Guide - Privacy and persons with reduced decision-making capacity
Read the document below or download it here: Guide - Privacy and persons with reduced decision-making capacity, updated November 2021
Privacy Commissioner’s foreword
Since this guide was first issued in 2004, there have been significant developments in NSW privacy and disability laws, as well as understanding of the privacy rights of persons with reduced decision-making capacity across Australia more broadly.
The shift in legal approaches and understanding of disability rights is in recognition of the ratification by Australia in 2008 as a State Party to the United Nations’ Convention on the Rights of Persons with Disabilities (CRPD). In 2012, the Commonwealth introduced the National Disability Insurance Scheme. In 2015, the Disability Inclusion Act 2014 commenced in NSW, and one of the objects of the Act is to support, to the extent reasonably practicable, the purposes and principles of the CRPD[1].
The Privacy Commissioner has oversight of the Privacy and Personal Information Protection Act 1998 (PPIP Act), and the Health Records and Information Privacy Act 2002 (HRIP Act). The lawful and respectful handling of an individual’s personal and health information is a key concern of the Information and Privacy Commission NSW (IPC) and central to the Privacy Commissioner’s role and functions.
Public sector agencies are expected to comply with these laws when dealing with the diverse needs and interests of individuals, including individuals with varying capacities to make decisions about their personal and health information.
The Privacy Commissioner has prepared this guide in line with the general functions given to the Commissioner under s. 36(2) of the PPIP Act and s. 58 of the HRIP Act. These functions include preparing and publishing guidelines relating to the protection of personal information, health information and other privacy matters.
This guide has been revised and updated to assist agencies’ compliance with their obligations in the Information Protection Principles (IPPs) under the PPIP Act and the Health Privacy Principles (HPPs) under the HRIP Act.
There are a range of matters to be considered by agencies to ensure fair and effective engagement with persons with reduced decision-making capacity. The guide suggests best practice tips for agencies when collecting, using and disclosing personal and health information about individuals with reduced decision-making capacity. These may assist NSW public sector agencies to meet their obligations in a manner that protects, and supports to the greatest extent possible, the privacy rights of adults with reduced decision-making capacity.
The Privacy Commissioner recognises that the regulatory oversight of disability, capacity and decision-making resides primarily with the NSW Trustee & Guardian, the NSW Public Guardian, and the Department of Communities and Justice. In developing this guide, the Commissioner has consulted these agencies and the NSW Ministry of Health and has included references to their published guidance on disability and decision-making.
Finally, the Privacy Commissioner recognises that some agencies have chosen to reference and include a link to the former 2004 version of this guide in their Privacy Management Plans which are required under s. 33 of the PPIP Act. It is anticipated that a link to this revised 2021 guide will be included in agencies’ Privacy Management Plans to ensure best practice when dealing with persons with reduced decision-making capacity.
Samantha Gavel
Privacy Commissioner
Information and Privacy Commission NSW
November 2021
The purpose of this guide
This guide is directed to NSW public sector agencies to assist them when dealing with people with reduced decision-making capacity in relation to the exercise of their functions under the PPIP Act and the HRIP Act.
The purpose of this guide is to highlight ‘reduced decision-making capacity’ as an important consideration that may arise when NSW public sector agencies engage with a diverse range of individuals, particularly when agencies collect personal and health information.
The primary focus of this guide is the ‘collection principles’ under the PPIP Act and the HRIP Act, however, the practical tips can be applied to the exercise of all IPPs and HPPs.
In Chapter 1, this guide identifies disability rights principles under the CRPD.
In Chapter 2, this guide explains the terms ‘capacity’ and ‘reduced decision-making capacity’.
In Chapter 3, this guide identifies how NSW privacy laws deal with the issue of capacity and reduced decision-making capacity.
In Chapter 4, this guide identifies considerations specific to collecting personal and health information from or about a person with reduced decision-making capacity.
In Chapter 5, this guide provides practical tips to assist agencies when dealing with or obtaining consent from persons with reduced decision-making capacity.
In Chapter 6, this guide refers agencies to other published guidance issued by the Privacy Commissioner as well as publications about capacity and decision-making issued by the NSW Trustee & Guardian and the Department of Communities and Justice.
What this guide does not do
The Privacy Commissioner has developed this guide to apply to personal and health information protection only and it does not cover the right of privacy generally or physical privacy. It is also not intended to apply to children who lack decision-making capacity only due to their age.
Agencies should be aware that this guide is not to be used by agencies to assess or determine whether a person has capacity or has reduced decision-making capacity.
For detailed guidance on legal capacity, agencies should refer to the links provided in this guide to the NSW Trustee and Guardian, the NSW Public Guardian, and the Department of Communities and Justice (Chapter 6).
1. Disability rights principles
Protection of personal information and privacy is fundamental to a person’s ability to enjoy their human dignity and autonomy.
The guiding principles in the international CRPD as set out in Article 3 are as follows:
- Respect for inherent dignity, individual autonomy including the freedom to make one’s own choices, and independence of persons
- Non-discrimination
- Full and effective participation and inclusion in society
- Respect for difference and acceptance of persons with disabilities as part of human diversity and humanity
- Equality of opportunity
- Accessibility
- Equality between men and women
- Respect for the evolving capacities of children with disabilities and respect for the right of children with disabilities to preserve their identities.[2]
With respect to capacity, privacy, and information access, the CRPD also requires:
- recognition that persons with disabilities enjoy legal capacity on an equal basis with others in all aspects of life, and that State Parties shall take appropriate measures to provide access by persons with disabilities to the support they may require in exercising their legal capacity (Article 12)
- the protection of the privacy of personal, health and rehabilitation information of persons with disabilities on an equal basis with others (Article 22)
- the right to access and receive information, including through accessible means, modes and formats of communication in official interactions (Article 21).
Section 4 of the Disability Inclusion Act 2014 contains general principles which are consistent with the CRPD including:
- the right to privacy and confidentiality for people with disability is to be respected
- people with disability have the right to access information in a way that is appropriate for their disability and cultural background, and enables them to make informed choices.
The law in NSW presumes that all individuals 18 years and over have full legal capacity, except in special circumstances where a court or the NSW Civil and Administrative Tribunal (NCAT) makes orders for a person who has limited legal capacity.
Further information on legal capacity can be obtained by following the link to the Capacity Toolkit provided at Chapter 6.
2. What is ‘capacity’ and ‘reduced decision-making capacity’?
The key terms used in this guide are ‘capacity’, ‘reduced decision-making capacity’, and ‘substituted decision-making’.
The term ‘capacity’ is a legal word used in this guide to refer to an adult’s ability to make a decision.
In this guide, the term ‘reduced decision-making capacity’ is concerned with cognitive ability and acknowledges that a person may not always be capable of making a decision about their personal or health information. This is relevant to whether a person is capable of providing their informed consent to certain agency actions under the PPIP Act and HRIP Act involving their personal or health information. The term ‘reduced decision-making capacity’ refers to a range of capacities, including persons who lack capacity to understand information and make any decisions, to persons whose decision-making ability is limited but may be assisted to make decisions with support.
These definitions are informed by the NSW Capacity Toolkit published by the Department of Communities and Justice. Agencies can access the Capacity Toolkit through the link provided in Chapter 6 of this guide.
The NSW Capacity Toolkit explains that when a person has capacity to make a particular decision, they are able to do all of the following:
- understand the facts involved
- understand the main choices
- weigh up the consequences of the choices
- understand how the consequences affect them
- communicate their decision.
An agency should not assume that a person lacks capacity just because they have a particular disability, or if the person does not necessarily communicate in a way that the agency clearly understands.
As a general principle, a person’s capacity should only be assessed by an appropriately qualified health professional. However, there will be situations where agencies will deal with people and make decisions that involve judgements about the person’s capacity.
With reference to the NSW Capacity Toolkit, the following four propositions are relevant to agencies weighing up when engaging with a person whose capacity may affect their ability to understand information, make a decision about their personal or health information, or give or withhold their consent to the agency.
- Capacity is unique to the individual
A wide range of conditions may affect a person’s capacity. A person’s capacity to make decisions may be reduced either temporarily or be ongoing because of a range of factors, such as a mental illness, cognitive impairment, intellectual disability, dementia, brain injury or stroke.
Capacity also varies widely among people, for example, two people with dementia or the ‘same’ mental illness can have very different degrees of capacity.
Decision-making capacity may be influenced by each person’s unique social circumstances, emotional and intellectual abilities. Whether the person has access to reasonable supports, including informal supports through a family member or friend, can assist a person with reduced decision-making capacity to understand information, or to communicate their decision.
- Capacity is not static
A person’s capacity may change over time. The ability to make decisions may be affected by factors that are pre-existing or acquired, temporary, episodic or chronic. For example, a person who has a mental illness may not be able to make particular decisions during periods when they are acutely unwell but can have capacity at other times. A person with dementia may have capacity in the early stages of dementia but lose capacity to make decisions about parts or all areas of their life as the condition progresses.
- Capacity is decision specific
A person can have capacity to make decisions about certain aspects of their lives but may not have capacity to make decisions about other matters, even with supports. For example, a person may have capacity to make decisions about basic health care and their lifestyle generally, such as where they want to live and with whom they choose to share their personal information, but may not have capacity to make some decisions about their financial affairs or major medical treatment.
Similarly, a person may not have capacity to make decisions about specific types of personal information (such as their financial information, or health information), but may still have capacity to make decisions involving other kinds of personal information that may be collected by an agency. This information could include, for example, their address and telephone number, or Medicare number.
- Capacity can depend on the support provided to make a decision
A person’s capacity to make decisions about their personal or health affairs or information can depend on whether appropriate support is provided, such as to enable the person to provide informed consent to an agency to collect their personal or health information.
A person may have support from a carer or relative, however an agency can also provide support to assist the person. For example, a person with an intellectual disability may require the agency to communicate to them in a way that is appropriate to their ability and this may involve using a method of communication with which they are familiar or can comfortably respond to.
In summary, a person’s capacity to make decisions about their personal and health information:
- can depend on the nature or sensitivity of the information, or the complexity of the decision to be made and how it may impact on their personal affairs
- can depend on the support provided to the person to assist their decision-making
- can depend on the ways or methods by which the agency communicates the information to help them to understand their privacy rights.
3. What do NSW privacy laws say about persons with reduced decision-making capacity?
Overview
The PPIP Act and the HRIP Act set the legal framework for how agencies protect and safeguard personal and health information records, and authorise agencies to deal with personal and health information in certain ways.
NSW privacy laws are also concerned with whether persons have been provided with sufficient information by the agency to allow them to make decisions about their personal and health information.
The IPPs under the PPIP Act and the HPPs under the HRIP Act tell agencies the legal requirements for:
- collection
- storage
- responding to requests for access and amendment/correction or deletion
- use
- disclosure.
The HPPs also contain the following additional distinct principles:
- Identifiers
- Anonymity
- Transfer of health information outside of NSW
- Linkage of health records.
Other NSW laws can determine when a person lacks legal capacity and may impact on agencies’ obligations under the PPIP Act and HRIP Act., These laws may even give lawful authority to allow an agency to depart from the IPPs and HPPs.
These legal circumstances for modifying compliance with NSW privacy laws are further discussed below.
PPIP Act
The PPIP Act’s obligations on agencies outlined in ss. 8-19 (IPPs 1-12) apply to protect the personal information about individuals that is held by agencies, but do not provide for different privacy protections or otherwise distinguish between persons with reduced decision-making capacity and others in the community.
The statutory exemptions from compliance with the IPPs do not have a specific or different application where the personal information concerns a person who lacks capacity or who has reduced decision-making capacity.
HRIP Act
The HRIP Act defines health information in s. 6 to include information about the individual’s mental health or a disability (at any time), or their express wishes about the future provision of health services.
The HRIP Act in s. 7 prescribes when a person lacks capacity to do any act under this legislation. Section 7(1) states that an individual is incapable of doing an act authorised, permitted or required by the HRIP Act if the individual is incapable (despite the provision of reasonable assistance by another person) by reason of age, injury, illness, physical or mental impairment of -
- understanding the general nature and effect of the act, or
- communicating the individual’s intentions with respect to the act.
Section 7(2) permits an “authorised representative” to act on the person’s behalf, by doing such an act on behalf of the individual who is incapable of doing that act. However, the HRIP Act in s. 7(3) confirms that an authorised representative may not do such an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the representative to do that act.
An “authorised representative” acts as a substitute decision-maker for a person who lacks capacity under the HRIP Act. Section 8 defines an “authorised representative” as:
- an attorney for the individual under an enduring power of attorney, or
- a guardian within the meaning of the Guardianship Act 1987, or a person responsible within the meaning of Part 5 of that Act, or
- a person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual.
An agency is permitted to collect health information from the authorised representative (cl. 4(5) of Sch. 1; HPP 4(5)). Where an agency reasonably believes that the individual is incapable of understanding the general nature of the matters concerning the collection of the information by the agency listed in cl. 4(1) of Sch. 1 (HPP 4(1)), the agency must take reasonable steps to inform the authorised representative of those matters.[3]
The requirements on agencies when collecting information from a person’s representative or another person is also dealt with in Chapter 4.
Codes of Practice and Public Interest Directions
Privacy Codes of Practice under the PPIP Act and Health Privacy Codes of Practice under the HRIP Act may also impact how agencies comply with the IPPs and HPPs in circumstances involving the personal or health information of persons with reduced decision-making capacity.[4]
Following consultation with the Privacy Commissioner, the Minister may make a Privacy Code of Practice under s. 31 of the PPIP Act, or a Health Privacy Code of Practice under s. 40 of the HRIP Act, that exempts or modifies how an agency is to comply with the IPPs or HPPs for certain matters.
The Privacy Commissioner may make a Public Interest Direction under s. 41 of the PPIP Act or
s. 62 of the HRIP Act. These can include that an agency is not required to comply with an IPP, HPP or Code of Practice, or that their application may be modified in particular circumstances. A Public Interest Direction can only be made if the Privacy Commissioner is satisfied that it is in the public interest to do so.
Other NSW laws which deal with persons with reduced decision-making capacity
NSW laws that apply to persons with reduced, limited, or a lack of decision-making capacity may also regulate how agencies handle personal or health information in the exercise of their functions. Where a person lacks legal capacity, the legal framework in NSW for obtaining substitute consent or decision-making on behalf of the person will apply.
While this guide does not provide guidance on agencies’ responsibilities or functions under laws other than the PPIP Act and HRIP Act, key legislation is outlined below to highlight how these laws may intersect with NSW privacy laws.
In NSW, the Guardianship Act 1987 provides the legal framework for permitting persons in NSW, or the NSW Public Guardian, to become a substituted decision-maker for a person who lacks legal capacity.
An agency may be permitted to deal with a substituted decision-maker on behalf of the person to whom the information relates, such as a guardian or enduring guardian under the Guardianship Act 1987. An agency is not subject to the requirements of the PPIP Act and HRIP Act for certain disclosures of information under the Guardianship Act 1987, where the disclosure would assist the functions of an enduring guardian.[5]
The Mental Health Act 2007 enables a person to become a designated carer or be recognised as the principal care provider for the person about whom the mental health information relates.[6] These designated carers can be lawfully provided with the individual’s health information in certain circumstances.
Other provisions in the Mental Health Act can also permit disclosure of a person’s health information in certain circumstances.
Agencies should seek legal advice before making decisions about information handling under these laws, or how these may apply to their obligations under the PPIP Act and HRIP Act when collecting or handling information. Agencies can also obtain further information from the links provided to the NSW Trustee & Guardian and to the NSW Ministry of Health website for further information on the Mental Health Act in Chapter 6.
4. How should agencies collect information from persons with reduced decision-making capacity?
Collection principles under the PPIP Act and HRIP Act
The key expectation for the collection of personal or health information from individuals is that agencies comply with the collection principles for personal or health information under these laws.[7] The collection principles generally require agencies to collect personal or health information directly from the person to whom the information relates.
An agency’s compliance with the collection principles can protect the privacy rights of persons with disabilities, illness or impairments affecting their decision-making who often do not enjoy the same control over their personal affairs as other people.
The provision of information to such persons in compliance with the collection principles informs their decision to provide their personal or health information to an agency. This supports their personal autonomy and dignity. It enables them to exercise greater control over whether their information becomes known to others, including government agencies, private organisations, professionals, and family and friends.
The basic standards for collection that are shared by the PPIP Act and HRIP Act include:
- only collect personal and health information for a lawful purpose
- only collect personal or health information if it is directly related to your organisation’s activities and necessary for that purpose
- ensure the personal and health information is relevant, accurate and up-to-date, and not excessive
- make sure the collection does not unreasonably intrude into the personal affairs of the individual
- generally, collect personal and health information directly from the person
- tell people you are collecting the personal or health information and why.
This is a summary of the collection principles in IPPs 1-4 and HPPs 1-4. Agencies should consult the specific provisions in ss. 8-11 of the PPIP Act (IPPs) and cl. 1-4 of Sch. 1 of the HRIP Act (HPPs).
The full text of the IPPs and HPPs is available in the link at Chapter 6.
Collection principle – privacy notification
The collection principles in s. 10 of the PPIP Act (IPP 3) and cl. 4 of Sch.1 of the HRIP Act (HPP 4) require agencies to inform a person of certain matters at the time of collection.
The collection principle in s. 10 of the PPIP Act (IPP 3) requires agencies to take reasonable steps to make an individual aware of all of the following matters:
(a) the fact that the information is being collected
(b) the purposes for which the information is being collected
(c) the intended recipients of the information
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided
(e) the existence of any right of access to, and correction of, the information
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
The collection principle in cl. 4(1) of Sch.1 of the HRIP Act (HPP 4(1)) requires agencies to take reasonable steps to make an individual aware of all of the following matters:
(a) the identity of the organisation and how to contact it
(b) the fact that the individual is able to request access to the information
(c) the purposes for which the information is collected
(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind
(e) any law that requires the particular information to be collected
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
The purpose of notification under IPP 3 and HPP 4 is to ensure reasonable steps are taken to provide the opportunity to the person to make an informed decision about whether to provide or to withhold their personal or health information if provision of the information is not mandatory or compulsory.
Agencies may sometimes refer to these collection notification principles as ‘privacy notifications’ or ‘privacy notices’ which may be in the form of written statements or notices. While compliance with IPP 3 and HPP 4 does not require the agency to demonstrate that the person actually understood the notification given, agencies should aim to communicate this notice in a meaningful way, including by providing the information in a simple or specific way.
The ways that agencies can demonstrate compliance with the collection notification principle are by, for example, using a written privacy notice in Easy English that sets out the purpose of the collection to a person, and taking the time to assist the person to understand the collection process as well as their rights. A person with reduced capacity may also be assisted by a support person which means agencies may also include support persons when giving notification so that the person is assisted to understand.
The collection notification principle requires that the agency takes reasonable steps to make the person aware of certain matters and this may be demonstrated for persons with reduced capacity in the ways suggested above.
For some legal purposes, agencies may need to obtain a legally valid consent to collect, use or disclose personal or health information for specific purposes. In such cases, additional steps will generally be required so that the agency can demonstrate that the person or their substituted decision-maker understood the information provided to them and consented based on that information. Consent may be documented by a signed consent form. In some cases, a written record of a consent provided verbally may be acceptable.
For further guidance on obtaining consent under the PPIP Act and HRIP Act, agencies can refer to IPC guidance in the Fact Sheet – Consent and Bundled Consent.
Collection of personal or health information from someone else
The PPIP Act and HRIP Act require agencies to collect information directly from the individual to whom the personal or health information relates but do also permit collection from someone else according to specific requirements set out in the Acts. As identified in Chapter 3, some NSW laws for authorising and appointing substitute decision-makers also regulate how the substitute decision-maker may deal with the person’s health or personal information on their behalf.
Under the PPIP Act (s. 9(a); IPP 2), an agency is permitted to collect personal information about an individual from someone else, if the individual has authorised collection of the information from someone else. This might include, for example, an informal support person such as a family member or carer, who can assist the person with reduced decision-making capacity to understand information or help them communicate their decision.
Under the HRIP Act (cl. 3 of Sch. 1; HPP 3), an agency must collect health information about an individual only from that individual, but if it is unreasonable or impracticable to do so, the agency is permitted to collect the health information from someone else.
This would include, for example, collection where a person is not conscious, but may include circumstances where a person is injured and not able to communicate despite attempts to support the person.
If an agency collects health information about an individual from someone else, cl. 4(2) of Sch. 1 (HPP 4(2)) requires the agency to take any steps that are reasonable in the circumstances to ensure that the individual (such as a person with reduced decision-making capacity) is generally aware of the matters set out in the notification collection principles in cl. 4(1) of Sch. 1; HPP 4.
An agency must also take steps that are reasonable in the circumstances to ensure that any authorised representative of the individual is aware of those matters in HPP 4(1), where the agency is collecting information from an authorised representative of the individual under s. 8
(HPP 4(5)).
The Privacy Commissioner is given functions under cl. 4(3) of Sch. 1 to issue guidelines setting out the circumstances in which an organisation, such as an agency, is not required to comply with the obligation in cl. 4(2). Agencies can refer to the statutory guideline on collection of health information from third parties issued by the Privacy Commissioner under cl. 4(3).
When dealing with persons in situations where the agency is concerned that the person demonstrates a lack of capacity to understand information, it is best practice for the agency to check if there is a record of the authorisation of a substitute decision-maker. There may, however, be exceptional circumstances where it may not be practicable to confirm the record of authorisation of a substitute decision-maker, such as clinical emergencies.
For example, where clinicians need to act quickly or even urgently in collecting information from any person available to provide the information about the person who lacks decision-making capacity because they are unconscious – in such a situation, there may not be time to check records about authorisation.
Where an informal support person such as a family member or carer is involved in the collection circumstances, agencies should also seek the views of the person with reduced capacity as to whether they wish the other person to assist in the collection of the information.
5. Practical tips for agencies
Use appropriate communication when providing information
The disability rights principles set out in Chapter 1 and the explanation of ‘capacity’ in Chapter 2 highlight the importance of reasonable support. Agencies’ communication with a person with reduced decision-making capacity is a relevant part of supporting persons to understand their privacy rights.
Agencies should take reasonable steps to provide information about their collection of personal information through communication that responds to the person’s support needs and which also assists the person to be able to express their views and decisions.
For example, the use of Easy English formats for providing information in a privacy notice can assist the person to participate meaningfully in the collection of information and be able to express their views and preferences in decision-making. For an agency providing services to clients with an intellectual disability, this might include a pictorial or symbolic format that can be understood by people with an intellectual disability.
Consider whether a person has capacity
As a general principle, a person’s capacity should only be assessed by an appropriately qualified health professional.
When dealing with an individual, agencies should presume that a person has capacity to make decisions about their personal or health privacy unless the agency is informed that the person has been assessed by a health professional as lacking decision-making capacity. An agency should not assume a lack of decision-making capacity just because the person has a disability or illness and requires supports to communicate or convey their opinion.
However, in information collection situations, agencies may need to make decisions that involve judgements about a person’s capacity to understand or provide informed consent.
Agencies may be assisted by considering the following questions when dealing with persons who may lack capacity to understand their rights under NSW privacy laws:
- Can the person express a view about the conduct at the present time?
- Has the person been given an opportunity to express their views or opinions about how their personal/health information is handled?
- Has the person previously expressed a view or wish about their personal or health privacy of which the agency is aware or could reasonably make itself aware?
- Is there any reason why the person’s current wishes or previously expressed wishes cannot or should not be followed now?
- How has the person been provided with support that is appropriate to their capacities to enable them to be involved in decisions?
- Does the person have a preferred support person, if so, how is this person identified and contacted?
- Is it possible to seek the views or consent of the person’s support person?
Consider how to obtain informed consent
When communicating with a person with reduced capacity to obtain their consent, agencies should be mindful of the particular needs of persons with reduced decision-making.
When relying on a person’s consent or express consent to collect, use, or disclose personal or health information, there may be ways that agencies can better support persons with reduced decision-making capacity.
For example, agencies may need to consider whether the standard information collection notice is effective for collecting information from a person with a mild intellectual disability. A person may be able to understand a notification form but may require the agency to help explain the effects of a decision to consent to the use or disclosure of their sensitive personal information.
Agencies may also need to be particularly careful to identify whether the person with reduced decision-making capacity has consented to the agency taking certain action for a secondary purpose for the use and disclosure of their personal or health information.[8]
Both the PPIP Act and HRIP Act also require the agency to obtain a person’s “express consent” to take certain actions in relation to the personal and health information.
Express consent is consent where the person’s intention to give informed consent is clearly and unmistakably provided. It is preferable for agencies to obtain express consent in writing, but may be given orally, or in any other form where the consent is clearly communicated.
If a person gives their consent orally or by other means such as through a sign interpreter, agencies should document this in their records.
It is generally preferable to seek a person’s express consent because it may be difficult to demonstrate that an individual has genuinely consented if consent is merely inferred by an agency (implied consent).
The PPIP Act stipulates that express consent must be obtained by the agency before being authorised to take the following actions with the personal information:
- use their personal information for a purpose other than the purpose for which the information was collected (s. 17 (IPP 10))
- disclose their non-sensitive personal information (s. 18 (IPP 11))
- disclose their sensitive personal information (s. 19(1) (IPP 12)).
The exemption in s. 26(2) says that agencies do not have to comply with the usual obligations regarding notification (s. 10) and restrictions on disclosure of the information (ss. 18 and 19) if the person has expressly consented to non-compliance with the relevant IPPs.
The HRIP Act also requires express consent for certain actions to be taken about health information, including:
- not to be notified of certain collection matters in HPP 4, with the effect that the information may be collected from someone else
- including the health information in a health records linkage system (cl. 15 of Sch. 1; HPP 15)
- disclose an identifier of the individual to any person if the purpose is to include the information in a health records linkage system (cl. 15 of Sch. 1; HPP 15).
Implied consent is consent that can reasonably be inferred from an individual’s conduct or actions indicating their willingness to provide information or their consent for it to be used in some way.
The PPIP Act and HRIP Act rely on agencies making persons aware of certain things, including that:
- the personal information will be handled in line with the agency’s functions and purposes
- the person is properly informed of the requirements for conduct under the IPPs or HPPs, and is made aware of the expectations placed on agencies
- the person is properly informed about how their information is used and can make choices about how much information they are prepared to provide.
If a person has reduced decision-making capacity, they may not be able to give their express consent to certain matters impacting on their privacy rights and about their personal or health information.
Further, the impact of a disability, injury or illness on a person’s capacity may cause the person to lose their awareness or memory of matters for which they were previously made aware and may have also consented to. The same person may not be able to understand information at a later point in time where the agency may be required to obtain their consent.
Agencies should be careful not to assume (implied) consent as a basis for taking certain actions with respect to an individual’s personal or health information just because the person has not stated their objection to the proposed conduct. The person may not have heard, or may not have understood, the information to make an informed decision.
Consent is not implied just because the agency may assume that:
- the proposed conduct by the agency is disclosure of personal information to the person’s spouse or family member
- the benefits of consenting, from the agency’s perspective, suggest that the person would ‘probably’ consent if asked for their view
- most other people have consented to the same use or disclosure of the information
- the person has given consent in the past
- the person has communicated a response which might suggest consent is being given, but the agency is unsure or does not understand that the person is consenting.
Involve the person in decisions about their personal and health information
Individuals with reduced decision-making capacity will not always have the control over their privacy that others in the community may have. Agencies should always aim to directly involve persons with reduced decision-making capacity in decisions about their personal or health information.
However, agencies may be required to deal with a person who is authorised to make decisions on behalf of the person with reduced capacity, such as a person under s. 8 of the HRIP Act, which can include where the person is subject to a guardianship order or financial management order made by the NCAT.
In these situations, the agencies may be required to obtain consent from the authorised person as permitted by ss. 7 and 8 of the HRIP Act, or by the other law or legal arrangement that may apply to remove or modify the agency’s requirement to comply with the PPIP Act or HRIP Act (see Chapter 3).
It is best practice to check if the agency holds a record confirming the authorisation of another person to act on their behalf.
However, agencies should still involve the person as much as is possible in the decision-making process if this is reasonable in the circumstances.
A person’s wishes, opinions or preferences about their personal and health information privacy may still be identified and should be considered when making a decision about their personal or health information.
In conclusion, the key tips in this guide are as follows:
- Involve the person in the decision-making about their personal and health information as much as is possible and reasonable
- Provide information in a manner that is capable of being understood by the person with reduced decision-making capacity
- Use clear communication and employ techniques to support the person’s capacity to understand
- Consider the unique circumstances of the person and do not assume that the person has implied consent or that the person lacks consent to make decisions.
6. Other useful resources
Information and Privacy Commission NSW
The Privacy Commissioner makes publicly available a range of guidance for both agencies, the NSW community, and private health providers.
Agencies can consult the following publications:
- Fact Sheet on the IPPs for agencies
- Fact Sheet on the HPPs for agencies
- Fact Sheet on consent and bundled consent
- Statutory Guideline on collection of health information from a third party
- Guide for making privacy management plans
Department of Communities and Justice – Capacity Toolkit
The Department of Communities and Justice makes publicly available a guide for persons in NSW who may have concerns about the ability of a person to make decisions.
The Capacity Toolkit is a guide to assessing an adult person’s capacity to make legal, medical, financial and personal decisions. The Capacity Toolkit provides information about capacity, some general capacity principles, and guidelines on assessing a person’s capacity to make decisions.
Agencies are encouraged to consult the Capacity Toolkit available here: Capacity Toolkit (nsw.gov.au)
NSW Trustee & Guardian and NSW Public Guardian – Supported decision-making and Capacity resource
The NSW Trustee & Guardian is a statutory agency within the NSW Stronger Communities Cluster of the Department of Communities and Justice, comprising a group of NSW agencies working together to support vulnerable persons, such as in the appointment of a financial manager to guardian by the Guardianship Division of the NCAT or the Supreme Court of NSW.
The NSW Public Guardian is part of the NSW Trustee & Guardian and is a public official appointed by the Guardianship Division of the NCAT or Supreme Court to make substituted decision-making arrangements in healthcare, lifestyle and medical decisions for a person who lacks decision-making ability.
The NSW Trustee & Guardian also provides a resource called Supported decision-making and Capacity which explains supported decision-making as a human right. Supported decision-making assists a person to make their own decisions and have control over what happens to them.
Agencies can obtain further guidance here: https://www.tag.nsw.gov.au/guardianship/supported-decision-making-and-capacity.
NSW Ministry of Health
Agencies can consult the following publications:
- Privacy Manual: https://www.health.nsw.gov.au/policies/manuals/Pages/privacy-manual-for-health-information.aspx
- Mental Health Act guidebook: https://www.heti.nsw.gov.au/__data/assets/pdf_file/0009/457983/mental-health-act-2017-guidebook.pdf
- Information about designated carers and principal care providers: https://www.health.nsw.gov.au/mentalhealth/services/carers/pages/default.aspx
- NSW Health Consent to Medical and Healthcare Treatment Manual: https://www.health.nsw.gov.au/policies/manuals/Pages/consent-manual.aspx
NOTE: The information in this Guide is to be used by NSW agencies and private sector persons for guidance only. The IPC can give general advice on rights and compliance under privacy and information access legislation, but cannot give legal advice. Legal advice should be sought in relation to individual circumstances.
[1] Disability Inclusion Act 2014, s. 3(e).
[2] https://www.un.org/development/desa/disabilities/convention-on-the-rights-of-persons-with-disabilities/guiding-principles-of-the-convention.html
[3] HRIP Act, Sch. 1, cl. 4(5) (HPP 4).
[4] For more information, see Guidance on the preparation and assessment of Privacy Codes of Practice under the PPIP Act and HRIP Act (November 2019) on the IPC website.
[5] Guardianship Act 1987, ss. 6E(2B) and 2(C).
[6] Mental Health Act 2007, ss. 71-72A.
[7] Collection principles: ss. 8-11 of the PPIP Act (IPPs 1-4); Sch. 1, cl. 1-4 of the HRIP Act (HPPs 1-4).
[8] PPIP Act, s. 17(a); IPP 10; HRIP Act, cl. 10(1)(a); HPP 10 and cl. 11(1)(a); HPP 11.