
Meeting Your Duty of Care in the Digital Environment

1N CPD in Australia | 0.5G in New Zealand | 23 June 2017


This course was promoted in mivision July Issue 125 as being accredited for 2 CPD Points. However, Eye on CPD has reviewed the course and accredited it as a non-clinical learning activity with 1 CPD point.


By Dr. Kate Taylor and Alison Choy Flannigan

The evolving e-environment for collaborative care and clinical communication brings with it important issues of patient privacy and duty of care that optometrists and other clinicians must be aware of.

Recent media attention concerning the privacy breach by the Australian Red Cross Blood Service highlights privacy risks associated with health information.

The penalty for a serious or repeated interference with privacy under the Commonwealth Privacy Act 1988 (Cth) can be up to AU$1.8 million for a body corporate or AU$360,000 for an individual.

The increased use of technology is revolutionising modern medical practice. Health care providers are required to uphold high standards for protecting patient privacy, whether in hard copy or electronically. They need to ensure that they have appropriate privacy and security risk management strategies in place concerning how they collect, use and disclose personal information.

What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Sensitive information includes details about an individual’s:

  • racial or ethnic origin
  • sexual orientation or practices
  • political opinions and membership of political associations, professional or trade associations or trade unions
  • religious beliefs or affiliations and other philosophical beliefs
  • criminal record.

Health information is included in ‘sensitive information’. As such, it requires a higher level of privacy protection than other personal information.

The Legal Framework Underpinning Changing Norms

The key legislation articulating the levels of protection required for all health information in the Australian private sector is the Privacy Act 1988 (Cth) (Privacy Act). There is also State and Territory legislation including the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Health Records (Privacy and Access) Act 1997 (ACT).1 There is also privacy legislation in place in New Zealand.2

The Australian Privacy Act regulates the collection, use and disclosure of ‘personal information’.

The Australian Privacy Principles apply to all private sector health service providers.

Under the Privacy Act, every private sector health care practitioner is required to have and make available a Privacy Policy setting out:

  • the kinds of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  • how an individual may complain about a breach of the Australian Privacy Principles or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients;
  • if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Overseas disclosure may be relevant, for example, if the practitioner stores information using a cloud-based provider that stores information outside of Australia and the cloud-based provider is able to access the data. Potential issues were clearly brought to light in 2014, when it was reported3 that Luxottica Retail Australia lost its $33.5 million contract with the Australian Defence Force because of data storage in China, in breach of their contract.

Each practitioner must take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.

In addition to privacy obligations, health care practitioners owe obligations of confidentiality to their patients.

In some circumstances the Privacy Act permits health information and other personal information to be used for medical research, and disclosed to the researchers involved, even in the absence of patient consent, provided that the researchers comply with the stated guidelines. The rationale for this rests on the public benefit that comes from research.

New Zealand takes a similar approach. It draws on privacy principles and the NZ Health Information Privacy Code 1994, which specifically mentions optometrists as being governed by it, as well as primary health organisations, district health boards, rest homes, supported accommodation, doctors, nurses, dentists, pharmacists and private health insurers, amongst others.4

Details of the Privacy Principles

The NZ Privacy Act 1993 (NZ) applies to both the public and private sector ‘agencies’ (with some stated exceptions) and has twelve information privacy principles (IPPs).5 Schedule 1 of the Australian Privacy Act contains the thirteen Australian Privacy Principles (APPs).6

Required Steps to Protect Patient Privacy

The first step is an analysis of what personal information is collected and held, how it is used and what the potential security risks are. This should include a review of which legal requirements and industry standards apply and how the practice’s existing information systems and policies compare. Relevant policies should cover the practices, procedures, monitoring and reporting of data security, and the management of complaints.

Coupled with these policies is the regular training of staff and designating accountability for the implementation, oversight and management of data breaches to a person or position within the practice.

It is also recommended to review options for technologies to enhance data security. These may include robust encryption and password protection, the protection of electronic and hard copy communications, access controls and intrusion detection.

Importantly, all of these steps should be regularly reviewed in light of new risks, the current and emerging standards of practice, and changes to compliance requirements.

Industry Codes and Guidelines Relating to Eye Care

Many medical professional organisations have guidelines relating to patient confidentiality and privacy, including in the emerging needs for electronic communications.

The Medical Board of Australia’s guideline, Good Medical Practice, A Code of Conduct for Doctors in Australia requires medical practitioners to ensure that their medical records are held securely and are not subject to unauthorised access (paragraph 8.4.2).

The Royal Australian and New Zealand College of Ophthalmologists’ (RANZCO) Professional Code of Conduct sets the policy framework on communication and electronic communications. It draws on the Codes of Conduct of Australia’s Medical Board, the Australian Health Practitioner Regulation Agency (AHPRA) and the New Zealand Medical Association, clearly outlining the obligations to protect patient privacy, keep adequate records and ensure continuity of care.

Under the RANZCO Code, in relation to record keeping, ophthalmologists are required to ensure that records documenting clinical assessment, decisions and plans for a patient are available. Ophthalmologists are required to:

  • maintain legible, contemporaneous patient records;
  • ensure that clinical notes are dated and that the author is identifiable;
  • ensure operation notes outline the procedure performed, including any specific problems encountered;
  • document a postoperative plan that includes treatment until the patient is next to be reviewed; and
  • comply with privacy legislation and ensure records are not subject to unauthorised access.

It is a breach of the Code to breach the confidentiality of the doctor-patient relationship by making records available to others not involved in the care of the patient, or without the patient’s permission (other than as may be required by law).

There are specific issues with email communications. In NZ, compliance requires robust processes to ensure that the storage, security and destruction of emails are adequately controlled.7

Industry Standards Specific to Optometrists

In Australia, the Optometry Board of Australia defines the requisite privacy protections and related standards of practice in its Code of Conduct.8 For optometrists in New Zealand, issues regarding privacy of information are determined by the code of ethics for optometrists as defined by the Optometrists and Dispensing Opticians Board.

Duty of Care in Relation to Medical Records and Referrals

In relation to communications between clinicians and patients, and communications between practitioners, clinicians have a number of legal duties. These centre around clearly informing patients of the importance of proposed management plans, following up on them and ensuring that the information communicated between health care providers is accurate. In more detail, practitioners’ duty of care can be summarised by the following:

(a) The law recognises that a medical practitioner has a duty to warn a patient of a material risk in the proposed treatment. A risk is material if, in the circumstances of the particular case, a reasonable person in the patient’s position, if warned of the risk, would be likely to attach significance to it, or if the medical practitioner was or should reasonably be aware that the particular patient, if warned of the risk, would be likely to attach significance to it.9 Therefore, if the patient has a serious medical condition, the medical practitioner should advise them of the seriousness of the situation and the importance of attending further referred tests, appointments, etc.

(b) There is a duty to ensure that the medical records are accurate. This includes ensuring that medical records communicated to other clinicians are accurate.10

(c) A medical practitioner has a duty of care to find out the outcome of a test he or she has requested. He or she must be sure to know of the test results and to offer appropriate treatment to the patient in light of the report.10

(d) There is also a duty of care to follow up a patient who does not return for further testing or consultation despite being asked to do so. There can be two types of negligence. Under the first scenario, an allegation can be made that the practitioner was negligent by failing to tell the patient to return within the appropriate timeframe regardless of their ongoing symptoms. Under the second, the practitioner fails if he or she has not created a robust follow-up system. However, the courts recognise that if a patient knows of the risks but makes his or her own decision not to undergo testing, then, provided that the practitioner can establish that they appropriately advised the patient of the risks, the practitioner will not be negligent.11

The standard required of a person practising a profession in Australia is that he or she must act in a manner that is widely accepted in Australia by peer professional opinion as competent professional practice at the time the service was provided. A person practising a profession (‘a professional’) does not incur a liability in negligence arising from the provision of a professional service if it is established that his or her behaviour conformed to that standard.12

What To Do in Case of a Data Breach

The Office of the Australian Information Commissioner offers a guide for managing data breaches of patient information.13 In New Zealand, the Office of the Privacy Commissioner provides a guide.14 In common are five key actions:

  1. Prevention: Take a proactive approach to data security and privacy protection
  2. Containment: Assess the events that led to the breach and whether you can retrieve or secure the data
  3. Evaluation: Assess the risks that could arise or have arisen from the breach, including the potential harm that could result and what could be done to minimise it
  4. Notification: Determine if you will contact affected parties, and, if so, how. Determine if you should contact the relevant privacy authority (the Office of the Australian Information Commissioner or the Office of the Privacy Commissioner in New Zealand)
  5. Future prevention: Identify what changes should be made in light of learning from this breach to prevent future issues and to better respond in case of a future breach

In neither country is it currently mandatory to notify affected individuals, though both countries have indicated intentions to change this. The current guidance is that it is considered good practice and highly recommended to communicate any breach that could harm affected individuals. The Australian Government passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 on 22 February 2017, which will commence within 12 months.

Under the amendments, if there are reasonable grounds to believe there has been an “eligible data breach”, a private sector optometry practice must prepare a notification statement that complies with the Act as soon as practicable after it becomes aware of the breach. “Eligible data breaches” include unauthorised access to, unauthorised disclosure of, or loss of, personal information that would be likely to result in serious harm to any of the individuals to whom the information relates.

All clinicians must review and update their privacy policies and procedures in preparation for mandatory data breach notification.

Further information on the mandatory data breach legislation is available in Holman Webb’s Health Law Update, May 2017: www.holmanwebb.com.au/blog/holman-webb-health-law-bulletin-may-2017

In both countries, the relevant privacy authorities have the power to investigate privacy complaints.

What Does the Future Hold?

Many optometrists have been early adopters of electronic health records. For example, in 2014, 70 per cent of Australian GPs reported using electronic medical records exclusively (i.e. they were paperless).15 The movement from sending letters and faxes, or handing papers to a patient, to electronic transmission has been slower across the health care systems.

The Royal Australian College of General Practitioners (RACGP) has noted that today the majority of medical communication is not conducted through secure electronic channels. Looking ahead, the RACGP and Optometry Australia have called for wider use of secure messaging, with all correspondence to be sent through secure electronic systems.16 They have called for the end of faxing within three years.

In 2016, the National e-Health Transition Authority (NEHTA) was replaced by the Australian Digital Health Agency (ADHA). In New Zealand, oversight of digital health was shifted to the Office of the Government Chief Information Officer.

Both Governments are encouraging system-wide solutions with an emphasis on interoperability, meaning that different software packages can seamlessly and securely transmit information. The ADHA has specifically called for solutions to include allied health professionals, specifically naming optometrists.

Does The Means of Communication Change the Privacy Requirements?

Privacy obligations apply regardless of the mode of communication. Practitioners’ privacy obligations equally apply to the use of new technologies.

The Office of the Australian Information Commissioner has stated that “email is not a secure form of communication and you should develop procedures to manage the transmission of personal information via email.”17

What Does this Mean in the Context of Collaborative Care?

RANZCO, the OBA and Optometry Australia have called for collaborative care as a clinical and health systems priority.

Quality communication is critical for collaborative eye care.

Best practice in collaborative care will require modern, secure and accurate communication between all those involved in patient eye care, including ophthalmologists, optometrists, GPs and hospital eye services and, in some cases, the patient themselves.

Clinical innovation and information technology offer significant advances in modern health care, improving both communication and patient outcomes.

The use of secure messaging and secure cloud-based technologies, which enable practitioners to store and send information securely, can assist practitioners with their duties of care. Such technologies create additional opportunities to better identify patients, manage their health information, track patient follow-up and clearly track patient attendances across health care providers, which can improve patient care and outcomes and decrease practitioners’ medico-legal risks.

Patients are demanding the best and latest technologies with appropriate privacy protection.

Additional Resources

In Australia

  • Australian Digital Health Agency, available at www.digitalhealth.gov.au
  • OAIC’s Resources for Health Services Practices, available at www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/health-service-providers/resources-for-health-service-providers

In New Zealand

  • Health Privacy Toolkit, available from www.privacy.org.nz/news-and-publications/guidance-resources/health-privacy-toolkit



Dr. Kate Taylor is the Chief Executive Officer, Oculo. Dr. Taylor initially trained in ophthalmology and was a Fulbright scholar to Johns Hopkins University. Leaving clinical medicine, she joined McKinsey & Company, working as a business management consultant. Kate has spent nearly two decades working on innovative health partnerships, from the World Economic Forum, the International AIDS Vaccine Initiative, and GlaxoSmithKline Biologicals. She is currently the CEO of Oculo, a cloud-based platform for eye care used by almost 1,200 optometrists and 400 ophthalmologists in Australia. She also serves as a clinical and technical adviser to the Australian Digital Health Agency.


Alison Choy Flannigan is a Partner of Health, Aged Care and Life Sciences, with Holman Webb Lawyers. She has over 20 years of corporate, commercial and regulatory experience with clients that include public and private hospital operators and health care providers, private health insurers, biotechnology, pharmaceutical and aged care / retirement living, not-for-profit and government clients. Ms. Choy Flannigan has been selected by her peers for inclusion on the Australian Best Lawyers list for Health and Aged Care every year since 2008.

1. Privacy Act 1988 (Commonwealth); My Health Records Act 2012 (Cth); Health Records (Privacy and Access) Act 1997 (ACT); Health Records and Information Privacy Act 2002 (NSW); and Health Records Act 2001 (Vic).
2. Privacy Act 1993 (NZ) www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html
3. www.news.com.au/national/luxottica-loses-contract-with-adf-after-sending-diggers-data-offshore/news-story/12ce2059969a116dcff308ce28293bf4
4. www.privacy.org.nz/the-privacy-act-and-codes/codes-of-practice/health-information-privacy-code/
5. www.privacy.org.nz/news-and-publications/guidance-resources/information-privacy-principles/
6. Privacy Act 1988 (Cth), see also www.oaic.gov.au/agencies-and-organisations/guides/australian-privacy-principles-and-national-privacy-principles-comparison-guide
7. www.privacy.org.nz/news-and-publications/guidance-resources/health-information-privacy-fact-sheet-5-storage-security-retention-and-disposal-of-health-information/
8. www.optometryboard.gov.au/Policies-Codes-Guidelines.aspx
9. Rogers v Whitaker (1992) CLR 479.
10. Kite v Malycha (1998) 71 SASR 321
11. Kite v Malycha (1998) 71 SASR 321; Grinham v Tabro Meats Pty Ltd & Anor; Victorian WorkCover Authority v Murray [2012] VSC 491
12. For example, Civil Liability Act 2002 (NSW), Section 50
13. www.oaic.gov.au/agencies-and-organisations/guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
14. Office of the Privacy Commissioner: privacy.org.nz/news-and-publications/guidance-resources/data-safety-toolkit/
15. Britt H, Miller GC, et al. General practice activity in Australia 2013–14. General practice series no. 36. Sydney: Sydney University Press, 2014. Available at: ses.library.usyd.edu.au/bitstream/2123/11882/4/9781743324226_ONLINE.pdf
16. Royal Australian College of General Practitioners. www.racgp.org.au/download/Documents/e-health/RACGP-position-statement-The-use-of-secure-electronic-communication-within-the-health-care-system.pdf
17. www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information

Optometry Australia Privacy Resources and Assistance

By Luke Arundel

Dr. Taylor’s comprehensive article outlines the important changes that have occurred in the areas of patient privacy and duty of care, which affect all practising optometrists. With an increasing shift to paperless practices and the introduction of heavy fines for non-compliance in this area, it is more important than ever to ensure that your practice has appropriate management strategies in place.

Optometry Australia can assist in this area with comprehensive resources to ensure you are up to date in complying with national and state legislation and protected in day to day practice.

Firstly, all members are provided with one of Australia’s most comprehensive professional indemnity policies, which covers actual or alleged breaches of confidentiality or privacy legislation, provided the act, error or omission by you is arising from the practice of your profession.

Useful Resources from Optometry Australia

Optometry Australia’s website (www.optometry.org.au/for-optometrists/professional-practice/privacy.aspx) contains a dedicated section including a simple checklist to assist you navigating the complex requirements involved with conforming to the Australian Privacy Principles (APPs).

Under the APPs, it is a mandatory requirement for an optometry practice to have a clearly expressed and up-to-date privacy policy describing how it manages personal information. Optometry Australia has developed a template privacy policy for practices to use.

A clinical practice guide has been developed which provides advice on the release of spectacle and contact lens prescriptions including what details should be included on the prescription and when you can and cannot charge for this.

A second clinical practice guide has also been developed to provide guidance around requests from patients to access health records. This includes mandated timelines to respond, charging fees for access, requests from police and other useful information.

Optometry Australia’s professional indemnity insurance section of the website (www.optometry.org.au/for-optometrists/professional-practice/professional-indemnity.aspx) delves deeper into risk management and some of the issues flagged in Dr. Taylor’s article, including patient follow-up, privacy and images on devices, and when family disputes complicate issues of privacy.

Personal assistance for breaches of privacy is available 24/7 through AVANT’s medico-legal hotline on (AUS) 1800 128 268 and during business hours from Professional Services Manager Luke Arundel on (AUS) 03 9668 8560.

Luke Arundel is a qualified optometrist and the National Professional Services Manager at Optometry Australia.


' Health information is included in ‘sensitive information’. As such, it requires a higher level of privacy protection than other personal information '