PERSONAL INFORMATION PROTECTION BILL 52 OF 2004

Tasmanian Bills

This is a Bill, not an Act. For current law, see the Acts databases.

PERSONAL INFORMATION PROTECTION BILL 52 OF 2004

TASMANIA __________ PERSONAL INFORMATION PROTECTION BILL 2004 __________ CONTENTS PART 1 PRELIMINARY 1. Short title 2. Commencement 3. Interpretation 4. Relationship of Act to other laws 5. Act binds Crown PART 2 APPLICATION AND EXEMPTIONS Division 1 Application 6. Application of personal information protection principles Division 2 Exemptions 7. Courts and tribunals 8. Public information 9. Law enforcement information 10. Employee information 11. Unsolicited information 12. Use of basic information 13. Application for exemptions 14. Determination of exemption [Bill 52]-V

15. Revocation of exemption PART 3 PERSONAL INFORMATION PROTECTION PRINCIPLES 16. Personal information protection principles 17. Compliance with personal information protection principles PART 4 COMPLAINTS AND INVESTIGATIONS 18. Making of complaints 19. Preliminary assessment of complaints 20. Referral to other authorities 21. Dealing with complaints 22. Procedure on completion of investigation PART 5 MISCELLANEOUS 23. Regulations 24. Administration of Act SCHEDULE 1 PERSONAL INFORMATION PROTECTION PRINCIPLES 2

PERSONAL INFORMATION PROTECTION BILL 2004 (Brought in by the Minister for Justice and Industrial Relations, the Honourable Judith Louise Jackson) A BILL FOR An Act to regulate the collection, maintenance, use and disclosure of personal information relating to individuals Be it enacted by His Excellency the Governor of Tasmania, by and with the advice and consent of the Legislative Council and House of Assembly, in Parliament assembled, as follows: PART 1 PRELIMINARY Short title 1. This Act may be cited as the Personal Information Protection Act 2004. Commencement 2. This Act commences on a day to be proclaimed. Interpretation 3. In this Act [Bill 52] 3

s. 3 No. Personal Information Protection 2004 "basic personal information" means the name, residential address, postal address, date of birth and gender of an individual; "complaint" means a complaint made under Part 4; "employee information" includes personal information about an individual who is, was or applies to be an employee relating to (a) the selection, employment, training, discipline or resignation of the individual; or (b) the termination of the employment of the individual; or (c) the terms and conditions of employment of the individual; or (d) the performance or conduct of the individual in carrying out the duties or functions of employment; or (e) the suitability of the individual for appointment or for employment held by the individual; or (f) the hours of employment of the individual; or (g) the salary or wages of the individual; or (h) the membership of the individual of a professional association, trade association or trade union; or (i) the recreation leave, long service leave, sick leave, personal leave, maternity leave, paternity leave or other leave of the individual; or 4

2004 Personal Information Protection No. s. 3 (j) information that supports employment statistical reporting and personnel planning; or (k) information in relation to employees as required by law; "employment" includes appointment or engagement to an office or position; "health information" means (a) personal information or opinion about (i) the physical, mental or psychological health at any time of an individual; or (ii) a disability at any time of an individual; or (iii) an individual's expressed wishes about the future provision of health services to him or her; or (iv) a health service provided, or to be provided, to an individual; or (b) other personal information collected to provide, or in providing, a health service; or (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or (d) genetic information about an individual that is or may be predictive of the health 5

s. 3 No. Personal Information Protection 2004 at any time of the individual or any of his or her descendants other than prescribed information, a prescribed class of information or information contained in a prescribed class of documents; "health service" means an activity, other than a prescribed activity, performed in relation to an individual that is intended or claimed by the individual or the person performing it (a) to assess, maintain or improve the individual's health; or (b) to diagnose the individual's illness, injury or disability; or (c) to treat the individual's illness, injury or disability or suspected illness, injury or disability; or (d) to dispense on prescription a drug or medical preparation; or (e) to provide a disability service, palliative care service or aged care service; or (f) to provide a prescribed service or a prescribed class of service in conjunction with any activity referred to in paragraph (a), (b), (c), (d) or (e); "identifier" means anything assigned by a personal information custodian to identify an individual for its operations, other than a name or ABN number as defined in the A New Tax System (Australian Business Number) Act 1999 of the Commonwealth; 6

2004 Personal Information Protection No. s. 3 "law enforcement agency" means any of the following: (a) a police force or police service of (i) the Commonwealth; or (ii) this State; or (iii) any other State or a Territory of the Commonwealth; or (iv) any country; (b) the Australian Crime Commission; (c) a commission established or appointed under any Act of this State or any other State or a Territory of the Commonwealth or of the Commonwealth to investigate matters relating to criminal activity generally or of a specified class; (d) a personal information custodian responsible for the performance of functions relating to (i) the prevention, detection, investigation or prosecution of criminal offences or other offences that impose a penalty or sanction; or (ii) the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime or the enforcement of such a law; 7

s. 3 No. Personal Information Protection 2004 (e) an agency established under the Public Service Act 1999 of the Commonwealth responsible for the performance of functions relating to (i) the prevention, detection, investigation or prosecution of criminal offences or other offences that impose a penalty or sanction; or (ii) the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime or the enforcement of such a law; (f) a personal information custodian or an individual or body contracted by a personal information custodian responsible for the execution or implementation of an order, decision or determination of a court or tribunal; (g) a personal information custodian (i) responsible for the issue of warrants; or (ii) that provides correctional services; or (iii) responsible for decisions relating to the release of persons from custody; (h) a personal information custodian responsible for the protection of public revenue under any Act; 8

2004 Personal Information Protection No. s. 3 (i) a personal information custodian responsible for the administration or performance of a function under a law that imposes a penalty or sanction; (j) the Attorney-General; (k) the Solicitor-General appointed and holding office under the Solicitor- General Act 1983; (l) the Director of Public Prosecutions appointed and holding office under the Director of Public Prosecutions Act 1973; (m) the Ombudsman; (n) a prescribed organisation; "law enforcement information" means information referred to in section 28(1) of the Freedom of Information Act 1991; "Ombudsman" means the person appointed and holding office under the Ombudsman Act 1978; "personal information" means any information or opinion in any recorded format about an individual (a) whose identity is apparent or is reasonably ascertainable from the information or opinion; and (b) who is alive or has not been dead for more than 25 years; "personal information contract" means a contract between a personal information custodian and another person (whether a 9

s. 3 No. Personal Information Protection 2004 personal information custodian or not) relating to the collection, use or storage of personal information; "personal information custodian" means any of the following: (a) a public sector body; (b) a council; (c) the University of Tasmania; (d) any body, organisation or person who has entered into a personal information contract relating to personal information; (e) a prescribed body; "personal information protection principles" means the personal information protection principles referred to in section 16; "public information" means any personal information that is (a) contained in a publicly available record or publication; or (b) taken to be public information under any Act; "public sector body" means any of the following: (a) an Agency as defined in the State Service Act 2000; (b) a statutory board; (c) a holder of a statutory office; 10

2004 Personal Information Protection No. s. 3 (d) a Government Business Enterprise under the Government Business Enterprises Act 1995; (e) a Minister; (f) a body whose members, or a majority of whose members, are appointed by the Governor or a Minister; (g) a prescribed body; "record" means a record in any format; "sensitive information" means (a) personal information or an opinion relating to personal information about an individual's (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; or (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; and (b) health information about an individual. 11

s. 4 No. Personal Information Protection 2004 Relationship of Act to other laws 4. If a provision of this Act is inconsistent with a provision made by or under any other Act (a) that other provision prevails; and (b) the provision of this Act has no effect to the extent of the inconsistency. Act binds Crown 5. (1) This Act binds the Crown in right of Tasmania and, so far as the legislative power of Parliament permits, in all its other capacities. (2) The Crown in any of its capacities is not liable to be prosecuted for an offence under this Act. 12

2004 Personal Information Protection No. s. 6 PART 2 APPLICATION AND EXEMPTIONS Division 1 Application Application of personal information protection principles 6. (1) Clauses 1, 7, 8 and 10 of Schedule 1 apply only in relation to information collected after the commencement of this Act. (2) Clauses 2, 3, 4, 5, 6 and 9 of Schedule 1 apply in relation to information collected before or after the commencement of this Act. Division 2 Exemptions Courts and tribunals 7. The following are exempt from the provisions of this Act: (a) a court or tribunal in the performance or exercise of judicial or quasi-judicial functions or powers; (b) the holder of a judicial or quasi-judicial office or other office pertaining to a court or tribunal in the capacity of the holder of that office; (c) the Solicitor-General appointed and holding office under the Solicitor-General Act 1983; (d) any person employed in relation to the functions of the Solicitor-General; 13

s. 8 No. Personal Information Protection 2004 (e) the Director of Public Prosecutions appointed and holding office under the Director of Public Prosecutions Act 1973; (f) any person employed in relation to the functions of the Director of Public Prosecutions; (g) the registry or other office of a court or tribunal in relation to any matter relating to the judicial or quasi-judicial functions of that court or tribunal; (h) any person employed in such a registry or other office in relation to any such matter. Public information 8. This Act does not apply to public information. Law enforcement information 9. Clauses 1(3), (4) and (5), 2(1), 5(3)(c), 7, 9 and 10(1)(a), (b), (c) and (e) of Schedule 1 do not apply to any law enforcement information kept or made by a law enforcement agency if it considers that non-compliance is reasonably necessary (a) for the purpose of any of its functions or activities; or (b) for the enforcement of laws relating to the confiscation of the proceeds of crime; or (c) in connection with the conduct of proceedings in any court or tribunal. 14

2004 Personal Information Protection No. s. 10 Employee information 10. Clauses 1(4) and (5), 7 and 10 of Schedule 1 do not apply to any employee information. Unsolicited information 11. Clause 1 of Schedule 1 does not apply to unsolicited information received by a personal information custodian. Use of basic information 12. A personal information custodian may use or disclose personal information about an individual for a purpose other than the primary purpose of collection without the individual's consent if (a) it is a public sector body; and (b) the information is basic personal information; and (c) the use or disclosure is reasonably necessary for the efficient storage and use of that information; and (d) the information is only used by, or disclosed to, another public sector body. Application for exemptions 13. (1) A personal information custodian may apply to the Minister for an exemption from compliance with any or all provisions of this Act. (2) An application is to 15

s. 14 No. Personal Information Protection 2004 (a) specify the provision or provisions to which the application relates; and (b) specify the information or class or classes of information to which the application relates; and (c) specify the personal information custodian or custodians or class or classes of personal information custodians to which the application applies; and (d) specify the reasons for the exemption; and (e) specify any public benefit involved; and (f) specify any relevant law, code of practice or other instrument under which it proposes to operate; and (g) include any other information the Minister determines. Determination of exemption 14. (1) The Minister may determine to (a) approve an application if satisfied that the public benefit outweighs to a substantial degree the public benefit from compliance with the personal information protection principles; or (b) refuse to approve the application if not so satisfied. (2) The Minister may approve an application subject to any conditions the Minister considers appropriate. 16

2004 Personal Information Protection No. s. 15 (3) The Minister is to publish the determination and the details of the application in the Gazette. Revocation of exemption 15. (1) The Minister may revoke a determination to approve an application for an exemption (a) if satisfied that (i) the reasons for granting that exemption no longer apply; or (ii) section 14(1)(a) no longer applies; or (b) at the request of the applicant. (2) The Minister is to publish the details of a revocation in the Gazette. 17

s. 16 No. Personal Information Protection 2004 PART 3 PERSONAL INFORMATION PROTECTION PRINCIPLES Personal information protection principles 16. The personal information protection principles that apply in Tasmania are those specified in Schedule 1. Compliance with personal information protection principles 17. (1) A personal information custodian must comply with the personal information protection principles. (2) Subsection (1) does not apply to anything done by a personal information custodian before the second anniversary of the commencement of this Act that is necessary for the performance of a contract entered into by the personal information custodian before the commencement of this Act. 18

2004 Personal Information Protection No. s. 18 PART 4 COMPLAINTS AND INVESTIGATIONS Making of complaints 18. (1) A person may make a complaint to the Ombudsman in relation to a matter referred to in subsection (2) if the person (a) has raised the matter with the relevant personal information custodian; and (b) is not satisfied with the response from the personal information custodian. (2) A complaint may be made by a person in relation to the alleged contravention by a personal information custodian of a personal information protection principle that applies to the person. (3) A complaint may be in writing or verbal, but the Ombudsman may require a verbal complaint to be put in writing. (4) The Ombudsman may (a) require information about a complaint to be provided by the complainant in a particular manner or form; and (b) require a complaint to be verified by statutory declaration. (5) A complaint must be made within 6 months or any further period the Ombudsman may allow from the time the complainant first became aware of the matter which is the subject of the complaint. (6) A complainant may amend or withdraw a complaint. 19

s. 19 No. Personal Information Protection 2004 Preliminary assessment of complaints 19. (1) The Ombudsman may conduct a preliminary assessment of a complaint for the purpose of deciding whether to deal with the complaint. (2) The Ombudsman may decide not to deal with a complaint if satisfied that (a) the complaint is frivolous, vexatious, lacking in substance or is not in good faith; or (b) the subject matter of the complaint is trivial; or (c) the subject matter of the complaint relates to a matter permitted or required under any law. (3) If the Ombudsman declines to deal with a complaint, the Ombudsman is to advise the complainant of the reasons for so declining. Referral to other authorities 20. (1) The Ombudsman, subject to subsection (3), may refer a complaint for investigation or other action to any person, body or authority the Ombudsman considers appropriate in the circumstances. (2) The Ombudsman may only refer a complaint (a) after appropriate consultation with the complainant and the relevant person, body or authority; and (b) after taking their views into consideration. (3) The Ombudsman may refer a complaint relating to a matter arising under the State Service Act 2000 to the State Service Commissioner. 20

2004 Personal Information Protection No. s. 21 Dealing with complaints 21. (1) If the Ombudsman decides to deal with a complaint, the Ombudsman is to conduct any investigations in relation to the complaint in accordance with Division 3 of Part III of the Ombudsman Act 1978. (2) The Ombudsman may conduct an investigation into any general issue or matter under this Act. Procedure on completion of investigation 22. (1) If, on completion of an investigation of a complaint, the Ombudsman is of the opinion that a personal information custodian has contravened a personal information protection principle, the Ombudsman (a) is to advise the complainant and the personal information custodian in writing of that opinion and the reasons on which it is based; and (b) may make any recommendations the Ombudsman considers appropriate in relation to the subject matter of the complaint. (2) The Ombudsman is to give the Minister a copy of the advice and any recommendations. (3) The Minister is to table the advice and any recommendations in both Houses of Parliament within 5 sitting days of its receipt. 21

s. 23 No. Personal Information Protection 2004 PART 5 MISCELLANEOUS Regulations 23. The Governor may make regulations for the purpose of this Act. Administration of Act 24. Until provision is made in relation to this Act by order under section 4 of the Administrative Arrangements Act 1990 (a) the administration of this Act is assigned to the Minister for Justice and Industrial Relations; and (b) the department responsible to that Minister in relation to the administration of this Act is the Department of Justice. 22

2004 Personal Information Protection No. sch. 1 SCHEDULE 1 PERSONAL INFORMATION PROTECTION PRINCIPLES Sections 6, 9, 10, 11 and 16 Collection 1. (1) A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities. (2) A personal information custodian must collect personal information only by lawful means. (3) Before collection, during collection or as soon as practicable after collection of personal information about an individual from the individual, the personal information custodian must take any reasonable steps necessary to ensure that the individual is aware of the following: (a) its identity and how to contact it; (b) the individual's right of access to the information; (c) the purposes for which the information is collected; (d) the intended recipients or class of recipients of the information; (e) any law that requires the information to be collected; (f) the main consequences for the individual if all or part of the information is not provided. (4) If it is reasonable and practicable to do so, a personal information custodian must collect personal information about an individual only from that individual. 23

sch. 1 No. Personal Information Protection 2004 (5) If a personal information custodian collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is made aware of the matters referred to in subclause (3) unless doing so would pose a serious threat to the life, safety, health or welfare of any individual. Use and disclosure 2. (1) A personal information custodian must not use or disclose personal information about an individual for a purpose other than the purpose for which it was collected unless (a) both of the following apply: (i) that purpose is related to the primary purpose and, if the personal information is sensitive information, that information is directly related to the primary purpose; (ii) the individual would reasonably expect the personal information custodian to use or disclose the information for that purpose; or (b) the individual has consented to the use or disclosure; or (c) if the use or disclosure is necessary for research or the compilation or analysis of statistics in the public interest, other than for publication in a form that identifies any particular individual (i) it is impracticable for the personal information custodian to seek the 24

2004 Personal Information Protection No. sch. 1 individual's consent before the use or disclosure; or (ii) the personal information custodian reasonably believes that the recipient of the information is not likely to disclose the information; or (d) the personal information custodian reasonably believes that the use or disclosure is necessary to lessen or prevent (i) a serious threat to an individual's life, health, safety or welfare; or (ii) a serious threat to public health or public safety; or (e) the personal information custodian has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or (f) the use or disclosure is required or authorised by or under law; or (g) the personal information custodian reasonably believes that the use or disclosure is reasonably necessary for any of the following purposes by or on behalf of a law enforcement agency: (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; 25

sch. 1 No. Personal Information Protection 2004 (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; (iii) the protection of the public revenue; (iv) the prevention, detection, investigation or remedying of conduct that is in the opinion of the personal information custodian seriously improper conduct; (v) the preparation for, or conduct of, proceedings before any court or tribunal or implementation of any order of a court or tribunal; (vi) the investigation of missing persons; (vii) the investigation of a matter under the Coroners Act 1995; or (h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the personal information custodian to disclose the personal information and (i) the disclosure is made to an officer or employee of ASIO or ASIS appropriately authorised in writing to receive the disclosure; and (ii) an officer or employee of ASIO or ASIS so authorised certifies that the disclosure is connected with the performance by ASIO or ASIS of its functions; or (i) the personal information is to be used as employee information in relation to 26

2004 Personal Information Protection No. sch. 1 (i) the suitability of the individual for appointment; or (ii) the suitability of the individual for employment held by the individual; or (j) the personal information is employee information which is being transferred from one personal information custodian to another personal information custodian for use as employee information relating to the individual; or (k) subclause (4) or section 12 applies. (2) If a personal information custodian uses or discloses personal information under subclause (1)(g), it must make a written note of the use or disclosure. (3) Subclause (1) applies to personal information collected by a personal information custodian that is a body corporate from a related body corporate as if the primary purpose of that collection were the primary purpose for which the related body corporate collected the information. (4) A personal information custodian that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if (a) the individual is (i) physically or legally incapable of giving consent to the disclosure; or (ii) physically unable to communicate consent to the disclosure; and 27

sch. 1 No. Personal Information Protection 2004 (b) the natural person providing the health service for the personal information custodian is satisfied that the disclosure (i) is necessary to provide appropriate care or treatment of the individual; or (ii) is made for compassionate reasons; and (c) the disclosure is not contrary to any wish (i) expressed by the individual before the individual became unable to give or communicate consent; and (ii) of which the natural person is aware, or of which he or she could reasonably be expected to be aware; and (d) the disclosure is limited to the extent reasonable and necessary for the purpose mentioned in paragraph (b). (5) A person is responsible for an individual if the person (a) is a parent of the individual; or (b) is a child or sibling of the individual and at least 18 years of age; or (c) is a spouse of the individual; or (d) is in a personal relationship, within the meaning of the Relationships Act 2003, with the individual; or (e) is a relative of the individual, at least 18 years of age and a member of the individual's household; or (f) is a guardian of the individual; or 28

2004 Personal Information Protection No. sch. 1 (g) is exercising enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or (h) is nominated by the individual to be contacted in case of emergency. Data quality 3. A personal information custodian must take reasonable steps to ensure that, having regard to the purpose for which the personal information is to be used, the personal information it collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to its functions or activities. Data security 4. (1) A personal information custodian must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure. (2) A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. (3) A personal information custodian, the records of which are subject to the Archives Act 1983, must take the reasonable steps referred to in subclause (2) only with the approval of the State Archivist. 29

sch. 1 No. Personal Information Protection 2004 Openness 5. (1) A personal information custodian must clearly set out in a document its policies on its management of personal information. (2) A personal information custodian must make the document available to anyone who asks for it. (3) On request by a person, a personal information custodian must take reasonable steps to advise the person, in general terms, of (a) the sort of personal information it holds; and (b) the purposes for which it holds the information; and (c) how it collects, holds, uses and discloses that information. Access and correction 6. (1) If a personal information custodian holds personal information about an individual, it must provide the individual with access to the information in accordance with Parts 2 and 3 of the Freedom of Information Act 1991, as if it were subject to that Act, and as if a reference to an agency or Minister in that Act were a reference to a personal information custodian. (2) An individual may request amendment of his or her personal information in accordance with Part 4 of the Freedom of Information Act 1991 if that information is incorrect, incomplete, out of date or misleading, whether or not the personal information custodian is subject to that Act, as if a reference to an agency or Minister in that Act were a reference to a personal information custodian. 30

2004 Personal Information Protection No. sch. 1 Unique identifiers 7. (1) A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently. (2) A personal information custodian must not adopt as its own unique identifier of an individual a unique identifier that has been assigned to the individual by another personal information custodian unless (a) that adoption is necessary for it to carry out any of its functions efficiently; or (b) it has obtained the consent of the individual to the use of the unique identifier; or (c) it is a body, an organisation or an individual adopting the unique identifier created by a personal information custodian in the performance of its obligations to the personal information custodian under a personal information contract. (3) A personal information custodian must not use or disclose a unique identifier assigned to an individual by another personal information custodian unless (a) the use or disclosure is necessary for it to fulfil its obligations to the other personal information custodian; or (b) clause 2(1) applies. (4) A personal information custodian must not require an individual to provide a unique identifier in order to obtain a service unless the provision (a) is required or authorised by law; or 31

sch. 1 No. Personal Information Protection 2004 (b) is in connection with the purpose, or a directly related purpose, for which the unique identifier was assigned. Anonymity 8. Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian. Disclosure of information outside Tasmania 9. A personal information custodian may disclose personal information about an individual to another person or other body who is outside Tasmania only if (a) the personal information custodian reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that has principles for fair handling of the information that are substantially similar to the personal information protection principles; or (b) the individual consents to the disclosure; or (c) the disclosure is necessary for (i) the performance of a contract between the individual and the personal information custodian; or (ii) the conclusion or performance of a contract concluded in the interest of the individual between the personal information custodian and a third party; or 32

2004 Personal Information Protection No. sch. 1 (d) the personal information custodian has taken reasonable steps to ensure that the information which it has disclosed is not to be held, used or disclosed by the recipient of the information inconsistently with the personal information protection principles; or (e) the disclosure is authorised or required by any other law. Sensitive information 10. (1) A personal information custodian must not collect sensitive information about an individual unless (a) the individual has consented; or (b) the collection is required or permitted by law; or (c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual and the individual to whom the information relates (i) is physically or legally incapable of giving consent to the collection; or (ii) physically cannot communicate consent to the collection; or (iii) is subject to a guardianship order under the Guardianship and Administration Act 1995 or the Mental Health Act 1996; or (d) the information is collected in the course of the activities of a non-profit personal information custodian that has only racial, ethnic, 33

sch. 1 No. Personal Information Protection 2004 political, religious, philosophical, professional, trade or trade union aims and (i) the information relates solely to the members of that personal information custodian or to individuals who have regular contact with it in connection with its activities; and (ii) at or before the time of collection, the personal information custodian undertakes to the individual to whom the information relates that it will not disclose the information without the individual's consent; or (e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or (f) subclause (2), (3), (4) or (6) applies. (2) A personal information custodian may collect sensitive information about an individual if (a) either of the following applies: (i) the collection is necessary for research or the compilation or analysis of statistics in the public interest and any resulting publication does not identify the individual; (ii) the information relates to an individual's racial or ethnic origin and is collected for the purpose of welfare or educational services funded by government; and 34

2004 Personal Information Protection No. sch. 1 (b) there is no reasonably practicable alternative to collecting the information for a purpose referred to in paragraph (a); and (c) it is impracticable for the personal information custodian to seek the individual's consent to the collection. (3) A personal information custodian may collect sensitive information that is health information about an individual if (a) the information is necessary to provide a health service to the individual; and (b) the information is collected (i) as required by law, other than this Act; or (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian. (4) A personal information custodian may collect sensitive information that is health information about an individual if (a) the collection is necessary for any of the following purposes: (i) research relevant to public health or public safety; (ii) the compilation or analysis of statistics relevant to public health or public safety; 35

sch. 1 No. Personal Information Protection 2004 (iii) the management, funding or monitoring of a health service; and (b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and (c) it is impracticable for the personal information custodian to seek the individual's consent to the collection; and (d) the information is collected (i) as required by law, other than this Act; or (ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian. (5) If a personal information custodian collects sensitive information that is health information about an individual in accordance with subclause (4), it must take reasonable steps to permanently de-identify the information before disclosing it. (6) A personal information custodian may collect sensitive information that is health information from an individual about another person without the consent of that other person if both the following apply: (a) the collection is necessary for the provision of any health service provided to the individual; (b) the information is relevant to the social or family history of the individual. 36 Government Printer, Tasmania

[[Index]] [Search] [Download] [Help]