Tasmanian Bills Tasmanian Bills[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
TASMANIA
__________
PERSONAL INFORMATION PROTECTION
BILL 2004
__________
CONTENTS
PART 1 - PRELIMINARY
1. Short title
2. Commencement
3. Interpretation
4. Relationship of Act to other laws
5. Act binds Crown
PART 2 - APPLICATION AND EXEMPTIONS
Division 1 - Application
6. Application of personal information protection principles
Division 2 - Exemptions
7. Courts and tribunals
8. Public information
9. Law enforcement information
10. Employee information
11. Unsolicited information
12. Use of basic information
13. Application for exemptions
14. Determination of exemption
[Bill 52]-V
15. Revocation of exemption
PART 3 - PERSONAL INFORMATION PROTECTION
PRINCIPLES
16. Personal information protection principles
17. Compliance with personal information protection
principles
PART 4 - COMPLAINTS AND INVESTIGATIONS
18. Making of complaints
19. Preliminary assessment of complaints
20. Referral to other authorities
21. Dealing with complaints
22. Procedure on completion of investigation
PART 5 - MISCELLANEOUS
23. Regulations
24. Administration of Act
SCHEDULE 1 - PERSONAL INFORMATION
PROTECTION PRINCIPLES
2
PERSONAL INFORMATION PROTECTION
BILL 2004
(Brought in by the Minister for Justice and Industrial
Relations, the Honourable Judith Louise Jackson)
A BILL FOR
An Act to regulate the collection, maintenance, use
and disclosure of personal information relating to
individuals
Be it enacted by His Excellency the Governor of Tasmania,
by and with the advice and consent of the Legislative
Council and House of Assembly, in Parliament assembled,
as follows:
PART 1 - PRELIMINARY
Short title
1. This Act may be cited as the Personal Information
Protection Act 2004.
Commencement
2. This Act commences on a day to be proclaimed.
Interpretation
3. In this Act -
[Bill 52] 3
s. 3 No. Personal Information Protection 2004
"basic personal information" means the name,
residential address, postal address, date of
birth and gender of an individual;
"complaint" means a complaint made under Part 4;
"employee information" includes personal
information about an individual who is, was or
applies to be an employee relating to -
(a) the selection, employment, training,
discipline or resignation of the
individual; or
(b) the termination of the employment of
the individual; or
(c) the terms and conditions of employment
of the individual; or
(d) the performance or conduct of the
individual in carrying out the duties or
functions of employment; or
(e) the suitability of the individual for
appointment or for employment held by
the individual; or
(f) the hours of employment of the
individual; or
(g) the salary or wages of the individual; or
(h) the membership of the individual of a
professional association, trade
association or trade union; or
(i) the recreation leave, long service leave,
sick leave, personal leave, maternity
leave, paternity leave or other leave of
the individual; or
4
2004 Personal Information Protection No. s. 3
(j) information that supports employment
statistical reporting and personnel
planning; or
(k) information in relation to employees as
required by law;
"employment" includes appointment or
engagement to an office or position;
"health information" means -
(a) personal information or opinion about -
(i) the physical, mental or
psychological health at any time of
an individual; or
(ii) a disability at any time of an
individual; or
(iii) an individual's expressed wishes
about the future provision of
health services to him or her; or
(iv) a health service provided, or to be
provided, to an individual; or
(b) other personal information collected to
provide, or in providing, a health
service; or
(c) other personal information about an
individual collected in connection with
the donation, or intended donation, by
the individual of his or her body parts,
organs or body substances; or
(d) genetic information about an individual
that is or may be predictive of the health
5
s. 3 No. Personal Information Protection 2004
at any time of the individual or any of
his or her descendants -
other than prescribed information, a
prescribed class of information or information
contained in a prescribed class of documents;
"health service" means an activity, other than a
prescribed activity, performed in relation to an
individual that is intended or claimed by the
individual or the person performing it -
(a) to assess, maintain or improve the
individual's health; or
(b) to diagnose the individual's illness,
injury or disability; or
(c) to treat the individual's illness, injury or
disability or suspected illness, injury or
disability; or
(d) to dispense on prescription a drug or
medical preparation; or
(e) to provide a disability service, palliative
care service or aged care service; or
(f) to provide a prescribed service or a
prescribed class of service in conjunction
with any activity referred to in
paragraph (a), (b), (c), (d) or (e);
"identifier" means anything assigned by a personal
information custodian to identify an individual
for its operations, other than a name or ABN
number as defined in the A New Tax System
(Australian Business Number) Act 1999 of the
Commonwealth;
6
2004 Personal Information Protection No. s. 3
"law enforcement agency" means any of the
following:
(a) a police force or police service of -
(i) the Commonwealth; or
(ii) this State; or
(iii) any other State or a Territory of
the Commonwealth; or
(iv) any country;
(b) the Australian Crime Commission;
(c) a commission established or appointed
under any Act of this State or any other
State or a Territory of the
Commonwealth or of the Commonwealth
to investigate matters relating to
criminal activity generally or of a
specified class;
(d) a personal information custodian
responsible for the performance of
functions relating to -
(i) the prevention, detection,
investigation or prosecution of
criminal offences or other offences
that impose a penalty or sanction;
or
(ii) the management of property
seized or restrained under a law
relating to the confiscation of the
proceeds of crime or the
enforcement of such a law;
7
s. 3 No. Personal Information Protection 2004
(e) an agency established under the Public
Service Act 1999 of the Commonwealth
responsible for the performance of
functions relating to -
(i) the prevention, detection,
investigation or prosecution of
criminal offences or other offences
that impose a penalty or sanction;
or
(ii) the management of property
seized or restrained under a law
relating to the confiscation of the
proceeds of crime or the
enforcement of such a law;
(f) a personal information custodian or an
individual or body contracted by a
personal information custodian
responsible for the execution or
implementation of an order, decision or
determination of a court or tribunal;
(g) a personal information custodian -
(i) responsible for the issue of
warrants; or
(ii) that provides correctional services;
or
(iii) responsible for decisions relating
to the release of persons from
custody;
(h) a personal information custodian
responsible for the protection of public
revenue under any Act;
8
2004 Personal Information Protection No. s. 3
(i) a personal information custodian
responsible for the administration or
performance of a function under a law
that imposes a penalty or sanction;
(j) the Attorney-General;
(k) the Solicitor-General appointed and
holding office under the Solicitor-
General Act 1983;
(l) the Director of Public Prosecutions
appointed and holding office under the
Director of Public Prosecutions Act 1973;
(m) the Ombudsman;
(n) a prescribed organisation;
"law enforcement information" means
information referred to in section 28(1) of the
Freedom of Information Act 1991;
"Ombudsman" means the person appointed and
holding office under the Ombudsman Act
1978;
"personal information" means any information or
opinion in any recorded format about an
individual -
(a) whose identity is apparent or is
reasonably ascertainable from the
information or opinion; and
(b) who is alive or has not been dead for
more than 25 years;
"personal information contract" means a
contract between a personal information
custodian and another person (whether a
9
s. 3 No. Personal Information Protection 2004
personal information custodian or not)
relating to the collection, use or storage of
personal information;
"personal information custodian" means any of
the following:
(a) a public sector body;
(b) a council;
(c) the University of Tasmania;
(d) any body, organisation or person who
has entered into a personal information
contract relating to personal
information;
(e) a prescribed body;
"personal information protection principles"
means the personal information protection
principles referred to in section 16;
"public information" means any personal
information that is -
(a) contained in a publicly available record
or publication; or
(b) taken to be public information under
any Act;
"public sector body" means any of the following:
(a) an Agency as defined in the State
Service Act 2000;
(b) a statutory board;
(c) a holder of a statutory office;
10
2004 Personal Information Protection No. s. 3
(d) a Government Business Enterprise
under the Government Business
Enterprises Act 1995;
(e) a Minister;
(f) a body whose members, or a majority of
whose members, are appointed by the
Governor or a Minister;
(g) a prescribed body;
"record" means a record in any format;
"sensitive information" means -
(a) personal information or an opinion
relating to personal information about
an individual's -
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political
association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or
trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record; and
(b) health information about an individual.
11
s. 4 No. Personal Information Protection 2004
Relationship of Act to other laws
4. If a provision of this Act is inconsistent with a provision
made by or under any other Act -
(a) that other provision prevails; and
(b) the provision of this Act has no effect to the
extent of the inconsistency.
Act binds Crown
5. (1) This Act binds the Crown in right of Tasmania and,
so far as the legislative power of Parliament permits, in all
its other capacities.
(2) The Crown in any of its capacities is not liable to
be prosecuted for an offence under this Act.
12
2004 Personal Information Protection No. s. 6
PART 2 - APPLICATION AND EXEMPTIONS
Division 1 - Application
Application of personal information protection
principles
6. (1) Clauses 1, 7, 8 and 10 of Schedule 1 apply only in
relation to information collected after the commencement
of this Act.
(2) Clauses 2, 3, 4, 5, 6 and 9 of Schedule 1 apply in
relation to information collected before or after the
commencement of this Act.
Division 2 - Exemptions
Courts and tribunals
7. The following are exempt from the provisions of this
Act:
(a) a court or tribunal in the performance or
exercise of judicial or quasi-judicial functions
or powers;
(b) the holder of a judicial or quasi-judicial office
or other office pertaining to a court or tribunal
in the capacity of the holder of that office;
(c) the Solicitor-General appointed and holding
office under the Solicitor-General Act 1983;
(d) any person employed in relation to the
functions of the Solicitor-General;
13
s. 8 No. Personal Information Protection 2004
(e) the Director of Public Prosecutions appointed
and holding office under the Director of Public
Prosecutions Act 1973;
(f) any person employed in relation to the
functions of the Director of Public
Prosecutions;
(g) the registry or other office of a court or
tribunal in relation to any matter relating to
the judicial or quasi-judicial functions of that
court or tribunal;
(h) any person employed in such a registry or
other office in relation to any such matter.
Public information
8. This Act does not apply to public information.
Law enforcement information
9. Clauses 1(3), (4) and (5), 2(1), 5(3)(c), 7, 9 and 10(1)(a),
(b), (c) and (e) of Schedule 1 do not apply to any law
enforcement information kept or made by a law
enforcement agency if it considers that non-compliance is
reasonably necessary -
(a) for the purpose of any of its functions or
activities; or
(b) for the enforcement of laws relating to the
confiscation of the proceeds of crime; or
(c) in connection with the conduct of proceedings
in any court or tribunal.
14
2004 Personal Information Protection No. s. 10
Employee information
10. Clauses 1(4) and (5), 7 and 10 of Schedule 1 do not
apply to any employee information.
Unsolicited information
11. Clause 1 of Schedule 1 does not apply to unsolicited
information received by a personal information custodian.
Use of basic information
12. A personal information custodian may use or disclose
personal information about an individual for a purpose
other than the primary purpose of collection without the
individual's consent if -
(a) it is a public sector body; and
(b) the information is basic personal information;
and
(c) the use or disclosure is reasonably necessary
for the efficient storage and use of that
information; and
(d) the information is only used by, or disclosed to,
another public sector body.
Application for exemptions
13. (1) A personal information custodian may apply to the
Minister for an exemption from compliance with any or all
provisions of this Act.
(2) An application is to -
15
s. 14 No. Personal Information Protection 2004
(a) specify the provision or provisions to which the
application relates; and
(b) specify the information or class or classes of
information to which the application relates;
and
(c) specify the personal information custodian or
custodians or class or classes of personal
information custodians to which the
application applies; and
(d) specify the reasons for the exemption; and
(e) specify any public benefit involved; and
(f) specify any relevant law, code of practice or
other instrument under which it proposes to
operate; and
(g) include any other information the Minister
determines.
Determination of exemption
14. (1) The Minister may determine to -
(a) approve an application if satisfied that the
public benefit outweighs to a substantial
degree the public benefit from compliance with
the personal information protection principles;
or
(b) refuse to approve the application if not so
satisfied.
(2) The Minister may approve an application subject
to any conditions the Minister considers appropriate.
16
2004 Personal Information Protection No. s. 15
(3) The Minister is to publish the determination and
the details of the application in the Gazette.
Revocation of exemption
15. (1) The Minister may revoke a determination to
approve an application for an exemption -
(a) if satisfied that -
(i) the reasons for granting that exemption
no longer apply; or
(ii) section 14(1)(a) no longer applies; or
(b) at the request of the applicant.
(2) The Minister is to publish the details of a
revocation in the Gazette.
17
s. 16 No. Personal Information Protection 2004
PART 3 - PERSONAL INFORMATION
PROTECTION PRINCIPLES
Personal information protection principles
16. The personal information protection principles that
apply in Tasmania are those specified in Schedule 1.
Compliance with personal information protection
principles
17. (1) A personal information custodian must comply
with the personal information protection principles.
(2) Subsection (1) does not apply to anything done
by a personal information custodian before the second
anniversary of the commencement of this Act that is
necessary for the performance of a contract entered into by
the personal information custodian before the
commencement of this Act.
18
2004 Personal Information Protection No. s. 18
PART 4 - COMPLAINTS AND INVESTIGATIONS
Making of complaints
18. (1) A person may make a complaint to the
Ombudsman in relation to a matter referred to in
subsection (2) if the person -
(a) has raised the matter with the relevant
personal information custodian; and
(b) is not satisfied with the response from the
personal information custodian.
(2) A complaint may be made by a person in relation
to the alleged contravention by a personal information
custodian of a personal information protection principle
that applies to the person.
(3) A complaint may be in writing or verbal, but the
Ombudsman may require a verbal complaint to be put in
writing.
(4) The Ombudsman may -
(a) require information about a complaint to be
provided by the complainant in a particular
manner or form; and
(b) require a complaint to be verified by statutory
declaration.
(5) A complaint must be made within 6 months or
any further period the Ombudsman may allow from the
time the complainant first became aware of the matter
which is the subject of the complaint.
(6) A complainant may amend or withdraw a
complaint.
19
s. 19 No. Personal Information Protection 2004
Preliminary assessment of complaints
19. (1) The Ombudsman may conduct a preliminary
assessment of a complaint for the purpose of deciding
whether to deal with the complaint.
(2) The Ombudsman may decide not to deal with a
complaint if satisfied that -
(a) the complaint is frivolous, vexatious, lacking
in substance or is not in good faith; or
(b) the subject matter of the complaint is trivial;
or
(c) the subject matter of the complaint relates to a
matter permitted or required under any law.
(3) If the Ombudsman declines to deal with a
complaint, the Ombudsman is to advise the complainant of
the reasons for so declining.
Referral to other authorities
20. (1) The Ombudsman, subject to subsection (3), may
refer a complaint for investigation or other action to any
person, body or authority the Ombudsman considers
appropriate in the circumstances.
(2) The Ombudsman may only refer a complaint -
(a) after appropriate consultation with the
complainant and the relevant person, body or
authority; and
(b) after taking their views into consideration.
(3) The Ombudsman may refer a complaint relating
to a matter arising under the State Service Act 2000 to the
State Service Commissioner.
20
2004 Personal Information Protection No. s. 21
Dealing with complaints
21. (1) If the Ombudsman decides to deal with a
complaint, the Ombudsman is to conduct any
investigations in relation to the complaint in accordance
with Division 3 of Part III of the Ombudsman Act 1978.
(2) The Ombudsman may conduct an investigation
into any general issue or matter under this Act.
Procedure on completion of investigation
22. (1) If, on completion of an investigation of a
complaint, the Ombudsman is of the opinion that a
personal information custodian has contravened a
personal information protection principle, the
Ombudsman -
(a) is to advise the complainant and the personal
information custodian in writing of that
opinion and the reasons on which it is based;
and
(b) may make any recommendations the
Ombudsman considers appropriate in relation
to the subject matter of the complaint.
(2) The Ombudsman is to give the Minister a copy of
the advice and any recommendations.
(3) The Minister is to table the advice and any
recommendations in both Houses of Parliament within 5
sitting days of its receipt.
21
s. 23 No. Personal Information Protection 2004
PART 5 - MISCELLANEOUS
Regulations
23. The Governor may make regulations for the purpose
of this Act.
Administration of Act
24. Until provision is made in relation to this Act by order
under section 4 of the Administrative Arrangements Act
1990 -
(a) the administration of this Act is assigned to
the Minister for Justice and Industrial
Relations; and
(b) the department responsible to that Minister in
relation to the administration of this Act is the
Department of Justice.
22
2004 Personal Information Protection No. sch. 1
SCHEDULE 1 - PERSONAL INFORMATION
PROTECTION PRINCIPLES
Sections 6, 9, 10, 11 and 16
Collection
1. (1) A personal information custodian must not collect
personal information unless the information is necessary
for one or more of its functions or activities.
(2) A personal information custodian must collect
personal information only by lawful means.
(3) Before collection, during collection or as soon as
practicable after collection of personal information about
an individual from the individual, the personal
information custodian must take any reasonable steps
necessary to ensure that the individual is aware of the
following:
(a) its identity and how to contact it;
(b) the individual's right of access to the
information;
(c) the purposes for which the information is
collected;
(d) the intended recipients or class of recipients of
the information;
(e) any law that requires the information to be
collected;
(f) the main consequences for the individual if all
or part of the information is not provided.
(4) If it is reasonable and practicable to do so, a
personal information custodian must collect personal
information about an individual only from that individual.
23
sch. 1 No. Personal Information Protection 2004
(5) If a personal information custodian collects
personal information about an individual from someone
else, it must take reasonable steps to ensure that the
individual is made aware of the matters referred to in
subclause (3) unless doing so would pose a serious threat
to the life, safety, health or welfare of any individual.
Use and disclosure
2. (1) A personal information custodian must not use or
disclose personal information about an individual for a
purpose other than the purpose for which it was collected
unless -
(a) both of the following apply:
(i) that purpose is related to the primary
purpose and, if the personal information
is sensitive information, that
information is directly related to the
primary purpose;
(ii) the individual would reasonably expect
the personal information custodian to
use or disclose the information for that
purpose; or
(b) the individual has consented to the use or
disclosure; or
(c) if the use or disclosure is necessary for
research or the compilation or analysis of
statistics in the public interest, other than for
publication in a form that identifies any
particular individual -
(i) it is impracticable for the personal
information custodian to seek the
24
2004 Personal Information Protection No. sch. 1
individual's consent before the use or
disclosure; or
(ii) the personal information custodian
reasonably believes that the recipient of
the information is not likely to disclose
the information; or
(d) the personal information custodian reasonably
believes that the use or disclosure is necessary
to lessen or prevent -
(i) a serious threat to an individual's life,
health, safety or welfare; or
(ii) a serious threat to public health or
public safety; or
(e) the personal information custodian has reason
to suspect that unlawful activity has been, is
being or may be engaged in, and uses or
discloses the personal information as a
necessary part of its investigation of the
matter or in reporting its concerns to relevant
persons or authorities; or
(f) the use or disclosure is required or authorised
by or under law; or
(g) the personal information custodian reasonably
believes that the use or disclosure is
reasonably necessary for any of the following
purposes by or on behalf of a law enforcement
agency:
(i) the prevention, detection, investigation,
prosecution or punishment of criminal
offences or breaches of a law imposing a
penalty or sanction;
25
sch. 1 No. Personal Information Protection 2004
(ii) the enforcement of laws relating to the
confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation
or remedying of conduct that is in the
opinion of the personal information
custodian seriously improper conduct;
(v) the preparation for, or conduct of,
proceedings before any court or tribunal
or implementation of any order of a
court or tribunal;
(vi) the investigation of missing persons;
(vii) the investigation of a matter under the
Coroners Act 1995; or
(h) the Australian Security Intelligence
Organisation (ASIO) or the Australian Secret
Intelligence Service (ASIS), in connection with
its functions, has requested the personal
information custodian to disclose the personal
information and -
(i) the disclosure is made to an officer or
employee of ASIO or ASIS appropriately
authorised in writing to receive the
disclosure; and
(ii) an officer or employee of ASIO or ASIS
so authorised certifies that the
disclosure is connected with the
performance by ASIO or ASIS of its
functions; or
(i) the personal information is to be used as
employee information in relation to -
26
2004 Personal Information Protection No. sch. 1
(i) the suitability of the individual for
appointment; or
(ii) the suitability of the individual for
employment held by the individual; or
(j) the personal information is employee
information which is being transferred from
one personal information custodian to another
personal information custodian for use as
employee information relating to the
individual; or
(k) subclause (4) or section 12 applies.
(2) If a personal information custodian uses or
discloses personal information under subclause (1)(g), it
must make a written note of the use or disclosure.
(3) Subclause (1) applies to personal information
collected by a personal information custodian that is a
body corporate from a related body corporate as if the
primary purpose of that collection were the primary
purpose for which the related body corporate collected the
information.
(4) A personal information custodian that provides a
health service to an individual may disclose health
information about the individual to a person who is
responsible for the individual if -
(a) the individual is -
(i) physically or legally incapable of giving
consent to the disclosure; or
(ii) physically unable to communicate
consent to the disclosure; and
27
sch. 1 No. Personal Information Protection 2004
(b) the natural person providing the health
service for the personal information custodian
is satisfied that the disclosure -
(i) is necessary to provide appropriate care
or treatment of the individual; or
(ii) is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish -
(i) expressed by the individual before the
individual became unable to give or
communicate consent; and
(ii) of which the natural person is aware, or
of which he or she could reasonably be
expected to be aware; and
(d) the disclosure is limited to the extent
reasonable and necessary for the purpose
mentioned in paragraph (b).
(5) A person is responsible for an individual if the
person -
(a) is a parent of the individual; or
(b) is a child or sibling of the individual and at
least 18 years of age; or
(c) is a spouse of the individual; or
(d) is in a personal relationship, within the
meaning of the Relationships Act 2003, with
the individual; or
(e) is a relative of the individual, at least 18 years
of age and a member of the individual's
household; or
(f) is a guardian of the individual; or
28
2004 Personal Information Protection No. sch. 1
(g) is exercising enduring power of attorney
granted by the individual that is exercisable in
relation to decisions about the individual's
health; or
(h) is nominated by the individual to be contacted
in case of emergency.
Data quality
3. A personal information custodian must take reasonable
steps to ensure that, having regard to the purpose for
which the personal information is to be used, the personal
information it collects, uses, holds or discloses is accurate,
complete, up-to-date and relevant to its functions or
activities.
Data security
4. (1) A personal information custodian must take
reasonable steps to protect the personal information it
holds from misuse, loss, unauthorised access, modification
or disclosure.
(2) A personal information custodian must take
reasonable steps to destroy or permanently de-identify
personal information if it is no longer needed for any
purpose.
(3) A personal information custodian, the records of
which are subject to the Archives Act 1983, must take the
reasonable steps referred to in subclause (2) only with the
approval of the State Archivist.
29
sch. 1 No. Personal Information Protection 2004
Openness
5. (1) A personal information custodian must clearly set
out in a document its policies on its management of
personal information.
(2) A personal information custodian must make the
document available to anyone who asks for it.
(3) On request by a person, a personal information
custodian must take reasonable steps to advise the person,
in general terms, of -
(a) the sort of personal information it holds; and
(b) the purposes for which it holds the
information; and
(c) how it collects, holds, uses and discloses that
information.
Access and correction
6. (1) If a personal information custodian holds personal
information about an individual, it must provide the
individual with access to the information in accordance
with Parts 2 and 3 of the Freedom of Information Act 1991,
as if it were subject to that Act, and as if a reference to an
agency or Minister in that Act were a reference to a
personal information custodian.
(2) An individual may request amendment of his or
her personal information in accordance with Part 4 of the
Freedom of Information Act 1991 if that information is
incorrect, incomplete, out of date or misleading, whether
or not the personal information custodian is subject to that
Act, as if a reference to an agency or Minister in that Act
were a reference to a personal information custodian.
30
2004 Personal Information Protection No. sch. 1
Unique identifiers
7. (1) A personal information custodian must not assign a
unique identifier to an individual unless it is necessary for
it to carry out any of its functions efficiently.
(2) A personal information custodian must not adopt
as its own unique identifier of an individual a unique
identifier that has been assigned to the individual by
another personal information custodian unless -
(a) that adoption is necessary for it to carry out
any of its functions efficiently; or
(b) it has obtained the consent of the individual to
the use of the unique identifier; or
(c) it is a body, an organisation or an individual
adopting the unique identifier created by a
personal information custodian in the
performance of its obligations to the personal
information custodian under a personal
information contract.
(3) A personal information custodian must not use
or disclose a unique identifier assigned to an individual by
another personal information custodian unless -
(a) the use or disclosure is necessary for it to fulfil
its obligations to the other personal
information custodian; or
(b) clause 2(1) applies.
(4) A personal information custodian must not
require an individual to provide a unique identifier in
order to obtain a service unless the provision -
(a) is required or authorised by law; or
31
sch. 1 No. Personal Information Protection 2004
(b) is in connection with the purpose, or a directly
related purpose, for which the unique
identifier was assigned.
Anonymity
8. Wherever it is lawful and practicable, individuals must
have the option of not identifying themselves when
entering transactions with a personal information
custodian.
Disclosure of information outside Tasmania
9. A personal information custodian may disclose personal
information about an individual to another person or other
body who is outside Tasmania only if -
(a) the personal information custodian reasonably
believes that the recipient of the information
is subject to a law, binding scheme or contract
that has principles for fair handling of the
information that are substantially similar to
the personal information protection principles;
or
(b) the individual consents to the disclosure; or
(c) the disclosure is necessary for -
(i) the performance of a contract between
the individual and the personal
information custodian; or
(ii) the conclusion or performance of a
contract concluded in the interest of the
individual between the personal
information custodian and a third party;
or
32
2004 Personal Information Protection No. sch. 1
(d) the personal information custodian has taken
reasonable steps to ensure that the
information which it has disclosed is not to be
held, used or disclosed by the recipient of the
information inconsistently with the personal
information protection principles; or
(e) the disclosure is authorised or required by any
other law.
Sensitive information
10. (1) A personal information custodian must not collect
sensitive information about an individual unless -
(a) the individual has consented; or
(b) the collection is required or permitted by law;
or
(c) the collection is necessary to prevent or lessen
a serious and imminent threat to the life or
health of any individual and the individual to
whom the information relates -
(i) is physically or legally incapable of
giving consent to the collection; or
(ii) physically cannot communicate consent
to the collection; or
(iii) is subject to a guardianship order under
the Guardianship and Administration
Act 1995 or the Mental Health Act 1996;
or
(d) the information is collected in the course of the
activities of a non-profit personal information
custodian that has only racial, ethnic,
33
sch. 1 No. Personal Information Protection 2004
political, religious, philosophical, professional,
trade or trade union aims and -
(i) the information relates solely to the
members of that personal information
custodian or to individuals who have
regular contact with it in connection
with its activities; and
(ii) at or before the time of collection, the
personal information custodian
undertakes to the individual to whom
the information relates that it will not
disclose the information without the
individual's consent; or
(e) the collection is necessary for the
establishment, exercise or defence of a legal or
equitable claim; or
(f) subclause (2), (3), (4) or (6) applies.
(2) A personal information custodian may collect
sensitive information about an individual if -
(a) either of the following applies:
(i) the collection is necessary for research
or the compilation or analysis of
statistics in the public interest and any
resulting publication does not identify
the individual;
(ii) the information relates to an
individual's racial or ethnic origin and is
collected for the purpose of welfare or
educational services funded by
government; and
34
2004 Personal Information Protection No. sch. 1
(b) there is no reasonably practicable alternative
to collecting the information for a purpose
referred to in paragraph (a); and
(c) it is impracticable for the personal information
custodian to seek the individual's consent to
the collection.
(3) A personal information custodian may collect
sensitive information that is health information about an
individual if -
(a) the information is necessary to provide a
health service to the individual; and
(b) the information is collected -
(i) as required by law, other than this Act;
or
(ii) in accordance with rules established by
competent health or medical bodies that
deal with obligations of professional
confidentiality which bind the personal
information custodian.
(4) A personal information custodian may collect
sensitive information that is health information about an
individual if -
(a) the collection is necessary for any of the
following purposes:
(i) research relevant to public health or
public safety;
(ii) the compilation or analysis of statistics
relevant to public health or public
safety;
35
sch. 1 No. Personal Information Protection 2004
(iii) the management, funding or monitoring
of a health service; and
(b) that purpose cannot be served by the collection
of information that does not identify the
individual or from which the individual's
identity cannot reasonably be ascertained; and
(c) it is impracticable for the personal information
custodian to seek the individual's consent to
the collection; and
(d) the information is collected -
(i) as required by law, other than this Act;
or
(ii) in accordance with rules established by
competent health or medical bodies that
deal with obligations of professional
confidentiality which bind the personal
information custodian.
(5) If a personal information custodian collects
sensitive information that is health information about an
individual in accordance with subclause (4), it must take
reasonable steps to permanently de-identify the
information before disclosing it.
(6) A personal information custodian may collect
sensitive information that is health information from an
individual about another person without the consent of
that other person if both the following apply:
(a) the collection is necessary for the provision of
any health service provided to the individual;
(b) the information is relevant to the social or
family history of the individual.
36 Government Printer, Tasmania