1. NEW SOUTH WALES PRIVACY LEGISLATION
In New South Wales, the privacy laws in operation are the PPIP Act and HRIP Act.
The PPIP Act regulates the way in which all NSW public sector agencies collect, use, store and release personal information in order to maintain the privacy of individuals. The PPIP Act contains a set of ‘Information Protection Principles’ (IPPs) which NSW public sector agencies must abide by and sets out the role of the NSW Privacy Commissioner. It also establishes methods for the enforcement of privacy and a complaints handling framework if an individual believes their personal information has been mishandled. The NSW Privacy Commissioner has the power to receive, investigate and conciliate complaints about privacy matters and may conduct inquiries and investigations if required.
Specifically for health information, the HRIP Act protects and enhances the privacy rights of individuals with respect to this highly sensitive information. The HRIP Act governs the use and disclosure of health information in both public and private sectors in NSW. This includes public and private hospitals, doctors and other health care organisations; or any other organisation that obtains any type of health information including (but not limited to) insurance companies, airlines, gymnasiums and universities.
The HRIP Act sets out legal obligations in the form of 15 HPPs, located in Schedule 1 of the HRIP Act, which concern the collection, storage, access and accuracy, use, disclosure, assigning identifiers, anonymity and transferrals and linkage of health records (see Appendix 1). These obligations are subject to a number of legal exemptions. With respect to health information, the NSW Privacy Commissioner has a number of functions. These include, among others, promoting the adoption of, and monitoring compliance with, the HPPs; preparing, publishing and promoting guidelines relating to the protection of health information; and having the ability to receive, investigate and conciliate complaints regarding the handling of health information. The NSW Privacy Commissioner’s functions can be found at section 58 of the HRIP Act.
Many private sector organisations may also be subject to the Commonwealth Privacy Act 1988.
1.1 Information Protection Principles and Health Privacy Principles
The NSW privacy laws contain two sets of principles: the IPPs, located in the PPIP Act, which apply to NSW public sector agencies, and the HPPs, contained in the HRIP Act, which concern health information and apply to all public and private sector organisations.
The IPPs apply to how personal information is handled by NSW public sector agencies. Personal information refers to any information that relates to an identifiable person. The IPPs are legal obligations that NSW public sector agencies must comply with and cover the collection, storage, access, accuracy, use and disclosure of personal information. These legal obligations ensure that NSW public sector agencies are handling personal information responsibly, although lawful exemptions from the IPPs are available in particular circumstances. For example, a law enforcement agency is not required to comply if compliance by the agency would prejudice the agency’s law enforcement functions.
The HPPs aim to protect health information through 15 principles imposed on organisations to ensure that health information is handled appropriately. Particularly relevant to these Guidelines are HPPs 10 and 11. Whilst organisations holding health information must not use the information for a purpose other than the purpose for which it was collected, HPP 10 provides for certain circumstances exempting organisations from the general requirements. This is also the case for disclosure of health information, where exemptions can be found in HPP 11.
An organisation may use or disclose health information for a purpose other than the purpose for which it was collected in circumstances where, for example:
- the patient consents;
- the secondary purpose is directly related to the primary purpose within the individual’s reasonable expectations;
- the information is disclosed to or used by a law enforcement agency; and
- any other exception applies.
1.2 Health Legislation Amendment Act 2012
The Amending Act was passed by New South Wales Parliament in 2012. The Amending Act amended the law regarding the protection of genetic information by establishing a framework in which such information can be used and disclosed to genetic relatives in certain circumstances.
Upon commencement of the Amending Act, the amendments will bring the HRIP Act in line with the Commonwealth’s Privacy Act 1988 regarding the use and disclosure of genetic information.
Genetic information and genetic relative
The Amending Act defines “genetic information” as meaning health information of a type described in section 6 (d).
Once the amendments commence, the definition of genetic information in section 6(d) of the HRIP Act will be altered to “other personal information that is genetic information about an individual arising from a health service provided to the individual in the form that is or could be predictive of the health (at any time) of the individual or of a genetic relative”.
The Amending Act defines “genetic relative” as “a person who is related to an individual by blood, for example, a sibling, parent or descendant of the individual”. This definition will be inserted in section 4(1) of the HRIP Act once the amendments commence.
Changes to the Health Privacy Principles
The Amending Act introduces two exceptions to the general requirement that health information must not be used or disclosed for a purpose other than the purpose for which it was collected. The first exception, in HPP 10(1)(c1), allows genetic information to be used by an organisation, without the consent of the individual, if it reasonably believes that using the individual’s genetic information is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative, even if the threat is not imminent. The use must also be in accordance with guidelines issued by the NSW Privacy Commissioner, if any.
Similarly, the second exception located in HPP 11(1)(c1) allows genetic information to be disclosed by an organisation to a genetic relative of the individual, if it reasonably believes that disclosing genetic information to the genetic relative is necessary to lessen or prevent a serious threat to the life, health or safety of that genetic relative, even if the threat is not imminent and consent has not been given. It must also be in accordance with guidelines issued by the NSW Privacy Commissioner, if any.