NSW Genetic Health Guidelines - Appendix 1: Health Privacy Principles

Health Records and Information Privacy Act 2002 (NSW)

Schedule 1 Health Privacy Principles

1. Purposes of collection of health information

(1) An organisation must not collect health information unless:

(a) the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and

(b) the collection of the information is reasonably necessary for that purpose.

(2) An organisation must not collect health information by any unlawful means.

2. Information must be relevant, not excessive, accurate and note intrusive

An organisation that collects health information from an individual must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:

(a) the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and

(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

3. Collection to be from individual concerned

(1) An organisation must collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so.

(2) Health information is to be collected in accordance with any guidelines issued by the NSW Privacy Commissioner for the purposes of this clause.   

4. Individual to made aware of certain matters

(1) An organisation that collects health information about an individual from the individual must, at or before the time that it collects the information (or if that is not practicable, as soon as practicable after that time), take steps that are reasonable in the circumstances to ensure that the individual is aware of the following:

(a) the identity of the organisation and how to contact it,

(b) the fact that the individual is able to request access to the information,

(c) the purposes for which the information is collected,

(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind,

(e) any law that requires the particular information to be collected,

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

(2) If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is generally aware of the matters listed in subclause (1) except to the extent that:

(a) making the individual aware of the matters would pose a serious threat to the life or health of any individual, or

(b) the collection is made in accordance with guidelines issued under subclause (3).

(3) The NSW Privacy Commissioner may issue guidelines setting out circumstances in which an organisation is not required to comply with subclause (2).

(4) An organisation is not required to comply with a requirement of this clause if:

(a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or

(b) the organisation is lawfully authorised or required not to comply with it, or

(c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or

(d) compliance by the organisation would, in the circumstances, prejudice the interests of the individual to whom the information relates, or

(e) the information concerned is collected for law enforcement purposes, or

(f) the organisation is an investigative agency and compliance might detrimentally affect (or prevent the proper exercise of) its complaint handling functions or any of its investigative functions.

(5) If the organisation reasonably believes that the individual is incapable of understanding the general nature of the matters listed in subclause (1), the organisation must take steps that are reasonable in the circumstances to ensure that any authorised representative of the individual is aware of those matters.

(6) Subclause (4) (e) does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.

(7) The exemption provided by subclause (4) (f) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

5. Retention and security

(1) An organisation that holds health information must ensure that:

(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and

(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and

(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.

Note. Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

(2) An organisation is not required to comply with a requirement of this clause if:

(a) the organisation is lawfully authorised or required not to comply with it, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

(3) An investigative agency is not required to comply with subclause (1) (a).

6. Information about health information held by organisations

(1) An organisation that holds health information must take such steps as are, in the circumstances, reasonable to enable any individual to ascertain:

(a) whether the organisation holds health information, and

(b) whether the organisation holds health information relating to that individual, and

(c) if the organisation holds health information relating to that individual:

             i. the nature of that information, and

            ii. the main purposes for which the information is used, and

           iii. that person’s entitlement to request access to the information.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

7. Access to health information

(1) An organisation that holds health information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.

Note. Division 3 (Access to health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

Access to health information held by public sector agencies may also be available under the Government Information (Public Access) Act 2009 or the State Records Act 1998.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

8. Amendment of health information

(1) An organisation that holds health information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the health information:

(a) is accurate, and

(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.

(2) If an organisation is not prepared to amend health information under subclause (1) in accordance with a request by the individual to whom the information relates, the organisation must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.

(3) If health information is amended in accordance with this clause, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the organisation.

Note. Division 4 (Amendment of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

Amendment of health information held by public sector agencies may also be able to be sought under the Privacy and Personal Information Protection Act 1998.

(4) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

9. Accuracy

An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

10. Limits on use of health information

(1) An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a) Consent
the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b) Direct relation
the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c) Serious threat to health or welfare
the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

            i. a serious and imminent threat to the life, health or safety of the individual or another person, or

           ii. (ii) a serious threat to public health or public safety, or

(c1) Genetic information 
the information is genetic information and the use of the information for the secondary purpose:

    i. is reasonably believed by the organisation to be necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of a genetic relative of the individual to whom the genetic information relates, and

   ii. is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(d) Management of health services
the use of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:

           i. either:

   (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

   (B) reasonable steps are taken to de-identify the information, and

           ii. if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

          iii. the use of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(e) Training
the use of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:

           i. either:

          (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

          (B) reasonable steps are taken to de-identify the information, and

         ii. if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

        iii. the use of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(f) Research
the use of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:

         i. either:

         (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

         (B) reasonable steps are taken to de-identify the information, and

         ii. if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

        iii. the use of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(g) Find missing person
the use of the information for the secondary purpose is by a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or

(h) Suspected unlawful activity, unsatisfactory professional conduct or breach of discipline the organisation:

          i. has reasonable grounds to suspect that:

          (A) unlawful activity has been or may be engaged in, or

          (B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW), or

          (C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

          ii. uses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

(i) Law enforcement
the use of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or

(j) Investigative agencies
the use of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or

(k) Prescribed circumstances
the use of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

(3) The Ombudsman’s Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.

(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:

(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or

(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.

(5) The exemption provided by subclause (1) (j) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.

11. Limits on disclosure of health information

(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a) Consent
the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b) Direct relation
the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c) Serious threat to health or welfare
the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

            i. a serious and imminent threat to the life, health or safety of the individual or another person, or

           ii. (ii) a serious threat to public health or public safety, or

(c1) Genetic information 
the information is genetic information and the disclosure of the information for the secondary purpose:

    i. is reasonably believed by the organisation to be necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of a genetic relative of the individual to whom the genetic information relates, and

   ii. is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(d) Management of health services
the disclosure of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:

           i. either:

   (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

   (B) reasonable steps are taken to de-identify the information, and

           ii. if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

          iii. the disclosure of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(e) Training
the disclosure of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:

           i. either:

          (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

          (B) reasonable steps are taken to de-identify the information, and

         ii. if the information could reasonably be expected to identify the individual, the information is not published in a generally available publication, and

        iii. the disclosure of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(f) Research
the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:

         i. either:

         (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

         (B) reasonable steps are taken to de-identify the information, and

         ii. the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can be reasonably ascertained, and

        iii. the disclosure of the information is in accordance with guidelines, if any, issued by the NSW Privacy Commissioner for the purposes of this paragraph, or

(g) Compassionate reasons
the disclosure of the information for the secondary purpose is to provide information to an immediate family member of the individual for compassionate reasons, and: 

         i. the disclosure is limited to the extent reasonable for those compassionate reasons, and

        ii. the individual is incapable of giving consent to the disclosure of information, and

       iii. the disclosure is not contrary to any wish expressed by the individual (and not withdrawn) of which the organisation was aware or could make itself aware by taking reasonable steps, and 

       iv. if the immediate family member is under the age of 18 years, the organisation reasonably believes that the family member has insufficient maturity in the circumstances to receive the information, or

(h) Finding missing person
the disclosure of the information for the secondary purpose is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or  

(i) Suspected unlawful activity, unsatisfactory professional conduct or breach of discipline 
the organisation:

          i. has reasonable grounds to suspect that:

          (A) unlawful activity has been or may be engaged in, or

          (B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW), or

          (C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and

          ii. discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or

(j) Law enforcement
the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or

(k) Investigative agencies
the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or

(l) Prescribed circumstances
the disclosure of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or 

(c) the organisation is an investigative agency disclosing information to another investigative agency.

(3) The Ombudsman’s Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.

(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:

(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or

(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.

(5) If health information is disclosed in accordance with subclause (1), the person, body or organisation to whom it was disclosed must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

(6) The exemptions provided by subclauses (1) (k) and (2) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency. 

12. Identifiers

(1) An organisation may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently.

(2) Subject to subclause (4), a private sector person may only adopt as its own identifier of an individual an identifier of an individual that has been assigned by a public sector agency (or by an agent of, or contractor to, a public sector agency acting in its capacity as agent or contractor) if:

(a) the individual has consented to the adoption of the same identifier, or

(b) the use or disclosure of the identifier is required or authorised by or under law.

(3) Subject to subclause (4), a private sector person may only use or disclose an identifier assigned to an individual by a public sector agency (or by an agent of, or contractor to, a public sector agency acting in its capacity as agent or contractor) if:

(a) the use or disclosure is required for the purpose for which it was assigned or for a secondary purpose referred to in one or more paragraphs of HPP 10 (1) (c)–(k) or 11 (1) (c)–(l), or

(b) the individual has consented to the use or disclosure, or

(c) the disclosure is to the public sector agency that assigned the identifier to enable the public sector agency to identify the individual for its own purposes.

(4) If the use or disclosure of an identifier assigned to an individual by a public sector agency is necessary for a private sector person to fulfil its obligations to, or the requirements of, the public sector agency, a private sector person may either:

(a) adopt as its own identifier of an individual an identifier of the individual that has been assigned by the public sector agency, or

(b) use or disclose an identifier of the individual that has been assigned by the public sector agency.

13. Anonymity

Wherever it is lawful and practicable, individuals must be given the opportunity to not identify themselves when entering into transactions with or receiving health services from an organisation. 

14. Transborder data flows and data flows to Commonwealth agencies

An organisation must not transfer health information about an individual to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:

(1) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles, or

(2) the individual consents to the transfer, or

(3) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request, or

(4) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party, or

(5) all of the following apply:

     i. the transfer is for the benefit of the individual,

    ii. it is impracticable to obtain the consent of the individual to that transfer,

   iii. if it were practicable to obtain such consent, the individual would be likely to give it, or

(6) the transfer is reasonably believed by the organisation to be necessary to lessen or prevent:

     i. a serious and imminent threat to the life, health or safety of the individual or another person, or

    ii. a serious threat to public health or public safety, or

(7) the organisation has taken reasonable steps to ensure that the information that it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles, or

(8) the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law.

15. Linkage of health records

(1) An organisation must not:

(a) include health information about an individual in a health records linkage system unless the individual has expressly consented to the information being so included, or

(b) disclose an identifier of an individual to any person if the purpose of the disclosure is to include health information about the individual in a health records linkage system, unless the individual has expressly consented to the identifier being disclosed for that purpose.

(2) An organisation is not required to comply with a provision of this clause if:

(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or

(c) the inclusion of the health information about the individual in the health records information system (including an inclusion for which an identifier of the individual is to be disclosed) is a use of the information that complies with HPP 10 (1) (f) or a disclosure of the information that complies with HPP 11 (1) (f).

(3) In this clause:

health record means an ongoing record of health care for an individual.

health records linkage system means a computerised system that is designed to link health records for an individual held by different organisations for the purpose of facilitating access to health records, and includes a system or class of systems prescribed by the regulations as being a health records linkage system, but does not include a system or class of systems prescribed by the regulations as not being a health records linkage system.

disclose an identifier of an individual to any person if the purpose of the disclosure is to include health information about the individual in a health records linkage system, unless the individual has expressly consented to the identifier being disclosed for that purpose.