Queensland Consolidated Acts


INFORMATION PRIVACY ACT 2009 - SCHEDULE 4

SCHEDULE 4 – National privacy principles

1 NPP 1—Collection of personal information

(1) A health agency must not collect personal information unless the information is necessary for 1 or more of its functions or activities.
(2) A health agency must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
(3) At or before the time or, if that is not practicable, as soon as practicable after, a health agency collects personal information about an individual from the individual, the health agency must take reasonable steps to ensure that the individual is aware of—
(a) the identity of the health agency and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the entities, or the types of entities, to which the health agency usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences, if any, for the individual if all or part of the information is not provided.
(4) If it is reasonable and practicable to do so, a health agency must collect personal information about an individual only from that individual.
(5) If a health agency collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subsection (3) except to the extent that—
(a) the personal information is collected under NPP 9(1)(e); or
(b) making the individual aware of the matters would pose a serious threat to the life, health, safety or welfare of an individual.
(6) If the information is required under a statutory collection, a health agency is not required to ensure that the individual is or has been made aware of the matters listed in subsection (3).
(7) In this section—

"statutory collection" means—
(a) a register or other collection of personal information that a health agency is authorised or required to maintain under an Act for monitoring public health issues, including, for example, by identifying morbidity and mortality trends, planning and evaluating health services or facilitating and evaluating treatments; or
(b) personal information collected by a health agency under an Act requiring a person to give information to the health agency.

2 NPP 2—Limits on use or disclosure of personal information

(1) A health agency must not use or disclose personal information about an individual for a purpose (the "secondary purpose") other than the primary purpose of collection unless—
(a) both of the following apply—
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the health agency to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety—
(i) it is impracticable for the health agency to seek the individual’s consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph; and
(iii) for disclosure—the health agency reasonably believes that the entity receiving the health information will not disclose the health information or personal information derived from the health information; or
(d) the health agency reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare or a serious threat to public health, safety or welfare; or
(e) the health agency has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(f) the use or disclosure is authorised or required by or under law; or
(g) the health agency reasonably believes that the use or disclosure is reasonably necessary for 1 or more of the following by or for an enforcement body—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
Notes—
1 It is not intended to deter a health agency from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.
2 Subsection (1) does not override any existing legal obligations not to disclose personal information (for example, Hospital and Health Boards Act 2011, section 142). Nothing in subsection (1) requires a health agency to disclose personal information. A health agency is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
3 A health agency is also subject to the requirements of chapter 2, part 3 if it transfers personal information to an entity outside Australia.
(2) If a health agency uses or discloses personal information under subsection (1)(g), it must include with the personal information a note of the use or disclosure.
(3) Despite subsection (1), if a health agency provides a health service to an individual, it may disclose health information about the individual to a person who is responsible for the individual if—
(a) the individual—
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically can not communicate consent to the disclosure; and
(b) a health professional providing the health service for the health agency is satisfied that either—
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish—
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
(4) For subsection (3), a person is "responsible" for an individual if the person is—
(a) a parent of the individual; or
(b) a child or sibling of the individual who a health professional believes has capacity; or
(c) a spouse or de facto partner of the individual; or
(d) a relative of the individual and a member of the individual’s household; or
(e) a guardian of the individual; or
(f) a person exercising a power under an enduring power of attorney made by the individual that is exercisable in relation to decisions about the individual’s health; or
(g) a person who has sufficient personal interest in the health and welfare of the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
Note—
Subsection (3) does not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998.
(5) Despite subsection (1), a health agency may use an individual’s personal information that is not sensitive information for a commercial purpose involving the health agency’s marketing of anything to the individual, but only if—
(a) it is impracticable for the health agency to seek the consent of the individual before the personal information is used for the purposes of the marketing; and
(b) the health agency will not charge the individual for giving effect to a request from the individual to the health agency that the individual not receive any marketing communications; and
(c) the individual has not made a request mentioned in paragraph (b); and
(d) in each marketing communication with the individual, the health agency will draw to the individual’s attention, or prominently display a notice, that the individual may ask not to receive any further marketing communications; and
(e) each written marketing communication from the health agency to the individual, up to and including the communication that involves the use, will state the department’s business address and telephone number and, if the communication with the individual is made by fax or other electronic means, a number or address at which the health agency can be directly contacted electronically.
(6) In this section—

"child", of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.

"enforcement body" means an enforcement body within the meaning of the Privacy Act 1988 (Cwlth).

"parent", of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.

"relative", of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.

"sibling", of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.

3 NPP 3—Data quality

A health agency must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.

4 NPP 4—Data security

(1) A health agency must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification or disclosure.
(2) If the personal information is no longer needed for any purpose for which the information may be used or disclosed under NPP 2, the health agency must take reasonable steps to ensure that the individual the subject of the personal information can no longer, and can not in the future, be identified from the personal information.
Note—
Subsection (2) will apply subject to the requirements of the Public Records Act 2002 providing for the retention of records.

5 NPP 5—Openness

(1) A health agency must set out in a document clearly expressed policies on its management of personal information and must make the document available to anyone who asks for it.
(2) On request by a person, a health agency must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6 NPP 6—Access to documents containing personal information

(1) If a health agency has control of a document containing personal information, it must give the individual the subject of the personal information access to the document if the individual asks for access.
(2) A health agency is not required to give an individual access to a document under subsection (1) if—
(a) the health agency is authorised or required under an access law to refuse to give the access to the individual; or
(b) the document is expressly excluded from the operation of an access law.

7 NPP 7—Amendment of documents containing personal information

(1) If a health agency has control of a document containing personal information, it must take all reasonable steps, including by the making of an appropriate amendment, to ensure the personal information
(a) is accurate; and
(b) having regard to the purpose for which it was collected or is to be used and to any purpose directly related to fulfilling the purpose, is relevant, complete, up to date and not misleading.
(2) Subsection (1) applies subject to any limitation in a law of the State providing for the amendment of personal information held by a health agency.
(3) Subsection (4) applies if—
(a) a health agency considers it is not required to amend personal information included in a document under the health agency’s control in a way asked for by the individual the subject of the personal information; and
(b) no decision or recommendation to the effect that the document should be amended wholly or partly in the way asked for has been made under a law mentioned in subsection (2).
(4) A health agency must, if the individual asks, take all reasonable steps to attach to the document any statement provided by the individual of the amendment asked for.

8 NPP 8—Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with a health agency.

9 NPP 9—Sensitive information

(1) A health agency must not collect sensitive information about an individual (the "relevant individual") unless—
(a) the relevant individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of an individual, and the relevant individual—
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically can not communicate consent to the collection; or
(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or
(e) the information is a family medical history, social medical history or other relevant information about any individual, that is collected for the purpose of providing any person, whether or not the relevant individual, with a health service, and is collected by a health agency from—
(i) the person who is to receive or is receiving the service; or
(ii) a parent of the relevant individual; or
(iii) a child or sibling of the relevant individual if a health professional believes the child or sibling has capacity; or
(iv) a spouse or de facto partner of the relevant individual; or
(v) a relative of the relevant individual if the relative is a member of the relevant individual’s household; or
(vi) a guardian of the relevant individual; or
(vii) a person exercising a power under an enduring power of attorney made by the relevant individual that is exercisable in relation to decisions about the relevant individual’s health; or
(viii) a person who has sufficient personal interest in the health and welfare of the relevant individual; or
(ix) a person nominated by the relevant individual to be contacted in case of emergency.
(2) Despite subsection (1), a health agency may collect health information about an individual if the information is necessary to provide a health service to the individual and—
(a) the individual would reasonably expect the health agency to collect the information for that purpose; or
(b) the information is collected as authorised or required by law.
(3) Despite subsection (1), a health agency may collect health information about an individual if—
(a) the collection is necessary for any of the following purposes—
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) the purpose can not be served by the collection of information that does not identify the individual or from which the individual’s identity can not reasonably be ascertained; and
(c) it is impracticable for the health agency to seek the individual’s consent to the collection; and
(d) the information is collected—
(i) as authorised or required by law; or
(ii) by a designated person with the approval of the relevant chief executive; or
Note—
A relevant chief executive could delegate the power to approve the collection of information by a designated person.
(iii) in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph.
(4) If a health agency collects health information about an individual in accordance with subsection (3), the health agency must, before it discloses the personal information, take reasonable steps to ensure that the individual the subject of the personal information can no longer, and can not in the future, be identified from the personal information.


