Victorian Current Acts


HEALTH RECORDS ACT 2001 - SCHEDULE 1

Schedule 1—The Health Privacy Principles

Section 19

        1     Principle 1—Collection

    When health information may be collected

    1.1     An organisation must not collect health information about an individual unless the information is necessary for one or more of its functions or activities and at least one of the following applies—

        (a)     the individual has consented;

        (b)     the collection is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law);

        (c)     the information is necessary to provide a health service to the individual and the individual is incapable of giving consent within the meaning of section 85(3) and—

              (i)     it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or

              (ii)     the individual does not have such an authorised representative;

        (d)     the information is disclosed to the organisation in accordance with HPP 2.2(a), (f), (i) or (l) or HPP 2.5;

        (e)     if the collection is necessary for research, or the compilation or analysis of statistics, in the public interest—

              (i)     that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

              (ii)     it is impracticable for the organisation to seek the individual's consent to the collection; and

Sch. 1 cl. 1.1(e)(iii) amended by No. 22/2016 s. 232(a).

              (iii)     the information is collected in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph;

Sch. 1 cl. 1.1(f) amended by No. 22/2016 s. 232(b).

        (f)     the collection is necessary to prevent or lessen—

Sch. 1 cl. 1.1(f)(i) amended by No. 23/2017 s. 19(1).

              (i)     a serious threat to the life, health, safety or welfare of any individual; or

              (ii)     a serious threat to public health, public safety or public welfare—

and the information is collected in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph;

        (g)     the collection is by or on behalf of a law enforcement agency and the organisation reasonably believes that the collection is necessary for a law enforcement function;

        (h)     the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;

        (i)     the collection is in the prescribed circumstances.

    How health information is to be collected

    1.2     An organisation must collect health information only by lawful and fair means and not in an unreasonably intrusive way.

    1.3     If it is reasonable and practicable to do so, an organisation must collect health information about an individual only from that individual.

    1.4     At or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects health information about an individual from the individual, the organisation must take steps that are reasonable in the circumstances to ensure that the individual is generally aware of—

        (a)     the identity of the organisation and how to contact it; and

        (b)     the fact that he or she is able to gain access to the information; and

        (c)     the purposes for which the information is collected; and

        (d)     to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and

        (e)     any law that requires the particular information to be collected; and

        (f)     the main consequences (if any) for the individual if all or part of the information is not provided.

    1.5     If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence [7].

    1.6     An organisation is not required to notify the individual of the identity of persons, or classes of persons, to whom health information may be disclosed in accordance with HPP 2.2(f).

    Information given in confidence [8]

    1.7     If personal information is given in confidence to a health service provider about an individual by a person other than—

        (a)     the individual; or

        (b)     a health service provider in the course of, or otherwise in relation to, the provision of health services to the individual

with a request that the information not be communicated to the individual to whom it relates, the provider must—

        (c)     confirm with the person that the information is to remain confidential; and

        (d)     if the information remains confidential—

              (i)     record the information only if it is relevant to the provision of health services to, or the care of, the individual; and

              (ii)     take reasonable steps to ensure that the information is accurate and not misleading; and

        (e)     take reasonable steps to record that the information is given in confidence and is to remain confidential.

        2     Principle 2—Use and Disclosure [9]

    2.1     An organisation may use or disclose health information about an individual for the primary purpose for which the information was collected in accordance with HPP 1.1.

    2.2     An organisation must not use or disclose health information about an individual for a purpose (the secondary purpose) other than the primary purpose for which the information was collected unless at least one of the following paragraphs applies [10]

        (a)     both of the following apply—

              (i)     the secondary purpose is directly related to the primary purpose; and

              (ii)     the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

        (b)     the individual has consented to the use or disclosure; or

        (c)     the use or disclosure is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law); or

        (d)     all of the following apply—

              (i)     the organisation is a health service provider providing a health service to the individual; and

              (ii)     the use or disclosure for the secondary purpose is reasonably necessary for the provision of the health service; and

              (iii)     the individual is incapable of giving consent within the meaning of section 85(3) and—

                    (A)     it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or

                    (B)     the individual does not have such an authorised representative; or

        (e)     all of the following apply—

              (i)     the organisation is a health service provider providing a health service to the individual; and

              (ii)     the use is for the purpose of the provision of further health services to the individual by the organisation; and

              (iii)     the organisation reasonably believes that the use is necessary to ensure that the further health services are provided safely and effectively; and

Sch. 1 cl. 2.2(e)(iv) amended by No. 22/2016 s. 232(c).

              (iv)     the information is used in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or

        (f)     the use or disclosure is for the purpose of—

              (i)     funding, management, planning, monitoring, improvement or evaluation of health services; or

              (ii)     training provided by a health service provider to employees or persons working with the organisation

and—

              (iii)     that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the individual's consent to the use or disclosure; or

              (iv)     reasonable steps are taken to de‑identify the information—

and—

              (v)     if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication; and

Sch. 1 cl. 2.2(f)(vi) amended by No. 22/2016 s. 232(d).

              (vi)     the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph; or

        (g)     if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest—

              (i)     it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and

              (ii)     that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

Sch. 1 cl. 2.2(g)(iii) amended by No. 22/2016 s. 232(e).

              (iii)     the use or disclosure is in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph; and

              (iv)     in the case of disclosure—

                    (A)     the organisation reasonably believes that the recipient of the health information will not disclose the health information; and

                    (B)     the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained; or

Sch. 1 cl. 2.2(h) amended by No. 22/2016 s. 232(f).

        (h)     the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—

Sch. 1 cl. 2.2(h)(i) amended by No. 23/2017 s. 19(2).

              (i)     a serious threat to an individual's life, health, safety or welfare; or

              (ii)     a serious threat to public health, public safety or public welfare—

and the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or

Sch. 1 cl. 2.2(i) amended by No. 22/2016 s. 232(g).

        (i)     [11] the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities and, if the organisation is a registered health practitioner, the use or disclosure would not be a breach of confidence; or

Sch. 1 cl. 2.2(j) amended by No. 22/2016 s. 232(h).

        (j)     [12] the organisation reasonably believes that the use or disclosure is reasonably necessary for a law enforcement function by or on behalf of a law enforcement agency and, if the organisation is a registered health practitioner, the use or disclosure would not be a breach of confidence; or

        (k)     the use or disclosure is necessary for the establishment, exercise or defence of a legal or equitable claim; or

        (l)     the use or disclosure is in the prescribed circumstances.

Note

Nothing in HPP 2 requires an organisation to disclose health information about an individual. An organisation is always entitled not to disclose health information in the absence of a legal obligation to disclose it.

    2.3     If an organisation discloses health information under paragraph (i) or (j) of HPP 2.2, it must make a written note of the disclosure.

    2.4     Despite HPP 2.2, a health service provider may disclose health information about an individual to an immediate family member of the individual if—

        (a)     either—

              (i)     the disclosure is necessary to provide appropriate health services to or care of the individual; or

              (ii)     the disclosure is made for compassionate reasons; and

        (b)     the disclosure is limited to the extent reasonable and necessary for the purposes mentioned in paragraph (a); and

        (c)     the individual is incapable of giving consent to the disclosure within the meaning of section 85(3); and

        (d)     the disclosure is not contrary to any wish—

              (i)     expressed by the individual before the individual became incapable of giving consent and not changed or withdrawn by the individual before then; and

              (ii)     of which the organisation is aware or could be made aware by taking reasonable steps; and

        (e)     in the case of an immediate family member who is under the age of 18 years, considering the circumstances of the disclosure, the immediate family member has sufficient maturity to receive the information.

    2.5     Despite HPP 2.2, an organisation may use or disclose health information about an individual where—

        (a)     it is known or suspected that the individual is dead; or

        (b)     it is known or suspected that the individual is missing; or

        (c)     the individual has been involved in an accident or other misadventure and is incapable of consenting to the use or disclosure—

and the use or disclosure is to the extent reasonably necessary—

        (d)     to identify the individual; or

        (e)     to ascertain the identity and location of an immediate family member or other relative of the individual for the purpose of—

Sch. 1 cl. 2.5(e)(i) amended by No. 37/2014 s. 10(Sch. item 77.4).

              (i)     enabling a police officer, a coroner or other prescribed organisation to contact the immediate family member or other relative for compassionate reasons; or

              (ii)     to assist in the identification of the individual

and, in the circumstances referred to in paragraph (b) or (c)—

        (f)     the use or disclosure is not contrary to any wish—

              (i)     expressed by the individual before he or she went missing or became incapable of consenting and not withdrawn by the individual; and

              (ii)     of which the organisation is aware or could have become aware by taking reasonable steps; and

Sch. 1 cl. 2.5(g) amended by No. 22/2016 s. 232(i).

        (g)     the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph.

        3     Principle 3—Data Quality

    3.1     An organisation must take steps that are reasonable in the circumstances to make sure that, having regard to the purpose for which the information is to be used, the health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.

        4     Principle 4—Data Security and Data Retention

    4.1     An organisation must take reasonable steps to protect the health information it holds from misuse and loss and from unauthorised access, modification or disclosure.

    4.2     A health service provider must not delete health information relating to an individual, even if it is later found or claimed to be inaccurate, unless—

        (a)     the deletion is permitted, authorised or required by the regulations or any other law; or

        (b)     the deletion is not contrary to the regulations or any other law and occurs—

              (i)     in the case of health information collected while the individual was a child, after the individual attains the age of 25 years; or

              (ii)     in any case, more than 7 years after the last occasion on which a health service was provided to the individual by the provider—

whichever is the later.

    4.3     A health service provider who deletes health information in accordance with HPP 4.2 must make a written note of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted.

    4.4     A health service provider who transfers health information to another individual or organisation and does not continue to hold a record of that information must make a written note of the name and address of the individual or organisation to whom it was transferred.

    4.5     An organisation other than a health service provider must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for the purpose for which it was collected or any other purpose authorised by this Act, the regulations made under this Act or any other law.

        5     Principle 5—Openness

    5.1     An organisation must set out in a document—

        (a)     clearly expressed policies on its management of health information; and

        (b)     the steps that an individual must take in order to obtain access to their health information.

The organisation must make the document available to anyone who asks for it.

    5.2     On request by an individual, an organisation must take reasonable steps—

        (a)     to let the individual know—

              (i)     whether the organisation holds health information relating to the individual; and

              (ii)     the steps that the individual should take if the individual wishes to obtain access to the information; and

        (b)     if the organisation holds health information relating to the individual, to let the individual know in general terms—

              (i)     the nature of the information; and

              (ii)     the purposes for which the information is used; and

              (iii)     how the organisation collects, holds, uses and discloses the information.

        6     Principle 6—Access and Correction

    Access [13]

    6.1     If an organisation holds health information about an individual, it must provide the individual with access to the information on request by the individual in accordance with Part 5, unless—

Sch. 1 cl. 6.1(a) amended by No. 22/2016 s. 232(j).

        (a)     providing access would pose a serious threat to the life or health of any person under section 26 and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or

Sch. 1 cl. 6.1(b) amended by No. 22/2016 s. 232(k).

        (b)     providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or

Sch. 1 cl. 6.1(c) amended by No. 69/2009 s. 54(Sch. Pt 1 item 29.3).

        (c)     the information relates to existing legal proceedings between the organisation and the individual and the information would not be accessible by the process of discovery in those proceedings [14] or is subject to legal professional privilege or client legal privilege; or

        (d)     providing access would reveal the intentions of the organisation in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the organisation unreasonably to disadvantage; or

        (e)     the information is subject to confidentiality under section 27; or

        (f)     providing access would be unlawful; or

        (g)     denying access is required or authorised by or under law; or

        (h)     providing access would be likely to prejudice an investigation of possible unlawful activity; or

        (i)     providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency; or

        (j)     a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia; or

        (k)     the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or

        (l)     the individual has been provided with access to the health information in accordance with Part 5 and is making an unreasonable, repeated request for access to the same information in the same way.

    6.2     However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than access to the information.

Note

An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where HPP 6.2 does not apply.

    6.3     If access is refused on the ground that it would pose a serious threat to the life or health of the individual, the procedure in Division 3 of Part 5 applies.

    6.4     Without limiting sections 26 and 27, nothing in this Principle compels an organisation to refuse to provide an individual with access to his or her health information.

    Correction

    6.5     [15] If an organisation holds health information about an individual and the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date but must not delete the information otherwise than in accordance with HPP 4.2.

    6.6     If—

        (a)     the organisation is not willing to correct the health information in accordance with a request by the individual; and

        (b)     no decision or recommendation to the effect that the information should be corrected wholly or partly in accordance with the request, is pending or has been made under this Act or any other law; and

        (c)     the individual gives to the organisation a written statement concerning the requested correction

the organisation must take reasonable steps to associate the statement with the information.

    6.7     If the organisation accepts the need to correct the health information but—

        (a)     the organisation considers it likely that leaving incorrect information, even if corrected, could cause harm to the individual or result in inappropriate health services or care being provided; or

        (b)     the form in which the health information is held makes correction impossible; or

        (c)     the corrections required are sufficiently complex or numerous for a real possibility of confusion or error to arise in relation to interpreting or reading the record if it were to be so corrected

the organisation must place the incorrect information on a record which is not generally available to anyone involved in providing health services to the individual, and to which access is restricted, and take reasonable steps to ensure that only the corrected information is generally available to anyone who may provide health services to the individual.

    6.8     If an organisation corrects health information about an individual, it must—

        (a)     if practicable, record with the correction the name of the person who made the correction and the date on which the correction is made; and

        (b)     take reasonable steps to notify any health service providers to whom the organisation disclosed the health information before its correction and who may reasonably be expected to rely on that information in the future.

    6.9     If an individual requests an organisation to correct health information about the individual, the organisation must take reasonable steps to notify the individual of a decision on the request as soon as practicable but in any case not later than 30 days after the request is received by the organisation.

    Written reasons

    6.10     An organisation must provide written reasons for refusal of access [16] or a refusal to correct health information.

        7     Principle 7—Identifiers

    7.1     An organisation may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently.

    7.2     Subject to HPP 7.4, a private sector organisation may only adopt as its own identifier of an individual an identifier of an individual that has been assigned by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if—

        (a)     the individual has consented to the adoption of the same identifier; or

        (b)     the use or disclosure of the identifier is required or authorised by or under law.

    7.3     Subject to HPP 7.4, a private sector organisation may only use or disclose an identifier assigned to an individual by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if—

        (a)     the use or disclosure is required for the purpose for which it was assigned or for a secondary purpose referred to in one or more of paragraphs (c) to (l) of HPP 2.2; or

        (b)     the individual has consented to the use or disclosure; or

        (c)     the disclosure is to the public sector organisation which assigned the identifier to enable the public sector organisation to identify the individual for its own purposes.

    7.4     If the use or disclosure of an identifier assigned to an individual by a public sector organisation is necessary for a private sector organisation to fulfil its obligations to, or requirements of, the public sector organisation, a private sector organisation may either—

        (a)     adopt as its own identifier of an individual an identifier of the individual that has been assigned by the public sector organisation; or

        (b)     use or disclose an identifier of the individual that has been assigned by the public sector organisation.

        8     Principle 8—Anonymity

    8.1     Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

        9     Principle 9—Transborder Data Flows

    9.1     An organisation may transfer health information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if—

        (a)     the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles; or

        (b)     the individual consents to the transfer; or

        (c)     the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or

        (d)     the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

        (e)     all of the following apply—

              (i)     the transfer is for the benefit of the individual;

              (ii)     it is impracticable to obtain the consent of the individual to that transfer;

              (iii)     if it were practicable to obtain that consent, the individual would be likely to give it; or

        (f)     the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles; or

        (g)     the transfer is authorised or required by any other law.

        10     Principle 10—Transfer or closure of the practice of a health service provider

    10.1     This Principle applies if the practice or business of a health service provider (the provider) is to be—

        (a)     sold or otherwise transferred and the provider will not be providing health services in the new practice or business; or

        (b)     closed down.

    10.2     The provider or, if the provider is deceased, the legal representatives of the provider, must—

        (a)     publish a notice in a newspaper circulating in the locality of the practice or business stating—

              (i)     that the practice or business has been, or is about to be, sold, transferred or closed down, as the case may be; and

              (ii)     the manner in which the provider proposes to deal with the health information held by the practice or business about individuals who have received health services from the provider, including whether the provider proposes to retain the information or make it available for transfer to those individuals or their health service providers; and

Sch. 1 cl. 10.2(b) amended by No. 22/2016 s. 232(l).

        (b)     take any other steps to notify individuals who have received a health service from the provider in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph.

    10.3     Not earlier than 21 days after giving notice in accordance with HPP 10.2, the person giving the notice must, in relation to health information about an individual held by, or on behalf of, the practice or business, elect to retain that information or transfer it to—

        (a)     the health service provider, if any, who takes over the practice or business; or

        (b)     the individual or a health service provider nominated by him or her.

    10.4     A person who elects to retain health information must continue to hold it or transfer it to a competent organisation for safe storage in Victoria, until the time, if any, when the health information is destroyed in accordance with HPP 4.

    10.5     Subject to HPP 10.2, a person must comply with the requirements of this Principle as soon as practicable.

    10.6     Despite any other provision of the Health Privacy Principles, a person who transfers health information in accordance with this Principle does not, by so doing, contravene the Health Privacy Principles.

    10.7     If—

        (a)     an individual, in response to a notice published under HPP 10.2, requests that health information be transferred to him or her or to a health service provider nominated by him or her; and

        (b)     the person who published the notice elects to retain the health information

the request must be taken to be—

        (c)     in the case of a request that the health information be transferred to him or her, a request for access to that health information in accordance with Part 5 or HPP 6; and

        (d)     in the case of a request that the health information be transferred to a health service provider nominated by him or her, a request for the transfer of that health information in accordance with HPP 11—

and it must be dealt with in accordance with this Act.

    10.8     This Principle operates subject to any other law, including the Public Records Act 1973.

    10.9     For the purposes of HPP 10.1(a), a business or practice of a provider is transferred if—

        (a)     it is amalgamated with another organisation; and

        (b)     the successor organisation which is the result of the amalgamation is a private sector organisation.

        11     Principle 11—Making information available to another health service provider

    11.1     If an individual

        (a)     requests a health service provider to make health information relating to the individual held by the provider available to another health service provider; or

        (b)     authorises another health service provider to request a health service provider to make health information relating to the individual held by that provider available to the requesting health service provider

a health service provider to whom the request is made and who holds health information about the individual must, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations, provide a copy or written summary of that health information to that other health service provider.

    11.2     A health service provider must comply with the requirements of this Principle as soon as practicable.

    11.3     Nothing in Part 5 or HPP 6 limits the operation of this Principle.

    11.4     For the purposes of HPP 10.7, this Principle applies to a legal representative of a deceased health service provider in the same way that it applies to a health service provider.
