Health Privacy Principles (HPPs) for agencies

Fact sheet - Health Privacy Principles (HPPs) for agencies, updated April 2023

The 15 Health Privacy Principles are the key to the Health Records and Information Privacy Act 2002 (HRIP Act).

These are legal obligations which NSW public sector agencies and private sector organisations must abide by when they collect, hold, use and disclose a person’s health information.

As exemptions may apply in certain circumstances, it is suggested you seek further advice from the Privacy Contact Officer or the Health Information Manager in your agency or organisation in the first instance. You can also contact the Information and Privacy Commission NSW (IPC) for further advice.

Collection
  1. Lawful

Only collect health information for a lawful purpose that is directly related to the agency or organisation’s activities and necessary for that purpose. You should not collect health information by any unlawful means.

  2. Relevant

Ensure health information is relevant, accurate, up to date, complete and not excessive, and that the collection does not unreasonably intrude into the personal affairs of the person to whom the information relates.

  3. Direct

Only collect health information from the person concerned, unless it is unreasonable or impracticable to do so.

  4. Open

Inform a person as to why you are collecting their health information, what you will do with it, and who else may see it. Tell the person how they can view and correct their health information and any consequences that will occur if they decide not to provide their information to you.

If you collect health information about a person from a third party you must still take reasonable steps to notify the person that this has occurred.

Storage
  5. Secure

Ensure the health information is stored securely, not kept any longer than necessary, and disposed of appropriately. Security safeguards should be in place so that health information is protected against loss, unauthorised access, use, modification, disclosure or any other misuse.

(Note: private sector organisations should also refer to section 25 of the HRIP Act for further provisions relating to retention.)

Access and accuracy
  6. Transparent

Explain to the person what health information is being stored, the reasons it is being used and any rights they have to access it.

  7. Accessible

Allow a person to access their health information without unreasonable delay or expense.

(Note: private sector organisations should also refer to sections 26-32 of the HRIP Act for further provisions relating to access.)

  8. Correct

Allow a person to update, correct, delete, add or amend their personal information where necessary. This will ensure that the health information is accurate, is being collected or used for its directly related purpose, and is relevant, up to date, complete and not misleading.

Note: private sector organisations should also refer to sections 33-37 of the HRIP Act for further provisions relating to amendment.

  9. Accurate

Ensure that the health information is relevant, up to date, accurate, complete, and not misleading before using it.

Use
  10. Limited

Only use health information for the purpose for which it was collected or for a directly related purpose which a person would expect. Otherwise, you would generally need their consent to use the health information for a secondary purpose, unless one of the exceptions in HPP 10 applies (e.g. emergencies, threat to health or welfare, research or training etc).

Disclosure
  11. Limited

Only disclose health information for the purpose for which it was collected, or for a directly related purpose that a person would expect. Otherwise, you would generally need their consent, unless one of the exceptions in HPP 11 applies (e.g. in some instances disclosure is allowed in the event of an emergency, serious threat to health or welfare, research or training etc).

Note: also see HPP 10.

Identifiers and anonymity
  12. Not identified

Only identify people by using unique identifiers if it is reasonably necessary to carry out your functions efficiently.

  13. Anonymous

Give the person the opportunity of receiving services from you anonymously, where this is lawful and practicable.

Transferrals and linkage
  14. Controlled

Only transfer health information outside New South Wales in accordance with HPP 14.

  15. Authorised

Only use health records linkage systems if the person has expressly consented to this information being included (this includes disclosure of an identifier).

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
