any queries about your privacy obligations under Australian law, give us a call on 03 8691 3111 or email us at hello@alliedlegal.com.au.
