This is a Bill, not an Act. For current law, see the Acts databases.
Western Australia
Information Privacy Bill 2007
CONTENTS
Part 1 -- Preliminary
1. Short title
2. Commencement
3. Objects of Act
4. Terms used in this Act
5. Meaning of "health information"
6. Meaning of "personal information"
7. When information is held
8. Related public organisations
9. Application to courts, registries and judicial officers
10. Publicly available information
11. Application of certain privacy principles to law enforcement agencies and child protection agencies
12. Relationship to FOI Act and State Records Act 2000
13. Nature of rights created by this Act
14. Act binds Crown
Part 2 -- Personal information privacy
15. Information privacy principles
16. Application of information privacy principles
17. Public organisations to comply with information privacy principles
Part 3 -- Health information privacy
Division 1 -- Health privacy principles
18. Health privacy principles
19. Application of health privacy principles
20. Organisations to comply with health privacy principles
Division 2 -- Access to health records
Subdivision 1 -- Preliminary
21. Application of Division
Subdivision 2 -- Right of access and access applications
22. Right of access
23. Access application
24. How access application is made
25. Withdrawal of access application
Subdivision 3 -- Procedure for dealing with access applications
26. Decisions as to access and charges
27. Organisation may request consultation or further information
28. Ambit of access application may be reduced by agreement
29. Charges for access to health records
30. Estimate of charges
31. Advance deposits
32. Failure of access applicant to notify intention or pay deposit
33. Organisation may refuse to deal with an application in certain cases
34. Giving access
35. Refusal of access
36. Access to edited copy of health record
37. Health records that cannot be found or do not exist
38. Ways in which access can be given
39. Information detrimental to health of access applicant
40. Notice of decision
41. Applications may be regarded as having been withdrawn in certain circumstances
Division 3 -- Amendment of health records
Subdivision 1 -- Preliminary
42. Application of Division
Subdivision 2 -- Right to apply for amendment and amendment applications
43. Right to apply for health record to be amended
44. How amendment application is made
Subdivision 3 -- Procedure for dealing with amendment applications
45. Decisions as to amendment
46. Notice of decision
47. How organisation may amend health record
48. Request for notation or attachment disputing accuracy of health record
49. Other users of health record to be advised of requested amendment
50. Organisation may give reasons for not amending information
51. No charge for application or request
Division 4 -- General
52. Part not intended to limit access or amendment that is otherwise lawful
53. Application on behalf of an individual
54. Personal, family or household affairs
55. News media
Part 4 -- Codes of practice
56. Terms used in this Part
57. Information privacy code of practice
58. Health privacy code of practice
59. Preparation of code of practice by organisation
60. Preparation of code of practice by Commissioner
61. Submission of code of practice to relevant Minister
62. Approval of code of practice
63. Publication and operation of approved code of practice
64. Amendment, revocation or replacement of approved code of practice
65. Organisation to comply with applicable code of practice
66. Register
Part 5 -- Complaints
Division 1 -- Preliminary
67. Terms used in this Part
68. What constitutes an interference with privacy
Division 2 -- Complaints and procedure for dealing with them
69. Complaints
70. Who may make a complaint
71. Complaint on behalf of an individual
72. How and when a complaint can be made
73. Commissioner may decide not to deal with a complaint
74. Referral of complaint to respondent in certain circumstances
75. Referral of complaint to Tribunal if Commissioner decides not to deal with it
76. Notification of complaint
77. Withdrawal of complaint
78. Parties to conciliation proceedings
79. Procedure
80. Conciliation proceedings record
81. Power to obtain information and documents and compel attendance
82. Power to examine
83. Commissioner to ensure non-disclosure of certain matter
84. Production of certain health records for inspection
85. Referral of unresolved complaint to Tribunal
86. Provision of information to Tribunal
Division 3 -- Tribunal's jurisdiction as to complaints
87. Meaning of "complaint jurisdiction"
88. Presiding member of Tribunal
89. Tribunal to ensure non-disclosure of certain matter
90. Decisions of the Tribunal
91. Restrictions under other laws not applicable
Division 4 -- Appeals
92. Terms used in this Division
93. Appeal from Tribunal's decision
94. No access to health record containing exempt matter
95. Power to impose terms on orders
96. Court to ensure non-disclosure of certain matter
97. Production of documents
98. Restrictions under other laws not applicable
99. Other procedure
Part 6 -- Exchange of information
100. Terms used in this Part
101. Construction of certain references for the purposes of this Part
102. Exchange of information between agencies
103. Exchange of information between agencies and other persons
104. Scope of disclosure powers
105. Protection from liability for disclosure
Part 7 -- Privacy and Information Commissioner
Division 1 -- Office of Privacy and Information Commissioner
106. Privacy and Information Commissioner
107. Appointment of Commissioner
108. Remuneration
109. Leave and other conditions of service
110. Resignation of Commissioner
111. Removal and suspension from office
112. Deputy Privacy and Information Commissioner
113. Deputy Commissioner may act as Commissioner
114. Acting Commissioner
115. Oath or affirmation of office -- Commissioner, Deputy Commissioner and Acting Commissioner
116. Staff of Commissioner
117. Oath or affirmation of office -- members of staff
118. Rights of officers preserved
119. Offices of Commissioner and Parliamentary Commissioner can be held concurrently
Division 2 -- Functions and powers of Commissioner
120. Functions of Commissioner
121. General powers of Commissioner
122. Powers relating to audit or review
123. Commissioner to report on audit or review
124. Delegation
Division 3 -- Reports to Parliament
125. Annual report under Financial Management Act 2006 to include certain information
126. Special reports
Part 8 -- Miscellaneous
127. Deceased individuals
128. Capacity of authorised representative to give consent
129. Protection from legal action -- access to health records
130. Restrictions under other laws not applicable
131. Confidentiality of information
132. Protection from liability for wrongdoing
133. Failure to provide information or document or to appear
134. Regulations
135. Review of Act
Part 9 -- Amendment of other written laws
Division 1 -- Freedom of Information Act 1992
136. The Act amended
137. Part 4 Division 1 repealed
138. Heading to Part 4 Division 2 amended
139. Section 63 amended
140. Section 64 repealed
141. Heading to Part 4 Division 4 amended
142. Section 79 repealed
143. Section 80 repealed
144. Section 82 repealed
145. Section 111 amended
146. Schedule 2 amended
147. Glossary amended
Division 2 -- Parliamentary Commissioner Act 1971
148. The Act amended
149. Section 4 amended
150. Section 5 amended
151. Section 7 amended
152. Section 12A inserted
12A. Offices of Commissioner and Privacy and Information Commissioner can be held concurrently
153. Section 22B amended
154. Section 31 amended
155. Schedule 1 amended
Division 3 -- Other Acts amended
156. Constitution Acts Amendment Act 1899
157. Financial Management Act 2006
158. State Records Act 2000
Division 4 -- Amendment of subsidiary legislation
159. Power to amend subsidiary legislation
Part 10 -- Transitional provisions
160. Terms used in this Part
161. Continuation of office
162. Staff of former Commissioner
163. References to former Commissioner
Schedule 1 -- Public organisations
Schedule 2 -- Exempt organisations
Schedule 3 -- Information privacy principles
1. Collection
2. Use and disclosure
3. Data quality
4. Data security
5. Openness
6. Identifiers
7. Anonymity
8. Transborder data flows
Schedule 4 -- Health privacy principles
1. Collection
2. Use and disclosure
3. Data quality
4. Data security and data retention
5. Openness
6. Identifiers
7. Anonymity
8. Transborder data flows
9. Transfer or closure of the practice of a health service provider
10. Making health information available to other health service providers
Schedule 5 -- Concurrent appointment as Commissioner and Parliamentary Commissioner
1. Term of office
2. Remuneration and other conditions of service
3. Rights preserved
4. Resignation from office
5. Removal or suspension from office
6. Application of clauses 7 to 10
7. Deputy Commissioners and Acting Commissioners
8. Functions of staff
9. Delegation
10. Confidentiality provisions
Defined Terms
Western Australia
LEGISLATIVE ASSEMBLY
Information Privacy Bill 2007
A Bill for
An Act to --
· provide for the privacy of personal information and health
information held by certain persons and bodies; and
· provide for access to, and amendment of, health records held by
certain persons and bodies; and
· authorise the disclosure in certain circumstances of personal
information or health information held by government agencies;
and
· establish the office of Privacy and Information Commissioner;
and
· amend the Freedom of Information Act 1992, the Parliamentary
Commissioner Act 1971 and other Acts as a consequence of the
enactment of this Act,
and for related purposes.
The Parliament of Western Australia enacts as follows:
Part 1 -- Preliminary
1. Short title
This is the Information Privacy Act 2007.
2. Commencement
This Act comes into operation as follows:
(a) sections 1 and 2 -- on the day on which this Act
receives the Royal Assent;
(b) the rest of the Act -- on a day fixed by proclamation,
and different days may be fixed for different provisions.
3. Objects of Act
The main objects of this Act are --
(a) to promote and protect the privacy of personal
information through the establishment of principles to
be observed by persons and bodies in the public sector
when collecting, holding, using or disclosing such
information; and
(b) to promote and protect the privacy of health information
through the establishment of principles to be observed
by persons and bodies in the public sector and the
private sector when collecting, holding, using or
disclosing such information; and
(c) to facilitate the sharing, in appropriate circumstances, of
personal information or health information held by
persons and bodies in the public sector.
4. Terms used in this Act
(1) In this Act, unless the contrary intention appears --
"access applicant" means the individual by whom or on whose
behalf an access application has been made;
"access application" means an application made under
section 23(1);
"Acting Commissioner" means a person appointed to act in the
office of Commissioner under section 114;
"amendment applicant" means the individual by whom or on
whose behalf an amendment application has been made;
"amendment application" means an application made under
section 43(1);
"applicable code of practice", in relation to an organisation,
means an approved code of practice by which the
organisation is bound;
"approved code of practice" means a code of practice
approved under section 62 as in force from time to time;
"authorised representative" means --
(a) in relation to an individual other than a deceased
individual, a person who --
(i) is a guardian of the individual appointed
under law; or
(ii) has parental responsibility for the individual;
or
(iii) is otherwise empowered under law to perform
any functions or duties as an agent of or in the
best interests of the individual;
and
(b) in relation to a deceased individual, a person who
immediately before the individual's death was a
person to whom paragraph (a)(i), (ii) or (iii) applied;
"child" means a person who is under 18 years of age;
"child protection agency" means --
(a) the department of the Public Service principally
assisting the Minister administering the Children and
Community Services Act 2004 in its administration;
or
(b) a person, body or office prescribed for the purposes
of this definition;
"child protection functions" means functions under an
enactment prescribed for the purposes of this definition;
"Commissioner" means the person holding the office of
Privacy and Information Commissioner established by
section 106;
"complaint" means a complaint referred to in section 69;
"contractor" means --
(a) a person or body (other than a person or body
referred to in Schedule 1) to the extent that the person
or body handles personal information under a
contract --
(i) between the person or body and a person,
body or office referred to in Schedule 1; and
(ii) entered into after the commencement of
Part 2;
or
(b) a subcontractor to a person or body to whom or
which paragraph (a) applies to the extent that the
subcontractor handles personal information referred
to in that paragraph;
"contravene" includes to fail to comply with;
"Corruption and Crime Commission" means the Corruption
and Crime Commission established under the Corruption
and Crime Commission Act 2003;
"court" includes a tribunal;
"Deputy Commissioner" means a person holding the office of
Deputy Privacy and Information Commissioner established
by section 112;
"disability" has the meaning given in the Disability Services
Act 1993 section 3;
"document" means --
(a) any record; or
(b) any part of a record; or
(c) any copy, reproduction or duplicate of a record; or
(d) any part of a copy, reproduction or duplicate of a
record;
"exempt organisation" means a person, body or office referred
to in Schedule 2 and includes staff under the control of the
person, body or office;
"FOI Act" means the Freedom of Information Act 1992;
"handle", in relation to personal information or health
information, means to collect, hold, use or disclose;
"health information" has the meaning given in section 5;
"health privacy principle" or "HPP" means a health privacy
principle set out in Schedule 4;
"health record" means a document that contains health
information;
"health service" means --
(a) an activity performed in relation to an individual that
is intended or claimed (expressly or otherwise) by the
organisation performing it --
(i) to assess, maintain or improve the individual's
health; or
(ii) to diagnose the individual's illness, injury or
disability; or
(iii) to treat the individual's illness, injury or
disability or suspected illness, injury or
disability;
or
(b) a disability service, palliative care service or aged
care service; or
(c) the dispensing on prescription of a drug or medicinal
preparation by a pharmacist,
but does not include a health service, or a class of health
service, that is prescribed as an exempt health service or to
the extent that it is prescribed as an exempt health service;
"health service provider" means an organisation that provides
a health service in Western Australia to the extent that it
provides a health service, but does not include a health
service provider, or a class of health service provider, that
is prescribed as an exempt health service provider or to the
extent that it is prescribed as an exempt health service
provider;
"identifier" means an identifier (usually a number) assigned by
an organisation to an individual uniquely to identify the
individual for the purposes of the operations of the
organisation but does not include an identifier that consists
only of the individual's name;
"illness" means a physical, mental or psychological illness and
includes a suspected illness;
"information privacy principle" or "IPP" means an
information privacy principle set out in Schedule 3;
"judicial office" includes an office as a member of a tribunal;
"law enforcement agency" means --
(a) the Australian Crime Commission established by the
Australian Crime Commission Act 2002
(Commonwealth); or
(b) the board established under the Criminal Law
(Mentally Impaired Accused) Act 1996 section 41; or
(c) the board established under the Sentence
Administration Act 2003 section 102; or
(d) the board established under the Young Offenders
Act 1994 section 151; or
(e) the Commissioner for Public Sector Standards
appointed under the Public Sector Management
Act 1994; or
(f) the Commissioner for State Revenue; or
(g) the Corruption and Crime Commission; or
(h) the department of the Public Service principally
assisting the Minister administering the Police
Act 1892 in its administration; or
(i) the department of the Public Service principally
assisting the Minister administering the Sentence
Administration Act 2003 Part 8 in its administration;
or
(j) the Director of Public Prosecutions appointed under
the Director of Public Prosecutions Act 1991; or
(k) the Police Force of Western Australia, the Australian
Federal Police or the police force of another State or
a Territory; or
(l) a person, body or office prescribed by the regulations
for the purposes of this definition,
and, in relation to a health privacy principle, includes the
Office of Health Review established under the Health
Services (Conciliation and Review) Act 1995 and a
registration board;
"law enforcement functions" means functions that relate to
one or more of the following --
(a) the prevention, detection, investigation, prosecution
or punishment of criminal offences or breaches of a
law imposing a penalty or sanction;
(b) the enforcement of laws relating to the confiscation
of the proceeds of crime;
(c) the protection of public revenue;
(d) the prevention, detection, investigation or remedying
of seriously improper conduct;
(e) the preparation for, or conduct of, proceedings before
a court or implementation of the orders of a court;
"legal representative", in relation to a deceased individual,
means a person who is an executor or administrator of the
deceased individual's estate;
"licensing agency" means a person, body or office prescribed
for the purposes of this definition;
"licensing functions" means functions that relate to --
(a) the grant, suspension or cancellation of licences,
registrations, permits or other authorisations
(however described); or
(b) the administration of a licensing scheme, registration
scheme or similar scheme;
"member of staff" means --
(a) a person appointed under section 116(1); or
(b) a person whose services are used under
section 116(4);
"mental disability" has the meaning given in the Guardianship
and Administration Act 1990 section 3(1);
"organisation" means a public organisation or a private
organisation;
"Parliamentary Commissioner" means the Parliamentary
Commissioner for Administrative Investigations appointed
under the Parliamentary Commissioner Act 1971;
"parliamentary secretary" means --
(a) the parliamentary secretary of the Cabinet; or
(b) a parliamentary secretary holding office under the
Constitution Acts Amendment Act 1899 section 44A;
"personal information" has the meaning given in section 6;
"private organisation" means --
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) a trust; or
(e) an unincorporated association or body,
that is not a public organisation, an exempt organisation or
a small business operator (within the meaning given in the
Privacy Act 1988 (Commonwealth) section 6D);
"public health agency" means --
(a) the department of the Public Service principally
assisting the Minister administering the Health
Act 1911 in its administration; or
(b) a board as defined in the Hospitals and Health
Services Act 1927 section 2; or
(c) a person, body or office prescribed by the regulations
for the purposes of this definition;
"public organisation" means --
(a) a person, body or office referred to in Schedule 1; or
(b) a contractor,
but does not include an exempt organisation;
"public service officer" has the meaning given in the Public
Sector Management Act 1994 section 3(1);
"record" means any record of information however recorded
and includes the following --
(a) any paper or other material, including affixed papers
on which there is writing;
(b) any map, plan, diagram or graph;
(c) any drawing, pictorial or graphic work, or
photograph;
(d) any paper or other material on which there are marks,
figures, symbols or perforations having a meaning for
persons qualified to interpret them;
(e) any article or material from which sounds, images or
writing can be reproduced whether or not with the aid
of some other article or device;
(f) any article on which information has been stored or
recorded, either mechanically, magnetically or
electronically;
"registration board" means a body that is listed in the Health
Services (Conciliation and Review) Act 1995 Schedule 1;
"relative" of an individual means --
(a) the individual's spouse or de facto partner; or
(b) a parent, step-parent or grandparent of the individual;
or
(c) a child, step-child or grandchild of the individual; or
(d) a brother, sister, step-brother or step-sister of the
individual;
"remuneration" has the meaning given in the Salaries and
Allowances Act 1975 section 4(1);
"wellbeing" has the meaning given in the Children and
Community Services Act 2004 section 3.
(2) A reference in this Act to an IPP followed by a designation is a
reference to the provision with that designation in Schedule 3.
(3) A reference in this Act to an HPP followed by a designation is a
reference to the provision with that designation in Schedule 4.
(4) A reference in this Act to the Commissioner's functions
includes a reference to functions given to the Commissioner
under the FOI Act.
5. Meaning of "health information"
(1) Health information is --
(a) information or an opinion about --
(i) the physical, mental or psychological health (at
any time) of an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual's expressed wishes about the future
provision of health services to him or her; or
(iv) a health service provided, or to be provided, to
an individual,
that is also personal information; or
(b) other personal information collected to provide, or in
providing, a health service; or
(c) other personal information about an individual collected
in connection with the donation, or intended donation,
by the individual of his or her body tissue; or
(d) other personal information, including genetic
information, about an individual in a form which is, or
could be, predictive of the health of the individual or
any other individual.
(2) In subsection (1)(c) --
"body tissue" includes an organ or part of the human body or a
substance extracted from, or from a part of, the human
body.
(3) Health information does not include information, or a class of
information, that is prescribed as exempt health information.
6. Meaning of "personal information"
(1) Personal information is information or an opinion, whether true
or not, and whether recorded in a material form or not, about an
individual, whether living or dead --
(a) whose identity is apparent or can reasonably be
ascertained from the information or opinion; or
(b) who can be identified by reference to an identifier or an
identifying particular such as a fingerprint, retina print
or body sample.
(2) Personal information does not include --
(a) information about an individual who has been dead for
more than 30 years; or
(b) information about an individual who --
(i) is included in a witness protection program as
defined in the Witness Protection (Western
Australia) Act 1996 section 3(1); or
(ii) is the subject of witness protection arrangements
made under another written law;
or
(c) information about an individual arising out of a Royal
Commission established under the Royal Commissions
Act 1968; or
(d) information about an individual that is contained in an
appropriate disclosure of public interest information
made under the Public Interest Disclosure Act 2003; or
(e) information about an individual that is contained in a
document containing matter that is exempt matter under
the FOI Act Schedule 1 clause 1; or
(f) information about an individual that is of a class, or is
contained in a document of a class, prescribed for the
purposes of this subsection.
7. When information is held
(1) In this section --
"entity" means a public organisation, a private organisation or
an exempt organisation;
"officer" of an entity includes --
(a) the principal officer of the entity; and
(b) a director of the entity; and
(c) a member of the entity; and
(d) a person employed in, by, or for the purposes of, the
entity.
(2) For the purposes of this Act, an entity holds personal
information or health information if the information is contained
in a document that is in the possession or under the control of
the entity, whether alone or jointly with other persons or bodies,
including a document to which the entity is entitled to access
and a document in the possession or under the control of an
officer of the entity in his or her capacity as such an officer.
(3) For the purposes of this Act, an entity holds a health record if
the health record is in the possession or under the control of the
entity, whether alone or jointly with other persons or bodies,
including a health record to which the entity is entitled to access
and a health record in the possession or under the control of an
officer of the entity in his or her capacity as such an officer.
8. Related public organisations
A person is not to be regarded as a separate public organisation
by reason of --
(a) holding office as a member or other officer of a public
organisation; or
(b) holding an office established for the purposes of a public
organisation.
9. Application to courts, registries and judicial officers
(1) Nothing in this Act applies to the handling of personal
information or health information by a court unless the
information relates to matters of an administrative nature.
(2) For the purposes of this Act a registry or other office of a court
and the staff of such a registry or other office are part of the
court.
(3) A person holding a judicial office or other office pertaining to a
court, being an office established by the written law establishing
the court, is not a public organisation and is not included in a
public organisation.
10. Publicly available information
Nothing in this Act applies to personal information or health
information contained in a document that is --
(a) available for purchase by the public or free distribution
to the public; or
(b) available for inspection (whether for a fee or charge or
not) under a written law; or
(c) a State archive to which a person has a right to be given
access under the State Records Act 2000 Part 6 despite
the FOI Act; or
(d) publicly available library material held by public
organisations for reference purposes; or
(e) made or acquired by an art gallery, museum or library
and preserved for public reference or exhibition
purposes.
11. Application of certain privacy principles to law enforcement
agencies and child protection agencies
(1) A law enforcement agency does not have to comply with IPP 1,
IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it
believes on reasonable grounds that the non-compliance is
necessary for the purposes of one or more of its, or any other
law enforcement agency's, law enforcement functions.
(2) A child protection agency does not have to comply with IPP 1,
IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it
believes on reasonable grounds that the non-compliance is
necessary --
(a) for the purposes of one or more of its, or any other child
protection agency's, child protection functions; or
(b) in connection with the conduct of proceedings
commenced, or about to be commenced, in any court.
12. Relationship to FOI Act and State Records Act 2000
Nothing in this Act affects the operation of the FOI Act or the
State Records Act 2000.
13. Nature of rights created by this Act
Except to the extent expressly provided by this Act --
(a) nothing in this Act or an approved code of practice gives
rise to a cause of action or creates an enforceable right;
and
(b) a contravention of this Act or an approved code of
practice does not give rise to an offence.
14. Act binds Crown
This Act binds the Crown in right of the State and, so far as the
legislative power of the State permits, the Crown in its other
capacities.
Part 2 -- Personal information privacy
15. Information privacy principles
(1) The information privacy principles are set out in Schedule 3.
(2) If there is an inconsistency between an IPP and an approved
code of practice, the code of practice prevails to the extent of
the inconsistency.
(3) If there is an inconsistency between an IPP and another
enactment, the other enactment prevails to the extent of the
inconsistency.
16. Application of information privacy principles
(1) The information privacy principles apply to a public
organisation unless this Act or another enactment expressly
provides otherwise.
(2) The application of an IPP to a public organisation may be
modified by an approved code of practice.
(3) The information privacy principles do not apply to personal
information that is also health information.
(4) IPP 1 and IPP 3 (so far as it relates to the collection of personal
information) apply only in relation to the collection of personal
information on or after the commencement of this section.
(5) IPP 2, IPP 3 (so far as it relates to personal information used or
disclosed), IPP 4, IPP 5, IPP 6 and IPP 8 apply in relation to
personal information held by a public organisation regardless of
whether the organisation holds the information as a result of
collection occurring before, on or after the commencement of
this section.
17. Public organisations to comply with information privacy
principles
A public organisation must not do any thing, or engage in any
practice, that contravenes an IPP that applies to the public
organisation.
Part 3 -- Health information privacy
Division 1 -- Health privacy principles
18. Health privacy principles
(1) The health privacy principles are set out in Schedule 4.
(2) If there is an inconsistency between an HPP and an approved
code of practice, the code of practice prevails to the extent of
the inconsistency.
(3) If there is an inconsistency between an HPP and another
enactment, the other enactment prevails to the extent of the
inconsistency.
19. Application of health privacy principles
(1) The health privacy principles apply to an organisation that is a
health service provider or collects, holds or uses health
information unless this Act or another enactment expressly
provides otherwise.
(2) The application of an HPP to an organisation may be modified
by an approved code of practice.
(3) HPP 1 and HPP 3 (so far as it relates to the collection of health
information) apply only in relation to the collection of health
information on or after the commencement of this section.
(4) HPP 2, HPP 3 (so far as it relates to health information used or
disclosed), HPP 4, HPP 5, HPP 6, HPP 8, HPP 9 and HPP 10
apply in relation to health information held by an organisation
regardless of whether the organisation holds the information as
a result of collection occurring before, on or after the
commencement of this section.
20. Organisations to comply with health privacy principles
(1) In this section --
"transitional period" means --
(a) the period that ends on the second anniversary of the
commencement of this section; or
(b) any extension of that period under subsection (4) in
relation to a specified contract.
(2) An organisation must not do any thing, or engage in any
practice, that contravenes an HPP that applies to the
organisation.
(3) Subsection (2) does not apply to the doing of any thing, or the
engaging in of any practice, by an organisation that, but for this
subsection, would constitute a contravention of HPP 1 or
HPP 2, if --
(a) doing the thing or engaging in the practice is necessary
for the performance of a contract to which the
organisation is a party that was entered into by the
organisation before the commencement of this section;
and
(b) the thing is done or the practice is engaged in before the
end of the transitional period.
(4) On the application of an organisation before the expiry of the
transitional period, the Commissioner may extend that period in
relation to a specified contract if he or she is satisfied that the
organisation is doing its best --
(a) to comply with HPP 1 or HPP 2 consistent with its
obligations under the contract; and
(b) to seek to have the contract renegotiated to enable the
organisation to comply fully with HPP 1 or HPP 2.
Division 2 -- Access to health records
Subdivision 1 -- Preliminary
21. Application of Division
(1) This Division does not apply to a health record held by an
organisation if the organisation is an agency for the purposes of
the FOI Act.
(2) This Division applies to a health record held by an organisation
regardless of whether the health record contains health
information collected before or after the commencement of this
Division.
Subdivision 2 -- Right of access and access applications
22. Right of access
(1) Subject to and in accordance with this Division, an individual
has a right to be given access to a health record relating to the
individual that is held by an organisation.
(2) Subject to this Division, an individual's right to be given access
is not affected by --
(a) any reasons the individual has for wishing to obtain
access; or
(b) an organisation's belief as to what are the individual's
reasons for wishing to obtain access.
23. Access application
(1) An individual who wishes to obtain access to a health record
relating to the individual that is held by an organisation may
make an application to the organisation.
(2) If the circumstances of the individual require it, the organisation
must take reasonable steps to help the individual make an access
application in a manner that complies with this Division.
(3) In particular, if an access application does not comply with the
requirements of section 24 the organisation must take
reasonable steps under subsection (2) to help the individual to
change the application so that it complies with those
requirements.
24. How access application is made
(1) An access application must --
(a) be in writing; and
(b) give enough information to enable the health record to
be identified; and
(c) give an address in Australia to which notices under this
Division can be sent; and
(d) give any other information or details required under the
regulations; and
(e) be accompanied by any application fee payable under
the regulations.
(2) An access application may request that access to the health
record be given in a particular way described in section 38.
25. Withdrawal of access application
An access applicant may withdraw an access application by
giving a written notice to that effect to the organisation.
Subdivision 3 -- Procedure for dealing with access applications
26. Decisions as to access and charges
(1) In this section --
"permitted period" means the period of 45 days after the
relevant access application is received or such other period
as is agreed between the organisation and the access
applicant or allowed by the Commissioner under
subsection (4) or (5).
(2) Subject to this Subdivision, an organisation must deal with an
access application as soon as is practicable (and, in any event,
before the end of the permitted period) by --
(a) considering the application and deciding --
(i) whether to give or refuse access to the requested
health record; and
(ii) any charge payable for dealing with the
application;
and
(b) giving the access applicant written notice of the decision
in accordance with section 40.
(3) If an access applicant does not receive notice under
subsection (2)(b) within the permitted period the organisation is
taken to have refused, at the end of that period, to give access to
the health record and the access applicant is taken to have
received written notice of that refusal on the day on which that
period ended.
(4) On the application of an access applicant, the Commissioner
may reduce the time allowed to an organisation to comply with
subsection (2).
(5) On the application of an organisation, the Commissioner, on
being satisfied that the organisation has attempted to comply
with subsection (2) within 45 days but that it is impracticable, in
the circumstances, for it to comply within that time, may allow
the organisation an extension of time to comply on such
conditions as the Commissioner thinks fit.
(6) If an extension of time is allowed under subsection (5) the
organisation must give written notice of the extension to the
access applicant as soon as is practicable.
27. Organisation may request consultation or further
information
(1) In order to deal with an access application the organisation may
in a written notice given to the access applicant request the
applicant to consult with, or provide further information to, the
organisation about the application.
(2) A notice under subsection (1) must --
(a) give details of the access application; and
(b) state that the notice is given under this section; and
(c) state the name and designation of the officer of the
organisation who must be consulted or informed.
(3) An organisation is not allowed under subsection (1) --
(a) to request the access applicant to provide information as
to the access applicant's reasons for wishing to obtain
access to the requested health record; or
(b) to inquire as to those reasons in the course of
consultation.
28. Ambit of access application may be reduced by agreement
If it is apparent from the terms of an access application that the
access applicant seeks information of a certain kind contained in
a health record held by the organisation, the organisation may,
with the agreement of the access applicant, deal with the access
application as if it were an application relating only to that part
of the health record that contains information of that kind.
29. Charges for access to health records
(1) Any charge that is required to be paid by an access applicant
before access to a health record is given, must be calculated by
an organisation in accordance with the following principles or,
where those principles require, must be waived --
(a) a charge may be made for the time taken to search for
the health record to which access is requested but any
such charge --
(i) must be fixed on an hourly rate basis; and
(ii) must not cover additional time, if any, spent by
the organisation in searching for a health record
that was lost or misplaced;
(b) a charge may be made for the reasonable costs incurred
by an organisation in --
(i) supervising the inspection of a health record; or
(ii) giving a copy of a health record; or
(iii) giving a summary or explanation of the
information contained in a health record;
(c) a charge must be waived or be reduced if the access
applicant is impecunious;
(d) a charge must not exceed such amount as may be
prescribed from time to time.
(2) Subject to section 31, an organisation must not require payment
of a charge before it notifies the access applicant of its decision
to give access to a health record.
30. Estimate of charges
(1) When making an access application the access applicant may
request an estimate of the charges that might be payable for
dealing with the application.
(2) If a request is made under subsection (1) the organisation must
notify the access applicant of its estimate, and the basis on
which its estimate is made, as soon as is practicable.
(3) If the organisation estimates that the charges for dealing with
the access application might exceed the prescribed amount then,
whether or not a request has been made under subsection (1),
the organisation must give the access applicant a notice that --
(a) sets out its estimate, and the basis on which its estimate
is made; and
(b) asks whether the access applicant wishes to proceed
with the application; and
(c) gives details of the effect of section 32(1)(b).
(4) Unless a greater amount is prescribed by regulation, $60 is the
"prescribed amount" for the purposes of subsection (3).
31. Advance deposits
(1) An organisation may, in a notice given to an access applicant
under section 30(3), require the applicant to pay a deposit of a
prescribed amount or at a prescribed rate on account of the
charges for dealing with the access application.
(2) If payment of a deposit is required, the organisation must, at the
request of the access applicant, discuss with the applicant
practicable alternatives for changing the access application or
reducing the anticipated charges, including reduction of the
charges if the applicant waives, either conditionally or
unconditionally, the need for compliance by the organisation
with the time limit imposed by section 26(2).
(3) If payment of a deposit is required, the notice referred to in
subsection (2) must also give details of --
(a) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights; and
(b) the effect of section 32(2)(b).
32. Failure of access applicant to notify intention or pay deposit
(1) If an organisation has given an access applicant a notice under
section 30(3) --
(a) the period commencing on the day on which the notice
was given, and ending on the day on which the
organisation is notified that the applicant intends to
proceed with the access application, is to be disregarded
for the purposes of section 26(1); and
(b) if intention to proceed is not notified within 30 days (or
such further time as the organisation allows) after the
day on which the notice was given, the applicant is to be
taken to have withdrawn the access application.
(2) If the notice referred to in subsection (1) requires the access
applicant to pay a deposit --
(a) the period commencing on the day on which the notice
was given, and ending on the day on which the deposit
is paid, is to be disregarded for the purposes of
section 26(1); and
(b) if the deposit is not paid within 30 days (or such further
time as the organisation allows) after the day on which
the notice was given, the applicant is to be taken to have
withdrawn the access application.
(3) Any period during which the requirement to pay a deposit is the
subject of proceedings under Part 5 is to be disregarded for the
purposes of subsection (2)(b).
33. Organisation may refuse to deal with an application in
certain cases
(1) If an organisation considers that the work involved in dealing
with the access application would divert a substantial and
unreasonable portion of the organisation's resources away from
its other operations, the organisation must take reasonable steps
to help the access applicant to change the application to reduce
the amount of work needed to deal with it.
(2) If after help has been given to change the access application the
organisation still considers that the work involved in dealing
with the application would divert a substantial and unreasonable
portion of the organisation's resources away from its other
operations, the organisation may refuse to deal with the
application.
(3) An organisation may refuse to deal with an access application if
the application is substantially in the same terms as one already
made by the access applicant to the organisation.
(4) If, under subsection (2) or (3), an organisation refuses to deal
with an access application, it must give the access applicant
written notice of the refusal without delay.
(5) The notice must give details of --
(a) the reasons for the refusal and the findings on any
material questions of fact underlying those reasons,
referring to the material on which those findings are
based; and
(b) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
34. Giving access
If an organisation decides to give access to a health record and
the charges imposed for dealing with the access application
have been paid, the organisation must give the access applicant
access to the health record.
35. Refusal of access
Subject to section 36, an organisation may refuse access to a
health record on one or more of the following grounds --
(a) giving access would pose a serious threat to the life,
health, safety or welfare of any individual;
(b) giving access would have an unreasonable impact on the
privacy of any other individual;
(c) the health record --
(i) relates to existing or anticipated legal
proceedings between the organisation (or a
person insured by the organisation) and the
access applicant, and the health record would not
be accessible by the process of discovery in those
proceedings; or
(ii) is otherwise subject to legal professional
privilege;
(d) giving access would reveal the intentions of the
organisation in relation to negotiations, other than about
the provision of a health service, with the access
applicant in such a way as to expose the organisation
unreasonably to disadvantage;
(e) giving access would be unlawful;
(f) refusal of access is required or authorised by or under
law;
(g) giving access would be likely to prejudice an
investigation of possible unlawful activity;
(h) giving access would be likely to prejudice a function
performed by or on behalf of a law enforcement agency.
36. Access to edited copy of health record
(1) If an access application requests access to a health record and --
(a) one or more of the grounds referred to in section 35
apply to particular matter contained in the health record;
and
(b) it is practicable for the organisation to edit a copy of the
health record so as to delete that matter; and
(c) the organisation considers (either from the terms of the
application or after consultation with the access
applicant) that the applicant would wish to be given
access to an edited copy,
the organisation must make and give access to an edited copy.
(2) If an access application requests access to a health record and --
(a) the health record contains matter that may reasonably be
regarded as being outside the ambit of the application;
and
(b) it is practicable for the organisation to edit a copy of the
health record so as to delete that matter; and
(c) the organisation considers (either from the terms of the
application or after consultation with the access
applicant) that the applicant would wish to be given
access to an edited copy,
the organisation may make and give access to an edited copy.
37. Health records that cannot be found or do not exist
(1) An organisation may advise an access applicant, by written
notice, that it is not possible to give access to a health record
if --
(a) all reasonable steps have been taken to find the health
record; and
(b) the organisation is satisfied that the health record --
(i) is in the organisation's possession but cannot be
found; or
(ii) does not exist.
(2) For the purposes of this Act the sending of a notice under
subsection (1) in relation to a health record is to be regarded as a
decision to refuse access to the health record.
38. Ways in which access can be given
(1) Subject to subsection (3), access to a health record may be given
to an access applicant in one or more of the following ways --
(a) by giving a reasonable opportunity to inspect the health
record;
(b) by giving a copy of the health record;
(c) by giving a summary of the health information
contained in the health record;
(d) by giving an explanation of the health information
contained in the health record.
(2) If an access applicant has requested that access to a health
record be given in a particular way described in subsection (1)
and access is given in some other way, the applicant is not
required to pay a charge in respect of the giving of access that is
greater than the charge that the applicant would have been
required to pay if access had been given in the way that was
requested.
(3) If a health record contains only health information collected
before the commencement of this Division, access to the health
record may be given to an access applicant by giving a summary
of that information.
(4) This section does not prevent an organisation from giving
access to a health record in any way agreed on between the
organisation and an access applicant.
39. Information detrimental to health of access applicant
If a health record to which an organisation has decided to give
access contains information that, in the opinion of the
organisation, may have a substantial adverse effect on the
physical, mental or psychological health of the access
applicant --
(a) it is sufficient compliance with this Division if access to
the health record is given to a suitably qualified person
nominated in writing by the access applicant; and
(b) the organisation may withhold access until a person who
is, in the opinion of the organisation, suitably qualified
is nominated.
40. Notice of decision
The notice that an organisation gives an access applicant under
section 26(2)(b) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) if the decision is that access is to be given to an edited
copy of a health record under section 36(1) or (2) --
(i) the fact that access is to be given to an edited
copy; and
(ii) the grounds on which matter has been deleted;
and
(d) if the decision is to give access to a health record in a
way other than the way requested by the access
applicant -- the reasons for giving access that other
way; and
(e) if the decision is to give access to a health record in the
manner referred to in section 39 -- the arrangements to
be made for giving access to the record; and
(f) if the decision is to refuse access to a health record --
the grounds for the refusal and the findings on any
material questions of fact underlying those grounds,
referring to the material on which those findings were
based; and
(g) if the decision is that the access applicant is to pay a
charge to the organisation -- the amount of the charge
and the basis on which the amount was calculated; and
(h) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
41. Applications may be regarded as having been withdrawn in
certain circumstances
(1) An organisation may in a written notice given to an access
applicant (a "compliance notice") advise the applicant that the
applicant may be regarded by the organisation as having
withdrawn the access application if the applicant does not --
(a) comply with a request of the organisation contained in a
notice under section 27(1), to consult with, or provide
further information to, the organisation about the access
application; or
(b) nominate a suitably qualified person under section 39; or
(c) obtain access to the requested health record,
within the period of 30 days after the day on which the
compliance notice was given to the applicant.
(2) Subsection (1)(c) applies if the access applicant has been given
notice under section 26(2)(b) of the organisation's decision to
give access to the requested health record.
(3) A compliance notice must --
(a) give details of the access application; and
(b) state that the notice is given under this section and that
failure to comply with it may result in the applicant
being regarded as having withdrawn the access
application; and
(c) in the case of a notice under subsection (1)(a), give
details of the notice under section 27(1) that it refers to;
and
(d) in the case of a notice under subsection (1)(b), state the
name and designation of the officer of the organisation
who must be consulted or informed; and
(e) in the case of a notice under subsection (1)(c), state the
name and designation of the officer of the organisation
from whom access to the health record is to be obtained.
(4) An organisation may regard an access applicant as having
withdrawn the access application if, within the period of 30 days
after the day on which the organisation gave the applicant a
compliance notice, the applicant does not --
(a) in the case of a notice under subsection (1)(a), comply
with the request referred to in the notice; or
(b) in the case of a notice under subsection (1)(b), nominate
a suitably qualified person under section 39; or
(c) in the case of a notice under subsection (1)(c), obtain
access to the requested health record.
(5) If an organisation decides to regard an access applicant as
having withdrawn the access application, the organisation must
give the applicant a written notice of that decision.
(6) The notice under subsection (5) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) the reasons for deciding to regard the access applicant as
having withdrawn the access application; and
(d) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
Division 3 -- Amendment of health records
Subdivision 1 -- Preliminary
42. Application of Division
(1) This Division does not apply to a health record held by an
organisation if the organisation is an agency for the purposes of
the FOI Act.
(2) This Division applies to a health record held by an organisation
regardless of whether the health record contains health
information collected before or after the commencement of this
Division.
Subdivision 2 -- Right to apply for amendment and
amendment applications
43. Right to apply for health record to be amended
(1) An individual has a right to apply to an organisation for
amendment of a health record relating to the individual that is
held by the organisation if the health record is inaccurate,
incomplete, out of date or misleading.
(2) If the circumstances of the individual require it, the organisation
must take reasonable steps to help the individual make an
amendment application in a manner that complies with this
Division.
(3) In particular, if an amendment application does not comply with
the requirements of section 44 the organisation must take
reasonable steps under subsection (2) to help the individual to
change the application so that it complies with those
requirements.
44. How amendment application is made
(1) An amendment application must --
(a) be in writing; and
(b) give enough information to enable the health record to
be identified; and
(c) give details of the matters in relation to which the
amendment applicant believes the health record is
inaccurate, incomplete, out of date or misleading; and
(d) give the amendment applicant's reasons for holding that
belief; and
(e) give details of the amendment that the amendment
applicant wishes to have made; and
(f) give an address in Australia to which notices under this
Division can be sent; and
(g) give any other information or details required under the
regulations.
(2) For the purposes of subsection (1)(e) the amendment application
must state whether the amendment applicant wishes the
amendment to be made by --
(a) altering information contained in the health record
(otherwise than by deletion); or
(b) inserting information into the health record; or
(c) inserting a note into the health record,
or in 2 or more of those ways.
Subdivision 3 -- Procedure for dealing with amendment applications
45. Decisions as to amendment
(1) In this section --
"permitted period" means the period of 30 days after the
relevant amendment application is received or such other
period as is agreed between the organisation and the
amendment applicant or allowed by the Commissioner
under subsection (4).
(2) Subject to this Subdivision, an organisation must deal with an
amendment application as soon as is practicable (and, in any
event, before the end of the permitted period) by --
(a) considering the application and deciding whether to
amend the health record; and
(b) giving the amendment applicant written notice of the
decision in accordance with section 46.
(3) If an amendment applicant does not receive notice under
subsection (2)(b) within the permitted period the organisation is
taken to have refused, at the end of that period, to amend the
health record and the amendment applicant is taken to have
received written notice of that refusal on the day on which that
period ended.
(4) On the application of an organisation, the Commissioner, on
being satisfied that the organisation has attempted to comply
with subsection (2) within 30 days but that it is impracticable, in
the circumstances, for it to comply within that time, may allow
the organisation an extension of time to comply on such
conditions as the Commissioner thinks fit.
(5) If an extension of time is allowed under subsection (4) the
organisation must give written notice of the extension to the
access applicant as soon as is practicable.
46. Notice of decision
The notice that an organisation gives an amendment applicant
under section 45(2)(b) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) if the decision is to amend the health record -- details of
the amendment made; and
(d) if the decision is to refuse to amend the health record --
(i) the reasons for the refusal and the findings on
any material questions of fact underlying those
reasons, referring to the material on which those
findings were based; and
(ii) the rights of the amendment applicant under
Part 5 and the procedure to be followed to
exercise those rights; and
(iii) the right to request that a notation or attachment
be made to the health record and the procedure to
be followed to exercise that right.
47. How organisation may amend health record
(1) If an organisation decides to amend a health record it may make
the amendment by --
(a) altering information contained in the health record
(otherwise than by deletion); or
(b) inserting information into the health record; or
(c) inserting a note into the health record,
or in 2 or more of those ways.
(2) If the organisation inserts a note into the health record the note
must --
(a) give details of the matters in relation to which the health
record is inaccurate, incomplete, out of date or
misleading; and
(b) if the health record is incomplete or out of date -- set
out whatever information is needed to complete it or
bring it up to date.
48. Request for notation or attachment disputing accuracy of
health record
(1) If an organisation decides not to amend a health record in
accordance with an amendment application, the amendment
applicant may, in writing, request the organisation to make a
notation or attachment to the health record --
(a) giving details of the matters in relation to which the
applicant claims the health record is inaccurate,
incomplete, out of date or misleading; and
(b) if the amendment applicant claims the health record is
incomplete or out of date -- setting out the information
that the applicant claims is needed to complete it or
bring it up to date.
(2) A request may be made under this section whether or not the
amendment applicant has made a complaint in respect of the
organisation's decision under Part 5.
(3) The organisation must comply with the request unless it
considers that the notation or attachment that the amendment
applicant has requested to be made to the health record is
defamatory or unnecessarily voluminous.
(4) If the organisation decides not to comply with the request it
must give the amendment applicant written notice of its decision
giving details of --
(a) the reasons for the decision and the findings on any
material questions of fact underlying those reasons,
referring to the material on which those findings were
based; and
(b) the rights of the amendment applicant under Part 5 and
the procedure to be followed to exercise those rights.
(5) This section does not prevent the organisation from making the
requested notation or attachment in an edited or abbreviated
form, but the making of an edited or abbreviated notation or
attachment does not constitute compliance with the request for
the purposes of subsection (4).
49. Other users of health record to be advised of requested
amendment
(1) If after a request is made under section 48 the organisation gives
the health record to another person (including another
organisation) the organisation must give that other person a
statement that a claim has been made under this Division that
the health record is inaccurate, incomplete, out of date or
misleading.
(2) If a notation or attachment has been made under section 48
particulars of the notation or attachment must be included in or
attached to the statement given under subsection (1).
50. Organisation may give reasons for not amending
information
This Division does not prevent the organisation from adding to
a notation or attachment made under section 48 the
organisation's reasons for deciding not to amend the health
record in accordance with the amendment application, or from
including those reasons in, or attaching them to, a statement
given under section 49(1).
51. No charge for application or request
No fee or other charge is payable in respect of an application or
request under this Division.
Division 4 -- General
52. Part not intended to limit access or amendment that is
otherwise lawful
Nothing in this Part is intended to prevent or discourage the
giving of access to health records, or the amendment of health
records, otherwise than under this Part if that can properly be
done or is permitted or required by law to be done.
53. Application on behalf of an individual
(1) In this section --
"application" means --
(a) an access application; or
(b) an amendment application; or
(c) a request referred to in HPP 9(2) or 10(1).
(2) If an individual is incapable of making an application, an
application may be made on his or her behalf by an authorised
representative of the individual.
(3) For the purposes of subsection (2), an individual is incapable of
making an application if he or she is incapable by reason of age,
illness, physical impairment or mental disability of --
(a) understanding the general nature and effect of making
the application; or
(b) making the application,
despite the provision of reasonable assistance by another person.
54. Personal, family or household affairs
Nothing in this Part or an HPP applies to --
(a) the handling of health information by an individual; or
(b) health information held by an individual,
only for the purposes of, or in connection with, his or her
personal, family or household affairs.
55. News media
(1) In this section --
"news activity" means --
(a) the gathering of news for the purposes of
dissemination to the public or any section of the
public; or
(b) the preparation or compiling of articles or
programmes of or concerning news, observations on
news or current affairs for the purposes of
dissemination to the public or any section of the
public; or
(c) the dissemination to the public or any section of the
public of any article or programme of or concerning
any news, observations on news or current affairs;
"news medium" means any organisation whose business, or
whose principal business, consists of a news activity.
(2) Nothing in the health privacy principles applies to the handling
of health information by a news medium in connection with its
news activities.
(3) Nothing in this Part or HPP 5(2) applies to health information
held by a news medium in connection with its news activities.
Part 4 -- Codes of practice
56. Terms used in this Part
In this Part, unless the contrary intention appears --
"code of practice" means an information privacy code of
practice or a health privacy code of practice;
"health privacy code of practice" means a code of practice
referred to in section 58;
"information privacy code of practice" means a code of
practice referred to in section 57;
"relevant Minister" means --
(a) in relation to an information privacy code of practice,
the Minister administering this Act; and
(b) in relation to a health privacy code of practice, the
Minister administering the Health Act 1911.
57. Information privacy code of practice
(1) An information privacy code of practice is a code of practice
that modifies the application or operation of any one or more of
the information privacy principles.
(2) An information privacy code of practice may apply in relation
to any one or more of the following --
(a) any specified personal information or class of personal
information;
(b) any specified activity or class of activity;
(c) any specified public organisation or class of public
organisation.
(3) An information privacy code of practice must specify --
(a) the public organisations that are bound (either wholly or
to a limited extent) by it; or
(b) a way of determining the public organisations that are so
bound.
(4) An information privacy code of practice can only apply to a
public organisation if the organisation has agreed to be bound
by the provisions of the code.
(5) An information privacy code of practice must not modify the
application or operation of an IPP in relation to a public
organisation unless --
(a) the organisation is not otherwise reasonably capable of
complying with the IPP; and
(b) the application or operation of the IPP is modified only
to the extent reasonably necessary to enable the
organisation to comply with the IPP.
(6) An information privacy code of practice may be expressed to
have effect for a period specified in the code.
58. Health privacy code of practice
(1) A health privacy code of practice is a code of practice that
modifies the application or operation of any one or more of the
health privacy principles.
(2) A health privacy code of practice may apply in relation to any
one or more of the following --
(a) any specified health information or class of health
information;
(b) any specified activity or class of activity;
(c) any specified organisation or class of organisation.
(3) A health privacy code of practice must specify --
(a) the organisations that are bound (either wholly or to a
limited extent) by it; or
(b) a way of determining the organisations that are so
bound.
(4) A health privacy code of practice can only apply to an
organisation if the organisation has agreed to be bound by the
provisions of the code.
(5) A health privacy code of practice must not modify the
application or operation of an HPP in relation to an organisation
unless --
(a) the organisation is not otherwise reasonably capable of
complying with the HPP; and
(b) the application or operation of the HPP is modified only
to the extent reasonably necessary to enable the
organisation to comply with the HPP.
(6) A health privacy code of practice may be expressed to have
effect for a period specified in the code.
59. Preparation of code of practice by organisation
(1) A public organisation may prepare an information privacy code
of practice and submit it to the Commissioner.
(2) An organisation may prepare a health privacy code of practice
and submit it to the Commissioner.
(3) In preparing a code of practice an organisation may --
(a) consult with any person or body it considers appropriate;
and
(b) seek comment from members of the public.
60. Preparation of code of practice by Commissioner
(1) The Commissioner may prepare a code of practice.
(2) In preparing a code of practice the Commissioner may --
(a) consult with any person or body the Commissioner
considers appropriate; and
(b) seek comment from members of the public.
61. Submission of code of practice to relevant Minister
(1) The Commissioner may submit to the relevant Minister for
approval a code of practice --
(a) submitted to the Commissioner under section 59; or
(b) prepared by the Commissioner under section 60.
(2) Before submitting a code of practice referred to in
subsection (1)(a) the Commissioner --
(a) may consult with any person or body the Commissioner
considers appropriate; and
(b) must have regard to the extent to which members of the
public have been given an opportunity to comment on
the code of practice.
62. Approval of code of practice
(1) The relevant Minister may, by notice published in the Gazette,
approve a code of practice submitted under section 61(1) or
refuse to approve it.
(2) The relevant Minister must not give approval unless he or she is
satisfied that the code of practice complies with the
requirements of section 57 or 58, as the case requires.
63. Publication and operation of approved code of practice
An approved code of practice --
(a) must be published in the Gazette; and
(b) comes into operation on the day on which it is so
published or on any later day specified in it.
64. Amendment, revocation or replacement of approved code of
practice
(1) The relevant Minister may, by notice published in the Gazette,
approve the amendment, replacement or revocation of an
approved code of practice.
(2) Sections 59, 60, 61, 62(2) and 63 apply in relation to an
amendment or replacement of an approved code of practice as if
references in them to a code of practice were references to an
amendment or replacement.
(3) If the revocation of an approved code of practice is approved
under subsection (1), the revocation takes effect on the day on
which the notice is published in the Gazette or on any later day
specified in the notice.
65. Organisation to comply with applicable code of practice
An organisation must not do any thing, or engage in any
practice, that contravenes an applicable code of practice.
66. Register
(1) The Commissioner must keep a register of approved codes of
practice.
(2) The register is to be kept in the form and manner determined by
the Commissioner.
(3) A person may during business hours --
(a) inspect the register; and
(b) obtain a copy of, or an extract from, any part of the
register on payment of the prescribed fee, if any.
Part 5 -- Complaints
Division 1 -- Preliminary
67. Terms used in this Part
In this Part --
"access decision" means a decision --
(a) to give access to an edited copy of a health record; or
(b) to refuse access to a health record; or
(c) to give access to a health record in a way other than
in the way requested by the access applicant; or
(d) to give access to a health record in the manner
referred to in section 39 or withhold access under that
section; or
(e) to regard, under section 41, an access applicant as
having withdrawn an access application; or
(f) to impose a charge or require the payment of a
deposit in relation to an access application;
"amendment decision" means a decision --
(a) not to amend a health record in accordance with an
amendment application; or
(b) not to comply with a request by an amendment
applicant to make a notation or attachment to a health
record;
"complainant", in relation to a complaint, means the individual
by or on whose behalf the complaint is made;
"conciliation proceedings" means proceedings conducted by
the Commissioner to deal with a complaint;
"conciliation proceedings record" means a document prepared
under section 80(1) or (3);
"conciliation requirement" has the meaning given in
section 80(1)(b);
"conciliator" has the meaning given in section 79(5)(b);
"deal with" a complaint means, in the case of the
Commissioner, to endeavour to resolve the complaint by
conciliation;
"protected matter" means matter contained in a health record
that gives rise to a ground for refusal of access to the health
record under section 35;
"respondent" means --
(a) in the case of a complaint about an alleged
interference with privacy, the organisation that is
alleged to have done the act or engaged in the
practice to which the complaint relates; or
(b) in the case of a complaint about an access decision or
an amendment decision, the organisation that made
the decision; or
(c) in the case of a complaint about an alleged
contravention of a conciliation requirement, the
organisation that is alleged to have contravened the
requirement;
"Tribunal" means the State Administrative Tribunal.
68. What constitutes an interference with privacy
For the purposes of this Part an interference with the privacy of
an individual occurs if --
(a) a public organisation does any thing or engages in any
practice in relation to personal information about the
individual that contravenes the obligation in section 17;
or
(b) an organisation does any thing or engages in any
practice in relation to health information about the
individual that contravenes the obligation in section 20;
or
(c) an organisation does any thing or engages in any
practice in relation to personal information or health
information about the individual that contravenes the
obligation in section 65.
Division 2 -- Complaints and procedure for dealing with them
69. Complaints
A complaint may be made to the Commissioner about --
(a) an alleged interference with the privacy of an individual;
or
(b) an access decision; or
(c) an amendment decision; or
(d) an alleged contravention of a conciliation requirement.
70. Who may make a complaint
(1) A complaint about an alleged interference with the privacy of an
individual may be made by the individual concerned.
(2) A complaint about an access decision may be made by the
access applicant.
(3) A complaint about an amendment decision may be made by the
amendment applicant.
(4) A complaint about an alleged contravention of a conciliation
requirement may be made by the person who was the
complainant in the conciliation proceedings to which the
relevant conciliation proceedings record relates.
71. Complaint on behalf of an individual
(1) If an individual is incapable of making a complaint, a complaint
may be made on his or her behalf by an authorised
representative of the individual.
(2) For the purposes of subsection (1), an individual is incapable of
making a complaint if he or she is incapable by reason of age,
illness, physical impairment or mental disability of --
(a) understanding the general nature and effect of making
the complaint; or
(b) making the complaint,
despite the provision of reasonable assistance by another person.
72. How and when a complaint can be made
(1) A complaint must --
(a) be in writing; and
(b) give particulars of the alleged interference with privacy,
access decision, amendment decision or alleged
contravention of a conciliation requirement, as the case
requires; and
(c) give an address in Australia to which notices under this
Act can be sent; and
(d) give any other information or details required under the
regulations; and
(e) be lodged at the office of the Commissioner.
(2) A complaint about an alleged interference with privacy may be
lodged within 6 months after the day on which the complainant
first became aware of the alleged interference.
(3) A complaint about an access decision or amendment decision
may be lodged within 6 months after the complainant received
written notice of the decision.
(4) A complaint about an alleged contravention of a conciliation
requirement may be lodged within 6 months after the day on
which the complainant first became aware of the alleged
contravention.
(5) The Commissioner may allow a complaint to be lodged after the
period mentioned in subsection (2), (3) or (4) has expired.
73. Commissioner may decide not to deal with a complaint
(1) The Commissioner may, at any time after receiving a complaint,
decide not to deal with the complaint, or to stop dealing with the
complaint, because --
(a) it was lodged after the expiry of the period mentioned in
section 72(2), (3) or (4) or any further period allowed by
the Commissioner under section 72(5); or
(b) it does not relate to a matter the Commissioner has
power to deal with; or
(c) it is frivolous, vexatious, misconceived or lacking in
substance; or
(d) the complainant has not complained to the respondent
about the alleged interference with privacy, access
decision, amendment decision or alleged contravention
of a conciliation requirement and the Commissioner
considers that it would be appropriate for the respondent
to deal with the complaint; or
(e) the complainant has complained to the respondent about
the alleged interference with privacy, access decision,
amendment decision or alleged contravention of a
conciliation requirement and the Commissioner
considers that the respondent --
(i) has dealt adequately with the complaint; or
(ii) is dealing adequately with the complaint; or
(iii) has not yet had an adequate opportunity to deal
with the complaint;
or
(f) in the case of an alleged interference with privacy or
alleged contravention of a conciliation requirement, the
complainant has made a complaint about the alleged
interference or alleged contravention to the
Parliamentary Commissioner and that complaint is, or
has been, the subject of an investigation under the
Parliamentary Commissioner Act 1971.
(2) If the Commissioner decides not to deal with the complaint, or
to stop dealing with the complaint, the Commissioner must
inform the complainant, by notice in writing, of --
(a) the decision; and
(b) the reasons for the decision; and
(c) the rights, if any, of the complainant under section 75.
74. Referral of complaint to respondent in certain
circumstances
(1) If --
(a) the Commissioner has given a complainant a notice
under section 73(2); and
(b) the reason for the Commissioner's decision is a reason
referred to in section 73(1)(d) or (e)(ii) or (iii),
the Commissioner must --
(c) refer the complaint to the respondent and ask the
respondent to deal with, or continue to deal with, the
complaint; and
(d) notify the complainant in writing of the referral.
(2) If a complaint is referred under subsection (1) --
(a) the respondent must deal with, or continue to deal with,
the complaint (the "initial complaint"); and
(b) the complainant is not entitled to make another
complaint to the Commissioner about the alleged
interference with privacy, access decision, amendment
decision or alleged contravention of a conciliation
requirement that is the subject of the initial complaint
unless --
(i) the respondent has notified the complainant in
writing that the respondent has finished dealing
with the initial complaint; or
(ii) a period of 3 months has elapsed since the
referral of the initial complaint.
75. Referral of complaint to Tribunal if Commissioner decides
not to deal with it
(1) If --
(a) the Commissioner has given a complainant a notice
under section 73(2); and
(b) the reason for the Commiss