Western Australian Bills



This is a Bill, not an Act. For current law, see the Acts databases.


INFORMATION PRIVACY BILL 2007

                    Western Australia


      Information Privacy Bill 2007

                       CONTENTS


      Part 1 -- Preliminary
1.    Short title
2.    Commencement
3.    Objects of Act
4.    Terms used in this Act
5.    Meaning of "health information"
6.    Meaning of "personal information"
7.    When information is held
8.    Related public organisations
9.    Application to courts, registries and judicial officers
10.   Publicly available information
11.   Application of certain privacy principles to law enforcement agencies and child protection agencies
12.   Relationship to FOI Act and State Records Act 2000
13.   Nature of rights created by this Act
14.   Act binds Crown
      Part 2 -- Personal information privacy
15.   Information privacy principles
16.   Application of information privacy principles
17.   Public organisations to comply with information privacy principles




                         193--1

 


 

      Part 3 -- Health information privacy
      Division 1 -- Health privacy principles
18.   Health privacy principles
19.   Application of health privacy principles
20.   Organisations to comply with health privacy principles
      Division 2 -- Access to health records
      Subdivision 1 -- Preliminary
21.   Application of Division
      Subdivision 2 -- Right of access and access applications
22.   Right of access
23.   Access application
24.   How access application is made
25.   Withdrawal of access application
      Subdivision 3 -- Procedure for dealing with access applications
26.   Decisions as to access and charges
27.   Organisation may request consultation or further information
28.   Ambit of access application may be reduced by agreement
29.   Charges for access to health records
30.   Estimate of charges
31.   Advance deposits
32.   Failure of access applicant to notify intention or pay deposit
33.   Organisation may refuse to deal with an application in certain cases
34.   Giving access
35.   Refusal of access
36.   Access to edited copy of health record
37.   Health records that cannot be found or do not exist
38.   Ways in which access can be given
39.   Information detrimental to health of access applicant
40.   Notice of decision
41.   Applications may be regarded as having been withdrawn in certain circumstances

 


 

      Division 3 -- Amendment of health records
      Subdivision 1 -- Preliminary
42.   Application of Division
      Subdivision 2 -- Right to apply for amendment and amendment applications
43.   Right to apply for health record to be amended
44.   How amendment application is made
      Subdivision 3 -- Procedure for dealing with amendment applications
45.   Decisions as to amendment
46.   Notice of decision
47.   How organisation may amend health record
48.   Request for notation or attachment disputing accuracy of health record
49.   Other users of health record to be advised of requested amendment
50.   Organisation may give reasons for not amending information
51.   No charge for application or request
      Division 4 -- General
52.   Part not intended to limit access or amendment that is otherwise lawful
53.   Application on behalf of an individual
54.   Personal, family or household affairs
55.   News media
      Part 4 -- Codes of practice
56.   Terms used in this Part
57.   Information privacy code of practice
58.   Health privacy code of practice
59.   Preparation of code of practice by organisation
60.   Preparation of code of practice by Commissioner
61.   Submission of code of practice to relevant Minister
62.   Approval of code of practice
63.   Publication and operation of approved code of practice
64.   Amendment, revocation or replacement of approved code of practice
65.   Organisation to comply with applicable code of practice

 


 

66.   Register
      Part 5 -- Complaints
      Division 1 -- Preliminary
67.   Terms used in this Part
68.   What constitutes an interference with privacy
      Division 2 -- Complaints and procedure for dealing with them
69.   Complaints
70.   Who may make a complaint
71.   Complaint on behalf of an individual
72.   How and when a complaint can be made
73.   Commissioner may decide not to deal with a complaint
74.   Referral of complaint to respondent in certain circumstances
75.   Referral of complaint to Tribunal if Commissioner decides not to deal with it
76.   Notification of complaint
77.   Withdrawal of complaint
78.   Parties to conciliation proceedings
79.   Procedure
80.   Conciliation proceedings record
81.   Power to obtain information and documents and compel attendance
82.   Power to examine
83.   Commissioner to ensure non-disclosure of certain matter
84.   Production of certain health records for inspection
85.   Referral of unresolved complaint to Tribunal
86.   Provision of information to Tribunal
      Division 3 -- Tribunal's jurisdiction as to complaints
87.   Meaning of "complaint jurisdiction"
88.   Presiding member of Tribunal
89.   Tribunal to ensure non-disclosure of certain matter
90.   Decisions of the Tribunal
91.   Restrictions under other laws not applicable

 


 

      Division 4 -- Appeals
92.   Terms used in this Division
93.   Appeal from Tribunal's decision
94.   No access to health record containing exempt matter
95.   Power to impose terms on orders
96.   Court to ensure non-disclosure of certain matter
97.   Production of documents
98.   Restrictions under other laws not applicable
99.   Other procedure
      Part 6 -- Exchange of information
100.  Terms used in this Part
101.  Construction of certain references for the purposes of this Part
102.  Exchange of information between agencies
103.  Exchange of information between agencies and other persons
104.  Scope of disclosure powers
105.  Protection from liability for disclosure
      Part 7 -- Privacy and Information Commissioner
      Division 1 -- Office of Privacy and Information Commissioner
106.  Privacy and Information Commissioner
107.  Appointment of Commissioner
108.  Remuneration
109.  Leave and other conditions of service
110.  Resignation of Commissioner
111.  Removal and suspension from office
112.  Deputy Privacy and Information Commissioner
113.  Deputy Commissioner may act as Commissioner
114.  Acting Commissioner
115.  Oath or affirmation of office -- Commissioner, Deputy Commissioner and Acting Commissioner
116.  Staff of Commissioner
117.  Oath or affirmation of office -- members of staff
118.  Rights of officers preserved

 


 

119.  Offices of Commissioner and Parliamentary Commissioner can be held concurrently
      Division 2 -- Functions and powers of Commissioner
120.  Functions of Commissioner
121.  General powers of Commissioner
122.  Powers relating to audit or review
123.  Commissioner to report on audit or review
124.  Delegation
      Division 3 -- Reports to Parliament
125.  Annual report under Financial Management Act 2006 to include certain information
126.  Special reports
      Part 8 -- Miscellaneous
127.  Deceased individuals
128.  Capacity of authorised representative to give consent
129.  Protection from legal action -- access to health records
130.  Restrictions under other laws not applicable
131.  Confidentiality of information
132.  Protection from liability for wrongdoing
133.  Failure to provide information or document or to appear
134.  Regulations
135.  Review of Act
      Part 9 -- Amendment of other written laws
      Division 1 -- Freedom of Information Act 1992
136.  The Act amended
137.  Part 4 Division 1 repealed
138.  Heading to Part 4 Division 2 amended
139.  Section 63 amended
140.  Section 64 repealed
141.  Heading to Part 4 Division 4 amended
142.  Section 79 repealed
143.  Section 80 repealed

 


 

144.  Section 82 repealed
145.  Section 111 amended
146.  Schedule 2 amended
147.  Glossary amended
      Division 2 -- Parliamentary Commissioner Act 1971
148.  The Act amended
149.  Section 4 amended
150.  Section 5 amended
151.  Section 7 amended
152.  Section 12A inserted
      12A.  Offices of Commissioner and Privacy and Information Commissioner can be held concurrently
153.  Section 22B amended
154.  Section 31 amended
155.  Schedule 1 amended
      Division 3 -- Other Acts amended
156.  Constitution Acts Amendment Act 1899
157.  Financial Management Act 2006
158.  State Records Act 2000
      Division 4 -- Amendment of subsidiary legislation
159.  Power to amend subsidiary legislation
      Part 10 -- Transitional provisions
160.  Terms used in this Part
161.  Continuation of office
162.  Staff of former Commissioner
163.  References to former Commissioner
      Schedule 1 -- Public organisations
      Schedule 2 -- Exempt organisations
      Schedule 3 -- Information privacy principles
1.    Collection
2.    Use and disclosure
3.    Data quality

 


 

4.    Data security
5.    Openness
6.    Identifiers
7.    Anonymity
8.    Transborder data flows
      Schedule 4 -- Health privacy principles
1.    Collection
2.    Use and disclosure
3.    Data quality
4.    Data security and data retention
5.    Openness
6.    Identifiers
7.    Anonymity
8.    Transborder data flows
9.    Transfer or closure of the practice of a health service provider
10.   Making health information available to other health service providers
      Schedule 5 -- Concurrent appointment as Commissioner and Parliamentary Commissioner
1.    Term of office
2.    Remuneration and other conditions of service
3.    Rights preserved
4.    Resignation from office
5.    Removal or suspension from office
6.    Application of clauses 7 to 10
7.    Deputy Commissioners and Acting Commissioners
8.    Functions of staff
9.    Delegation
10.   Confidentiality provisions
      Defined Terms

 


 

                    Western Australia

                  LEGISLATIVE ASSEMBLY

              Information Privacy Bill 2007

                       A Bill for

An Act to --
  · provide for the privacy of personal information and health information held by certain persons and bodies; and
  · provide for access to, and amendment of, health records held by certain persons and bodies; and
  · authorise the disclosure in certain circumstances of personal information or health information held by government agencies; and
  · establish the office of Privacy and Information Commissioner; and
  · amend the Freedom of Information Act 1992, the Parliamentary Commissioner Act 1971 and other Acts as a consequence of the enactment of this Act,
and for related purposes.

The Parliament of Western Australia enacts as follows:

 


 

      Part 1 -- Preliminary

1.    Short title
      This is the Information Privacy Act 2007.

2.    Commencement
      This Act comes into operation as follows:
          (a) sections 1 and 2 -- on the day on which this Act receives the Royal Assent;
          (b) the rest of the Act -- on a day fixed by proclamation, and different days may be fixed for different provisions.

3.    Objects of Act
      The main objects of this Act are --
          (a) to promote and protect the privacy of personal information through the establishment of principles to be observed by persons and bodies in the public sector when collecting, holding, using or disclosing such information; and
          (b) to promote and protect the privacy of health information through the establishment of principles to be observed by persons and bodies in the public sector and the private sector when collecting, holding, using or disclosing such information; and
          (c) to facilitate the sharing, in appropriate circumstances, of personal information or health information held by persons and bodies in the public sector.

4.    Terms used in this Act
      (1) In this Act, unless the contrary intention appears --
          "access applicant" means the individual by whom or on whose behalf an access application has been made;

 


 

          "access application" means an application made under section 23(1);
          "Acting Commissioner" means a person appointed to act in the office of Commissioner under section 114;
          "amendment applicant" means the individual by whom or on whose behalf an amendment application has been made;
          "amendment application" means an application made under section 43(1);
          "applicable code of practice", in relation to an organisation, means an approved code of practice by which the organisation is bound;
          "approved code of practice" means a code of practice approved under section 62 as in force from time to time;
          "authorised representative" means --
              (a) in relation to an individual other than a deceased individual, a person who --
                  (i) is a guardian of the individual appointed under law; or
                  (ii) has parental responsibility for the individual; or
                  (iii) is otherwise empowered under law to perform any functions or duties as an agent of or in the best interests of the individual;
                  and
              (b) in relation to a deceased individual, a person who immediately before the individual's death was a person to whom paragraph (a)(i), (ii) or (iii) applied;
          "child" means a person who is under 18 years of age;
          "child protection agency" means --
              (a) the department of the Public Service principally assisting the Minister administering the Children and Community Services Act 2004 in its administration; or

 


 

              (b) a person, body or office prescribed for the purposes of this definition;
          "child protection functions" means functions under an enactment prescribed for the purposes of this definition;
          "Commissioner" means the person holding the office of Privacy and Information Commissioner established by section 106;
          "complaint" means a complaint referred to in section 69;
          "contractor" means --
              (a) a person or body (other than a person or body referred to in Schedule 1) to the extent that the person or body handles personal information under a contract --
                  (i) between the person or body and a person, body or office referred to in Schedule 1; and
                  (ii) entered into after the commencement of Part 2;
                  or
              (b) a subcontractor to a person or body to whom or which paragraph (a) applies to the extent that the subcontractor handles personal information referred to in that paragraph;
          "contravene" includes to fail to comply with;
          "Corruption and Crime Commission" means the Corruption and Crime Commission established under the Corruption and Crime Commission Act 2003;
          "court" includes a tribunal;
          "Deputy Commissioner" means a person holding the office of Deputy Privacy and Information Commissioner established by section 112;
          "disability" has the meaning given in the Disability Services Act 1993 section 3;

 


 

          "document" means --
              (a) any record; or
              (b) any part of a record; or
              (c) any copy, reproduction or duplicate of a record; or
              (d) any part of a copy, reproduction or duplicate of a record;
          "exempt organisation" means a person, body or office referred to in Schedule 2 and includes staff under the control of the person, body or office;
          "FOI Act" means the Freedom of Information Act 1992;
          "handle", in relation to personal information or health information, means to collect, hold, use or disclose;
          "health information" has the meaning given in section 5;
          "health privacy principle" or "HPP" means a health privacy principle set out in Schedule 4;
          "health record" means a document that contains health information;
          "health service" means --
              (a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the organisation performing it --
                  (i) to assess, maintain or improve the individual's health; or
                  (ii) to diagnose the individual's illness, injury or disability; or
                  (iii) to treat the individual's illness, injury or disability or suspected illness, injury or disability;
                  or
              (b) a disability service, palliative care service or aged care service; or

 


 

              (c) the dispensing on prescription of a drug or medicinal preparation by a pharmacist,
              but does not include a health service, or a class of health service, that is prescribed as an exempt health service or to the extent that it is prescribed as an exempt health service;
          "health service provider" means an organisation that provides a health service in Western Australia to the extent that it provides a health service, but does not include a health service provider, or a class of health service provider, that is prescribed as an exempt health service provider or to the extent that it is prescribed as an exempt health service provider;
          "identifier" means an identifier (usually a number) assigned by an organisation to an individual uniquely to identify the individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual's name;
          "illness" means a physical, mental or psychological illness and includes a suspected illness;
          "information privacy principle" or "IPP" means an information privacy principle set out in Schedule 3;
          "judicial office" includes an office as a member of a tribunal;
          "law enforcement agency" means --
              (a) the Australian Crime Commission established by the Australian Crime Commission Act 2002 (Commonwealth); or
              (b) the board established under the Criminal Law (Mentally Impaired Accused) Act 1996 section 41; or
              (c) the board established under the Sentence Administration Act 2003 section 102; or
              (d) the board established under the Young Offenders Act 1994 section 151; or

 


 

              (e) the Commissioner for Public Sector Standards appointed under the Public Sector Management Act 1994; or
              (f) the Commissioner for State Revenue; or
              (g) the Corruption and Crime Commission; or
              (h) the department of the Public Service principally assisting the Minister administering the Police Act 1892 in its administration; or
              (i) the department of the Public Service principally assisting the Minister administering the Sentence Administration Act 2003 Part 8 in its administration; or
              (j) the Director of Public Prosecutions appointed under the Director of Public Prosecutions Act 1991; or
              (k) the Police Force of Western Australia, the Australian Federal Police or the police force of another State or a Territory; or
              (l) a person, body or office prescribed by the regulations for the purposes of this definition,
              and, in relation to a health privacy principle, includes the Office of Health Review established under the Health Services (Conciliation and Review) Act 1995 and a registration board;
          "law enforcement functions" means functions that relate to one or more of the following --
              (a) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
              (b) the enforcement of laws relating to the confiscation of the proceeds of crime;
              (c) the protection of public revenue;
              (d) the prevention, detection, investigation or remedying of seriously improper conduct;

 


 

              (e) the preparation for, or conduct of, proceedings before a court or implementation of the orders of a court;
          "legal representative", in relation to a deceased individual, means a person who is an executor or administrator of the deceased individual's estate;
          "licensing agency" means a person, body or office prescribed for the purposes of this definition;
          "licensing functions" means functions that relate to --
              (a) the grant, suspension or cancellation of licences, registrations, permits or other authorisations (however described); or
              (b) the administration of a licensing scheme, registration scheme or similar scheme;
          "member of staff" means --
              (a) a person appointed under section 116(1); or
              (b) a person whose services are used under section 116(4);
          "mental disability" has the meaning given in the Guardianship and Administration Act 1990 section 3(1);
          "organisation" means a public organisation or a private organisation;
          "Parliamentary Commissioner" means the Parliamentary Commissioner for Administrative Investigations appointed under the Parliamentary Commissioner Act 1971;
          "parliamentary secretary" means --
              (a) the parliamentary secretary of the Cabinet; or
              (b) a parliamentary secretary holding office under the Constitution Acts Amendment Act 1899 section 44A;
          "personal information" has the meaning given in section 6;
          "private organisation" means --
              (a) an individual; or
              (b) a body corporate; or

 


 

              (c) a partnership; or
              (d) a trust; or
              (e) an unincorporated association or body,
              that is not a public organisation, an exempt organisation or a small business operator (within the meaning given in the Privacy Act 1988 (Commonwealth) section 6D);
          "public health agency" means --
              (a) the department of the Public Service principally assisting the Minister administering the Health Act 1911 in its administration; or
              (b) a board as defined in the Hospitals and Health Services Act 1927 section 2; or
              (c) a person, body or office prescribed by the regulations for the purposes of this definition;
          "public organisation" means --
              (a) a person, body or office referred to in Schedule 1; or
              (b) a contractor,
              but does not include an exempt organisation;
          "public service officer" has the meaning given in the Public Sector Management Act 1994 section 3(1);
          "record" means any record of information however recorded and includes the following --
              (a) any paper or other material, including affixed papers on which there is writing;
              (b) any map, plan, diagram or graph;
              (c) any drawing, pictorial or graphic work, or photograph;
              (d) any paper or other material on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them;

 


 

              (e) any article or material from which sounds, images or writing can be reproduced whether or not with the aid of some other article or device;
              (f) any article on which information has been stored or recorded, either mechanically, magnetically or electronically;
          "registration board" means a body that is listed in the Health Services (Conciliation and Review) Act 1995 Schedule 1;
          "relative" of an individual means --
              (a) the individual's spouse or de facto partner; or
              (b) a parent, step-parent or grandparent of the individual; or
              (c) a child, step-child or grandchild of the individual; or
              (d) a brother, sister, step-brother or step-sister of the individual;
          "remuneration" has the meaning given in the Salaries and Allowances Act 1975 section 4(1);
          "wellbeing" has the meaning given in the Children and Community Services Act 2004 section 3.
      (2) A reference in this Act to an IPP followed by a designation is a reference to the provision with that designation in Schedule 3.
      (3) A reference in this Act to an HPP followed by a designation is a reference to the provision with that designation in Schedule 4.
      (4) A reference in this Act to the Commissioner's functions includes a reference to functions given to the Commissioner under the FOI Act.

5.    Meaning of "health information"
      (1) Health information is --
          (a) information or an opinion about --
              (i) the physical, mental or psychological health (at any time) of an individual; or

 


 

              (ii) a disability (at any time) of an individual; or
              (iii) an individual's expressed wishes about the future provision of health services to him or her; or
              (iv) a health service provided, or to be provided, to an individual,
              that is also personal information; or
          (b) other personal information collected to provide, or in providing, a health service; or
          (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body tissue; or
          (d) other personal information, including genetic information, about an individual in a form which is, or could be, predictive of the health of the individual or any other individual.
      (2) In subsection (1)(c) --
          "body tissue" includes an organ or part of the human body or a substance extracted from, or from a part of, the human body.
      (3) Health information does not include information, or a class of information, that is prescribed as exempt health information.

6.    Meaning of "personal information"
      (1) Personal information is information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead --
          (a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
          (b) who can be identified by reference to an identifier or an identifying particular such as a fingerprint, retina print or body sample.

 


 

      (2) Personal information does not include --
          (a) information about an individual who has been dead for more than 30 years; or
          (b) information about an individual who --
              (i) is included in a witness protection program as defined in the Witness Protection (Western Australia) Act 1996 section 3(1); or
              (ii) is the subject of witness protection arrangements made under another written law;
              or
          (c) information about an individual arising out of a Royal Commission established under the Royal Commissions Act 1968; or
          (d) information about an individual that is contained in an appropriate disclosure of public interest information made under the Public Interest Disclosure Act 2003; or
          (e) information about an individual that is contained in a document containing matter that is exempt matter under the FOI Act Schedule 1 clause 1; or
          (f) information about an individual that is of a class, or is contained in a document of a class, prescribed for the purposes of this subsection.

7.    When information is held
      (1) In this section --
          "entity" means a public organisation, a private organisation or an exempt organisation;
          "officer" of an entity includes --
              (a) the principal officer of the entity; and
              (b) a director of the entity; and
              (c) a member of the entity; and

 


 

              (d) a person employed in, by, or for the purposes of, the entity.
      (2) For the purposes of this Act, an entity holds personal information or health information if the information is contained in a document that is in the possession or under the control of the entity, whether alone or jointly with other persons or bodies, including a document to which the entity is entitled to access and a document in the possession or under the control of an officer of the entity in his or her capacity as such an officer.
      (3) For the purposes of this Act, an entity holds a health record if the health record is in the possession or under the control of the entity, whether alone or jointly with other persons or bodies, including a health record to which the entity is entitled to access and a health record in the possession or under the control of an officer of the entity in his or her capacity as such an officer.

8.    Related public organisations
      A person is not to be regarded as a separate public organisation by reason of --
          (a) holding office as a member or other officer of a public organisation; or
          (b) holding an office established for the purposes of a public organisation.

9.    Application to courts, registries and judicial officers
      (1) Nothing in this Act applies to the handling of personal information or health information by a court unless the information relates to matters of an administrative nature.
      (2) For the purposes of this Act a registry or other office of a court and the staff of such a registry or other office are part of the court.
      (3) A person holding a judicial office or other office pertaining to a court, being an office established by the written law establishing

 


 

      the court, is not a public organisation and is not included in a public organisation.

10.   Publicly available information
      Nothing in this Act applies to personal information or health information contained in a document that is --
          (a) available for purchase by the public or free distribution to the public; or
          (b) available for inspection (whether for a fee or charge or not) under a written law; or
          (c) a State archive to which a person has a right to be given access under the State Records Act 2000 Part 6 despite the FOI Act; or
          (d) publicly available library material held by public organisations for reference purposes; or
          (e) made or acquired by an art gallery, museum or library and preserved for public reference or exhibition purposes.

11.   Application of certain privacy principles to law enforcement agencies and child protection agencies
      (1) A law enforcement agency does not have to comply with IPP 1, IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it believes on reasonable grounds that the non-compliance is necessary for the purposes of one or more of its, or any other law enforcement agency's, law enforcement functions.
      (2) A child protection agency does not have to comply with IPP 1, IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it believes on reasonable grounds that the non-compliance is necessary --
          (a) for the purposes of one or more of its, or any other child protection agency's, child protection functions; or
          (b) in connection with the conduct of proceedings commenced, or about to be commenced, in any court.

 


 

12.   Relationship to FOI Act and State Records Act 2000
      Nothing in this Act affects the operation of the FOI Act or the State Records Act 2000.

13.   Nature of rights created by this Act
      Except to the extent expressly provided by this Act --
          (a) nothing in this Act or an approved code of practice gives rise to a cause of action or creates an enforceable right; and
          (b) a contravention of this Act or an approved code of practice does not give rise to an offence.

14.   Act binds Crown
      This Act binds the Crown in right of the State and, so far as the legislative power of the State permits, the Crown in its other capacities.

 


 

      Part 2 -- Personal information privacy

15.   Information privacy principles
      (1) The information privacy principles are set out in Schedule 3.
      (2) If there is an inconsistency between an IPP and an approved code of practice, the code of practice prevails to the extent of the inconsistency.
      (3) If there is an inconsistency between an IPP and another enactment, the other enactment prevails to the extent of the inconsistency.

16.   Application of information privacy principles
      (1) The information privacy principles apply to a public organisation unless this Act or another enactment expressly provides otherwise.
      (2) The application of an IPP to a public organisation may be modified by an approved code of practice.
      (3) The information privacy principles do not apply to personal information that is also health information.
      (4) IPP 1 and IPP 3 (so far as it relates to the collection of personal information) apply only in relation to the collection of personal information on or after the commencement of this section.
      (5) IPP 2, IPP 3 (so far as it relates to personal information used or disclosed), IPP 4, IPP 5, IPP 6 and IPP 8 apply in relation to personal information held by a public organisation regardless of whether the organisation holds the information as a result of collection occurring before, on or after the commencement of this section.

 


 

17. Public organisations to comply with information privacy principles

A public organisation must not do any thing, or engage in any practice, that contravenes an IPP that applies to the public organisation.

 


 

Part 3 -- Health information privacy

Division 1 -- Health privacy principles

18. Health privacy principles

(1) The health privacy principles are set out in Schedule 4.
(2) If there is an inconsistency between an HPP and an approved code of practice, the code of practice prevails to the extent of the inconsistency.
(3) If there is an inconsistency between an HPP and another enactment, the other enactment prevails to the extent of the inconsistency.

19. Application of health privacy principles

(1) The health privacy principles apply to an organisation that is a health service provider or collects, holds or uses health information unless this Act or another enactment expressly provides otherwise.
(2) The application of an HPP to an organisation may be modified by an approved code of practice.
(3) HPP 1 and HPP 3 (so far as it relates to the collection of health information) apply only in relation to the collection of health information on or after the commencement of this section.
(4) HPP 2, HPP 3 (so far as it relates to health information used or disclosed), HPP 4, HPP 5, HPP 6, HPP 8, HPP 9 and HPP 10 apply in relation to health information held by an organisation regardless of whether the organisation holds the information as a result of collection occurring before, on or after the commencement of this section.

 


 

20. Organisations to comply with health privacy principles

(1) In this section --
    "transitional period" means --
    (a) the period that ends on the second anniversary of the commencement of this section; or
    (b) any extension of that period under subsection (4) in relation to a specified contract.
(2) An organisation must not do any thing, or engage in any practice, that contravenes an HPP that applies to the organisation.
(3) Subsection (2) does not apply to the doing of any thing, or the engaging in of any practice, by an organisation that, but for this subsection, would constitute a contravention of HPP 1 or HPP 2, if --
    (a) doing the thing or engaging in the practice is necessary for the performance of a contract to which the organisation is a party that was entered into by the organisation before the commencement of this section; and
    (b) the thing is done or the practice is engaged in before the end of the transitional period.
(4) On the application of an organisation before the expiry of the transitional period, the Commissioner may extend that period in relation to a specified contract if he or she is satisfied that the organisation is doing its best --
    (a) to comply with HPP 1 or HPP 2 consistent with its obligations under the contract; and
    (b) to seek to have the contract renegotiated to enable the organisation to comply fully with HPP 1 or HPP 2.

 


 

Division 2 -- Access to health records

Subdivision 1 -- Preliminary

21. Application of Division

(1) This Division does not apply to a health record held by an organisation if the organisation is an agency for the purposes of the FOI Act.
(2) This Division applies to a health record held by an organisation regardless of whether the health record contains health information collected before or after the commencement of this Division.

Subdivision 2 -- Right of access and access applications

22. Right of access

(1) Subject to and in accordance with this Division, an individual has a right to be given access to a health record relating to the individual that is held by an organisation.
(2) Subject to this Division, an individual's right to be given access is not affected by --
    (a) any reasons the individual has for wishing to obtain access; or
    (b) an organisation's belief as to what are the individual's reasons for wishing to obtain access.

23. Access application

(1) An individual who wishes to obtain access to a health record relating to the individual that is held by an organisation may make an application to the organisation.
(2) If the circumstances of the individual require it, the organisation must take reasonable steps to help the individual make an access application in a manner that complies with this Division.

 


 

(3) In particular, if an access application does not comply with the requirements of section 24 the organisation must take reasonable steps under subsection (2) to help the individual to change the application so that it complies with those requirements.

24. How access application is made

(1) An access application must --
    (a) be in writing; and
    (b) give enough information to enable the health record to be identified; and
    (c) give an address in Australia to which notices under this Division can be sent; and
    (d) give any other information or details required under the regulations; and
    (e) be accompanied by any application fee payable under the regulations.
(2) An access application may request that access to the health record be given in a particular way described in section 38.

25. Withdrawal of access application

An access applicant may withdraw an access application by giving a written notice to that effect to the organisation.

Subdivision 3 -- Procedure for dealing with access applications

26. Decisions as to access and charges

(1) In this section --
    "permitted period" means the period of 45 days after the relevant access application is received or such other period as is agreed between the organisation and the access applicant or allowed by the Commissioner under subsection (4) or (5).

 


 

(2) Subject to this Subdivision, an organisation must deal with an access application as soon as is practicable (and, in any event, before the end of the permitted period) by --
    (a) considering the application and deciding --
        (i) whether to give or refuse access to the requested health record; and
        (ii) any charge payable for dealing with the application; and
    (b) giving the access applicant written notice of the decision in accordance with section 40.
(3) If an access applicant does not receive notice under subsection (2)(b) within the permitted period the organisation is taken to have refused, at the end of that period, to give access to the health record and the access applicant is taken to have received written notice of that refusal on the day on which that period ended.
(4) On the application of an access applicant, the Commissioner may reduce the time allowed to an organisation to comply with subsection (2).
(5) On the application of an organisation, the Commissioner, on being satisfied that the organisation has attempted to comply with subsection (2) within 45 days but that it is impracticable, in the circumstances, for it to comply within that time, may allow the organisation an extension of time to comply on such conditions as the Commissioner thinks fit.
(6) If an extension of time is allowed under subsection (5) the organisation must give written notice of the extension to the access applicant as soon as is practicable.

27. Organisation may request consultation or further information

(1) In order to deal with an access application the organisation may in a written notice given to the access applicant request the applicant to consult with, or provide further information to, the organisation about the application.
(2) A notice under subsection (1) must --
    (a) give details of the access application; and
    (b) state that the notice is given under this section; and
    (c) state the name and designation of the officer of the organisation who must be consulted or informed.
(3) An organisation is not allowed under subsection (1) --
    (a) to request the access applicant to provide information as to the access applicant's reasons for wishing to obtain access to the requested health record; or
    (b) to inquire as to those reasons in the course of consultation.

28. Ambit of access application may be reduced by agreement

If it is apparent from the terms of an access application that the access applicant seeks information of a certain kind contained in a health record held by the organisation, the organisation may, with the agreement of the access applicant, deal with the access application as if it were an application relating only to that part of the health record that contains information of that kind.

29. Charges for access to health records

(1) Any charge that is required to be paid by an access applicant before access to a health record is given, must be calculated by an organisation in accordance with the following principles or, where those principles require, must be waived --
    (a) a charge may be made for the time taken to search for the health record to which access is requested but any such charge --
        (i) must be fixed on an hourly rate basis; and

 


 

        (ii) must not cover additional time, if any, spent by the organisation in searching for a health record that was lost or misplaced;
    (b) a charge may be made for the reasonable costs incurred by an organisation in --
        (i) supervising the inspection of a health record; or
        (ii) giving a copy of a health record; or
        (iii) giving a summary or explanation of the information contained in a health record;
    (c) a charge must be waived or be reduced if the access applicant is impecunious;
    (d) a charge must not exceed such amount as may be prescribed from time to time.
(2) Subject to section 31, an organisation must not require payment of a charge before it notifies the access applicant of its decision to give access to a health record.

30. Estimate of charges

(1) When making an access application the access applicant may request an estimate of the charges that might be payable for dealing with the application.
(2) If a request is made under subsection (1) the organisation must notify the access applicant of its estimate, and the basis on which its estimate is made, as soon as is practicable.
(3) If the organisation estimates that the charges for dealing with the access application might exceed the prescribed amount then, whether or not a request has been made under subsection (1), the organisation must give the access applicant a notice that --
    (a) sets out its estimate, and the basis on which its estimate is made; and
    (b) asks whether the access applicant wishes to proceed with the application; and

 


 

    (c) gives details of the effect of section 32(1)(b).
(4) Unless a greater amount is prescribed by regulation, $60 is the "prescribed amount" for the purposes of subsection (3).

31. Advance deposits

(1) An organisation may, in a notice given to an access applicant under section 30(3), require the applicant to pay a deposit of a prescribed amount or at a prescribed rate on account of the charges for dealing with the access application.
(2) If payment of a deposit is required, the organisation must, at the request of the access applicant, discuss with the applicant practicable alternatives for changing the access application or reducing the anticipated charges, including reduction of the charges if the applicant waives, either conditionally or unconditionally, the need for compliance by the organisation with the time limit imposed by section 26(2).
(3) If payment of a deposit is required, the notice referred to in subsection (2) must also give details of --
    (a) the rights of the access applicant under Part 5 and the procedure to be followed to exercise those rights; and
    (b) the effect of section 32(2)(b).

32. Failure of access applicant to notify intention or pay deposit

(1) If an organisation has given an access applicant a notice under section 30(3) --
    (a) the period commencing on the day on which the notice was given, and ending on the day on which the organisation is notified that the applicant intends to proceed with the access application, is to be disregarded for the purposes of section 26(1); and
    (b) if intention to proceed is not notified within 30 days (or such further time as the organisation allows) after the day on which the notice was given, the applicant is to be taken to have withdrawn the access application.

 


 

(2) If the notice referred to in subsection (1) requires the access applicant to pay a deposit --
    (a) the period commencing on the day on which the notice was given, and ending on the day on which the deposit is paid, is to be disregarded for the purposes of section 26(1); and
    (b) if the deposit is not paid within 30 days (or such further time as the organisation allows) after the day on which the notice was given, the applicant is to be taken to have withdrawn the access application.
(3) Any period during which the requirement to pay a deposit is the subject of proceedings under Part 5 is to be disregarded for the purposes of subsection (2)(b).

33. Organisation may refuse to deal with an application in certain cases

(1) If an organisation considers that the work involved in dealing with the access application would divert a substantial and unreasonable portion of the organisation's resources away from its other operations, the organisation must take reasonable steps to help the access applicant to change the application to reduce the amount of work needed to deal with it.
(2) If after help has been given to change the access application the organisation still considers that the work involved in dealing with the application would divert a substantial and unreasonable portion of the organisation's resources away from its other operations, the organisation may refuse to deal with the application.
(3) An organisation may refuse to deal with an access application if the application is substantially in the same terms as one already made by the access applicant to the organisation.
(4) If, under subsection (2) or (3), an organisation refuses to deal with an access application, it must give the access applicant written notice of the refusal without delay.

 


 

(5) The notice must give details of --
    (a) the reasons for the refusal and the findings on any material questions of fact underlying those reasons, referring to the material on which those findings are based; and
    (b) the rights of the access applicant under Part 5 and the procedure to be followed to exercise those rights.

34. Giving access

If an organisation decides to give access to a health record and the charges imposed for dealing with the access application have been paid, the organisation must give the access applicant access to the health record.

35. Refusal of access

Subject to section 36, an organisation may refuse access to a health record on one or more of the following grounds --
    (a) giving access would pose a serious threat to the life, health, safety or welfare of any individual;
    (b) giving access would have an unreasonable impact on the privacy of any other individual;
    (c) the health record --
        (i) relates to existing or anticipated legal proceedings between the organisation (or a person insured by the organisation) and the access applicant, and the health record would not be accessible by the process of discovery in those proceedings; or
        (ii) is otherwise subject to legal professional privilege;
    (d) giving access would reveal the intentions of the organisation in relation to negotiations, other than about the provision of a health service, with the access applicant in such a way as to expose the organisation unreasonably to disadvantage;
    (e) giving access would be unlawful;
    (f) refusal of access is required or authorised by or under law;
    (g) giving access would be likely to prejudice an investigation of possible unlawful activity;
    (h) giving access would be likely to prejudice a function performed by or on behalf of a law enforcement agency.

36. Access to edited copy of health record

(1) If an access application requests access to a health record and --
    (a) one or more of the grounds referred to in section 35 apply to particular matter contained in the health record; and
    (b) it is practicable for the organisation to edit a copy of the health record so as to delete that matter; and
    (c) the organisation considers (either from the terms of the application or after consultation with the access applicant) that the applicant would wish to be given access to an edited copy,
    the organisation must make and give access to an edited copy.
(2) If an access application requests access to a health record and --
    (a) the health record contains matter that may reasonably be regarded as being outside the ambit of the application; and
    (b) it is practicable for the organisation to edit a copy of the health record so as to delete that matter; and
    (c) the organisation considers (either from the terms of the application or after consultation with the access applicant) that the applicant would wish to be given access to an edited copy,
    the organisation may make and give access to an edited copy.

 


 

37. Health records that cannot be found or do not exist

(1) An organisation may advise an access applicant, by written notice, that it is not possible to give access to a health record if --
    (a) all reasonable steps have been taken to find the health record; and
    (b) the organisation is satisfied that the health record --
        (i) is in the organisation's possession but cannot be found; or
        (ii) does not exist.
(2) For the purposes of this Act the sending of a notice under subsection (1) in relation to a health record is to be regarded as a decision to refuse access to the health record.

38. Ways in which access can be given

(1) Subject to subsection (3), access to a health record may be given to an access applicant in one or more of the following ways --
    (a) by giving a reasonable opportunity to inspect the health record;
    (b) by giving a copy of the health record;
    (c) by giving a summary of the health information contained in the health record;
    (d) by giving an explanation of the health information contained in the health record.
(2) If an access applicant has requested that access to a health record be given in a particular way described in subsection (1) and access is given in some other way, the applicant is not required to pay a charge in respect of the giving of access that is greater than the charge that the applicant would have been required to pay if access had been given in the way that was requested.

 


 

(3) If a health record contains only health information collected before the commencement of this Division, access to the health record may be given to an access applicant by giving a summary of that information.
(4) This section does not prevent an organisation from giving access to a health record in any way agreed on between the organisation and an access applicant.

39. Information detrimental to health of access applicant

If a health record to which an organisation has decided to give access contains information that, in the opinion of the organisation, may have a substantial adverse effect on the physical, mental or psychological health of the access applicant --
    (a) it is sufficient compliance with this Division if access to the health record is given to a suitably qualified person nominated in writing by the access applicant; and
    (b) the organisation may withhold access until a person who is, in the opinion of the organisation, suitably qualified is nominated.

40. Notice of decision

The notice that an organisation gives an access applicant under section 26(2)(b) must give details of --
    (a) the day on which the decision was made; and
    (b) the name and designation of the person who made the decision; and
    (c) if the decision is that access is to be given to an edited copy of a health record under section 36(1) or (2) --
        (i) the fact that access is to be given to an edited copy; and
        (ii) the grounds on which matter has been deleted; and

 


 

    (d) if the decision is to give access to a health record in a way other than the way requested by the access applicant -- the reasons for giving access that other way; and
    (e) if the decision is to give access to a health record in the manner referred to in section 39 -- the arrangements to be made for giving access to the record; and
    (f) if the decision is to refuse access to a health record -- the grounds for the refusal and the findings on any material questions of fact underlying those grounds, referring to the material on which those findings were based; and
    (g) if the decision is that the access applicant is to pay a charge to the organisation -- the amount of the charge and the basis on which the amount was calculated; and
    (h) the rights of the access applicant under Part 5 and the procedure to be followed to exercise those rights.

41. Applications may be regarded as having been withdrawn in certain circumstances

(1) An organisation may in a written notice given to an access applicant (a "compliance notice") advise the applicant that the applicant may be regarded by the organisation as having withdrawn the access application if the applicant does not --
    (a) comply with a request of the organisation contained in a notice under section 27(1), to consult with, or provide further information to, the organisation about the access application; or
    (b) nominate a suitably qualified person under section 39; or
    (c) obtain access to the requested health record,
    within the period of 30 days after the day on which the compliance notice was given to the applicant.

 


 

(2) Subsection (1)(c) applies if the access applicant has been given notice under section 26(2)(b) of the organisation's decision to give access to the requested health record.
(3) A compliance notice must --
    (a) give details of the access application; and
    (b) state that the notice is given under this section and that failure to comply with it may result in the applicant being regarded as having withdrawn the access application; and
    (c) in the case of a notice under subsection (1)(a), give details of the notice under section 27(1) that it refers to; and
    (d) in the case of a notice under subsection (1)(b), state the name and designation of the officer of the organisation who must be consulted or informed; and
    (e) in the case of a notice under subsection (1)(c), state the name and designation of the officer of the organisation from whom access to the health record is to be obtained.
(4) An organisation may regard an access applicant as having withdrawn the access application if, within the period of 30 days after the day on which the organisation gave the applicant a compliance notice, the applicant does not --
    (a) in the case of a notice under subsection (1)(a), comply with the request referred to in the notice; or
    (b) in the case of a notice under subsection (1)(b), nominate a suitably qualified person under section 39; or
    (c) in the case of a notice under subsection (1)(c), obtain access to the requested health record.
(5) If an organisation decides to regard an access applicant as having withdrawn the access application, the organisation must give the applicant a written notice of that decision.

 


 

(6) The notice under subsection (5) must give details of --
    (a) the day on which the decision was made; and
    (b) the name and designation of the person who made the decision; and
    (c) the reasons for deciding to regard the access applicant as having withdrawn the access application; and
    (d) the rights of the access applicant under Part 5 and the procedure to be followed to exercise those rights.

Division 3 -- Amendment of health records

Subdivision 1 -- Preliminary

42. Application of Division

(1) This Division does not apply to a health record held by an organisation if the organisation is an agency for the purposes of the FOI Act.
(2) This Division applies to a health record held by an organisation regardless of whether the health record contains health information collected before or after the commencement of this Division.

Subdivision 2 -- Right to apply for amendment and amendment applications

43. Right to apply for health record to be amended

(1) An individual has a right to apply to an organisation for amendment of a health record relating to the individual that is held by the organisation if the health record is inaccurate, incomplete, out of date or misleading.
(2) If the circumstances of the individual require it, the organisation must take reasonable steps to help the individual make an amendment application in a manner that complies with this Division.

 


 

(3) In particular, if an amendment application does not comply with the requirements of section 44 the organisation must take reasonable steps under subsection (2) to help the individual to change the application so that it complies with those requirements.

44. How amendment application is made

(1) An amendment application must --
    (a) be in writing; and
    (b) give enough information to enable the health record to be identified; and
    (c) give details of the matters in relation to which the amendment applicant believes the health record is inaccurate, incomplete, out of date or misleading; and
    (d) give the amendment applicant's reasons for holding that belief; and
    (e) give details of the amendment that the amendment applicant wishes to have made; and
    (f) give an address in Australia to which notices under this Division can be sent; and
    (g) give any other information or details required under the regulations.
(2) For the purposes of subsection (1)(e) the amendment application must state whether the amendment applicant wishes the amendment to be made by --
    (a) altering information contained in the health record (otherwise than by deletion); or
    (b) inserting information into the health record; or
    (c) inserting a note into the health record,
    or in 2 or more of those ways.

 


 

Subdivision 3 -- Procedure for dealing with amendment applications

45. Decisions as to amendment

(1) In this section --
    "permitted period" means the period of 30 days after the relevant amendment application is received or such other period as is agreed between the organisation and the amendment applicant or allowed by the Commissioner under subsection (4).
(2) Subject to this Subdivision, an organisation must deal with an amendment application as soon as is practicable (and, in any event, before the end of the permitted period) by --
    (a) considering the application and deciding whether to amend the health record; and
    (b) giving the amendment applicant written notice of the decision in accordance with section 46.
(3) If an amendment applicant does not receive notice under subsection (2)(b) within the permitted period the organisation is taken to have refused, at the end of that period, to amend the health record and the amendment applicant is taken to have received written notice of that refusal on the day on which that period ended.
(4) On the application of an organisation, the Commissioner, on being satisfied that the organisation has attempted to comply with subsection (2) within 30 days but that it is impracticable, in the circumstances, for it to comply within that time, may allow the organisation an extension of time to comply on such conditions as the Commissioner thinks fit.
(5) If an extension of time is allowed under subsection (4) the organisation must give written notice of the extension to the access applicant as soon as is practicable.

 


 

46. Notice of decision

The notice that an organisation gives an amendment applicant under section 45(2)(b) must give details of --
    (a) the day on which the decision was made; and
    (b) the name and designation of the person who made the decision; and
    (c) if the decision is to amend the health record -- details of the amendment made; and
    (d) if the decision is to refuse to amend the health record --
        (i) the reasons for the refusal and the findings on any material questions of fact underlying those reasons, referring to the material on which those findings were based; and
        (ii) the rights of the amendment applicant under Part 5 and the procedure to be followed to exercise those rights; and
        (iii) the right to request that a notation or attachment be made to the health record and the procedure to be followed to exercise that right.

47. How organisation may amend health record

(1) If an organisation decides to amend a health record it may make the amendment by --
    (a) altering information contained in the health record (otherwise than by deletion); or
    (b) inserting information into the health record; or
    (c) inserting a note into the health record,
    or in 2 or more of those ways.
(2) If the organisation inserts a note into the health record the note must --
    (a) give details of the matters in relation to which the health record is inaccurate, incomplete, out of date or misleading; and

 


 

    (b) if the health record is incomplete or out of date -- set out whatever information is needed to complete it or bring it up to date.

48. Request for notation or attachment disputing accuracy of health record

(1) If an organisation decides not to amend a health record in accordance with an amendment application, the amendment applicant may, in writing, request the organisation to make a notation or attachment to the health record --
    (a) giving details of the matters in relation to which the applicant claims the health record is inaccurate, incomplete, out of date or misleading; and
    (b) if the amendment applicant claims the health record is incomplete or out of date -- setting out the information that the applicant claims is needed to complete it or bring it up to date.
(2) A request may be made under this section whether or not the amendment applicant has made a complaint in respect of the organisation's decision under Part 5.
(3) The organisation must comply with the request unless it considers that the notation or attachment that the amendment applicant has requested to be made to the health record is defamatory or unnecessarily voluminous.
(4) If the organisation decides not to comply with the request it must give the amendment applicant written notice of its decision giving details of --
    (a) the reasons for the decision and the findings on any material questions of fact underlying those reasons, referring to the material on which those findings were based; and
    (b) the rights of the amendment applicant under Part 5 and the procedure to be followed to exercise those rights.

 


 

(5) This section does not prevent the organisation from making the requested notation or attachment in an edited or abbreviated form, but the making of an edited or abbreviated notation or attachment does not constitute compliance with the request for the purposes of subsection (4).

49. Other users of health record to be advised of requested amendment

(1) If after a request is made under section 48 the organisation gives the health record to another person (including another organisation) the organisation must give that other person a statement that a claim has been made under this Division that the health record is inaccurate, incomplete, out of date or misleading.
(2) If a notation or attachment has been made under section 48 particulars of the notation or attachment must be included in or attached to the statement given under subsection (1).

50. Organisation may give reasons for not amending information

This Division does not prevent the organisation from adding to a notation or attachment made under section 48 the organisation's reasons for deciding not to amend the health record in accordance with the amendment application, or from including those reasons in, or attaching them to, a statement given under section 49(1).

51. No charge for application or request

No fee or other charge is payable in respect of an application or request under this Division.

Division 4 -- General

52. Part not intended to limit access or amendment that is otherwise lawful

Nothing in this Part is intended to prevent or discourage the giving of access to health records, or the amendment of health records, otherwise than under this Part if that can properly be done or is permitted or required by law to be done.

53. Application on behalf of an individual

(1) In this section --
    "application" means --
        (a) an access application; or
        (b) an amendment application; or
        (c) a request referred to in HPP 9(2) or 10(1).
(2) If an individual is incapable of making an application, an application may be made on his or her behalf by an authorised representative of the individual.
(3) For the purposes of subsection (2), an individual is incapable of making an application if he or she is incapable by reason of age, illness, physical impairment or mental disability of --
    (a) understanding the general nature and effect of making the application; or
    (b) making the application, despite the provision of reasonable assistance by another person.

54. Personal, family or household affairs

Nothing in this Part or an HPP applies to --
    (a) the handling of health information by an individual; or
    (b) health information held by an individual,
only for the purposes of, or in connection with, his or her personal, family or household affairs.

55. News media

(1) In this section --
    "news activity" means --
        (a) the gathering of news for the purposes of dissemination to the public or any section of the public; or
        (b) the preparation or compiling of articles or programmes of or concerning news, observations on news or current affairs for the purposes of dissemination to the public or any section of the public; or
        (c) the dissemination to the public or any section of the public of any article or programme of or concerning any news, observations on news or current affairs;
    "news medium" means any organisation whose business, or whose principal business, consists of a news activity.
(2) Nothing in the health privacy principles applies to the handling of health information by a news medium in connection with its news activities.
(3) Nothing in this Part or HPP 5(2) applies to health information held by a news medium in connection with its news activities.

Part 4 -- Codes of practice

56. Terms used in this Part

In this Part, unless the contrary intention appears --
    "code of practice" means an information privacy code of practice or a health privacy code of practice;
    "health privacy code of practice" means a code of practice referred to in section 58;
    "information privacy code of practice" means a code of practice referred to in section 57;
    "relevant Minister" means --
        (a) in relation to an information privacy code of practice, the Minister administering this Act; and
        (b) in relation to a health privacy code of practice, the Minister administering the Health Act 1911.

57. Information privacy code of practice

(1) An information privacy code of practice is a code of practice that modifies the application or operation of any one or more of the information privacy principles.
(2) An information privacy code of practice may apply in relation to any one or more of the following --
    (a) any specified personal information or class of personal information;
    (b) any specified activity or class of activity;
    (c) any specified public organisation or class of public organisation.
(3) An information privacy code of practice must specify --
    (a) the public organisations that are bound (either wholly or to a limited extent) by it; or
    (b) a way of determining the public organisations that are so bound.
(4) An information privacy code of practice can only apply to a public organisation if the organisation has agreed to be bound by the provisions of the code.
(5) An information privacy code of practice must not modify the application or operation of an IPP in relation to a public organisation unless --
    (a) the organisation is not otherwise reasonably capable of complying with the IPP; and
    (b) the application or operation of the IPP is modified only to the extent reasonably necessary to enable the organisation to comply with the IPP.
(6) An information privacy code of practice may be expressed to have effect for a period specified in the code.

58. Health privacy code of practice

(1) A health privacy code of practice is a code of practice that modifies the application or operation of any one or more of the health privacy principles.
(2) A health privacy code of practice may apply in relation to any one or more of the following --
    (a) any specified health information or class of health information;
    (b) any specified activity or class of activity;
    (c) any specified organisation or class of organisation.
(3) A health privacy code of practice must specify --
    (a) the organisations that are bound (either wholly or to a limited extent) by it; or
    (b) a way of determining the organisations that are so bound.
(4) A health privacy code of practice can only apply to an organisation if the organisation has agreed to be bound by the provisions of the code.
(5) A health privacy code of practice must not modify the application or operation of an HPP in relation to an organisation unless --
    (a) the organisation is not otherwise reasonably capable of complying with the HPP; and
    (b) the application or operation of the HPP is modified only to the extent reasonably necessary to enable the organisation to comply with the HPP.
(6) A health privacy code of practice may be expressed to have effect for a period specified in the code.

59. Preparation of code of practice by organisation

(1) A public organisation may prepare an information privacy code of practice and submit it to the Commissioner.
(2) An organisation may prepare a health privacy code of practice and submit it to the Commissioner.
(3) In preparing a code of practice an organisation may --
    (a) consult with any person or body it considers appropriate; and
    (b) seek comment from members of the public.

60. Preparation of code of practice by Commissioner

(1) The Commissioner may prepare a code of practice.
(2) In preparing a code of practice the Commissioner may --
    (a) consult with any person or body the Commissioner considers appropriate; and
    (b) seek comment from members of the public.

61. Submission of code of practice to relevant Minister

(1) The Commissioner may submit to the relevant Minister for approval a code of practice --
    (a) submitted to the Commissioner under section 59; or
    (b) prepared by the Commissioner under section 60.
(2) Before submitting a code of practice referred to in subsection (1)(a) the Commissioner --
    (a) may consult with any person or body the Commissioner considers appropriate; and
    (b) must have regard to the extent to which members of the public have been given an opportunity to comment on the code of practice.

62. Approval of code of practice

(1) The relevant Minister may, by notice published in the Gazette, approve a code of practice submitted under section 61(1) or refuse to approve it.
(2) The relevant Minister must not give approval unless he or she is satisfied that the code of practice complies with the requirements of section 57 or 58, as the case requires.

63. Publication and operation of approved code of practice

An approved code of practice --
    (a) must be published in the Gazette; and
    (b) comes into operation on the day on which it is so published or on any later day specified in it.

64. Amendment, revocation or replacement of approved code of practice

(1) The relevant Minister may, by notice published in the Gazette, approve the amendment, replacement or revocation of an approved code of practice.
(2) Sections 59, 60, 61, 62(2) and 63 apply in relation to an amendment or replacement of an approved code of practice as if references in them to a code of practice were references to an amendment or replacement.
(3) If the revocation of an approved code of practice is approved under subsection (1), the revocation takes effect on the day on which the notice is published in the Gazette or on any later day specified in the notice.

65. Organisation to comply with applicable code of practice

An organisation must not do any thing, or engage in any practice, that contravenes an applicable code of practice.

66. Register

(1) The Commissioner must keep a register of approved codes of practice.
(2) The register is to be kept in the form and manner determined by the Commissioner.
(3) A person may during business hours --
    (a) inspect the register; and
    (b) obtain a copy of, or an extract from, any part of the register on payment of the prescribed fee, if any.

Part 5 -- Complaints

Division 1 -- Preliminary

67. Terms used in this Part

In this Part --
    "access decision" means a decision --
        (a) to give access to an edited copy of a health record; or
        (b) to refuse access to a health record; or
        (c) to give access to a health record in a way other than in the way requested by the access applicant; or
        (d) to give access to a health record in the manner referred to in section 39 or withhold access under that section; or
        (e) to regard, under section 41, an access applicant as having withdrawn an access application; or
        (f) to impose a charge or require the payment of a deposit in relation to an access application;
    "amendment decision" means a decision --
        (a) not to amend a health record in accordance with an amendment application; or
        (b) not to comply with a request by an amendment applicant to make a notation or attachment to a health record;
    "complainant", in relation to a complaint, means the individual by or on whose behalf the complaint is made;
    "conciliation proceedings" means proceedings conducted by the Commissioner to deal with a complaint;
    "conciliation proceedings record" means a document prepared under section 80(1) or (3);
    "conciliation requirement" has the meaning given in section 80(1)(b);
    "conciliator" has the meaning given in section 79(5)(b);
    "deal with" a complaint means, in the case of the Commissioner, to endeavour to resolve the complaint by conciliation;
    "protected matter" means matter contained in a health record that gives rise to a ground for refusal of access to the health record under section 35;
    "respondent" means --
        (a) in the case of a complaint about an alleged interference with privacy, the organisation that is alleged to have done the act or engaged in the practice to which the complaint relates; or
        (b) in the case of a complaint about an access decision or an amendment decision, the organisation that made the decision; or
        (c) in the case of a complaint about an alleged contravention of a conciliation requirement, the organisation that is alleged to have contravened the requirement;
    "Tribunal" means the State Administrative Tribunal.

68. What constitutes an interference with privacy

For the purposes of this Part an interference with the privacy of an individual occurs if --
    (a) a public organisation does any thing or engages in any practice in relation to personal information about the individual that contravenes the obligation in section 17; or
    (b) an organisation does any thing or engages in any practice in relation to health information about the individual that contravenes the obligation in section 20; or
    (c) an organisation does any thing or engages in any practice in relation to personal information or health
    information about the individual that contravenes the obligation in section 65.

Division 2 -- Complaints and procedure for dealing with them

69. Complaints

A complaint may be made to the Commissioner about --
    (a) an alleged interference with the privacy of an individual; or
    (b) an access decision; or
    (c) an amendment decision; or
    (d) an alleged contravention of a conciliation requirement.

70. Who may make a complaint

(1) A complaint about an alleged interference with the privacy of an individual may be made by the individual concerned.
(2) A complaint about an access decision may be made by the access applicant.
(3) A complaint about an amendment decision may be made by the amendment applicant.
(4) A complaint about an alleged contravention of a conciliation requirement may be made by the person who was the complainant in the conciliation proceedings to which the relevant conciliation proceedings record relates.

71. Complaint on behalf of an individual

(1) If an individual is incapable of making a complaint, a complaint may be made on his or her behalf by an authorised representative of the individual.
(2) For the purposes of subsection (1), an individual is incapable of making a complaint if he or she is incapable by reason of age, illness, physical impairment or mental disability of --
    (a) understanding the general nature and effect of making the complaint; or
    (b) making the complaint, despite the provision of reasonable assistance by another person.

72. How and when a complaint can be made

(1) A complaint must --
    (a) be in writing; and
    (b) give particulars of the alleged interference with privacy, access decision, amendment decision or alleged contravention of a conciliation requirement, as the case requires; and
    (c) give an address in Australia to which notices under this Act can be sent; and
    (d) give any other information or details required under the regulations; and
    (e) be lodged at the office of the Commissioner.
(2) A complaint about an alleged interference with privacy may be lodged within 6 months after the day on which the complainant first became aware of the alleged interference.
(3) A complaint about an access decision or amendment decision may be lodged within 6 months after the complainant received written notice of the decision.
(4) A complaint about an alleged contravention of a conciliation requirement may be lodged within 6 months after the day on which the complainant first became aware of the alleged contravention.
(5) The Commissioner may allow a complaint to be lodged after the period mentioned in subsection (2), (3) or (4) has expired.

73. Commissioner may decide not to deal with a complaint

(1) The Commissioner may, at any time after receiving a complaint, decide not to deal with the complaint, or to stop dealing with the complaint, because --
    (a) it was lodged after the expiry of the period mentioned in section 72(2), (3) or (4) or any further period allowed by the Commissioner under section 72(5); or
    (b) it does not relate to a matter the Commissioner has power to deal with; or
    (c) it is frivolous, vexatious, misconceived or lacking in substance; or
    (d) the complainant has not complained to the respondent about the alleged interference with privacy, access decision, amendment decision or alleged contravention of a conciliation requirement and the Commissioner considers that it would be appropriate for the respondent to deal with the complaint; or
    (e) the complainant has complained to the respondent about the alleged interference with privacy, access decision, amendment decision or alleged contravention of a conciliation requirement and the Commissioner considers that the respondent --
        (i) has dealt adequately with the complaint; or
        (ii) is dealing adequately with the complaint; or
        (iii) has not yet had an adequate opportunity to deal with the complaint; or
    (f) in the case of an alleged interference with privacy or alleged contravention of a conciliation requirement, the complainant has made a complaint about the alleged interference or alleged contravention to the Parliamentary Commissioner and that complaint is, or has been, the subject of an investigation under the Parliamentary Commissioner Act 1971.
(2) If the Commissioner decides not to deal with the complaint, or to stop dealing with the complaint, the Commissioner must inform the complainant, by notice in writing, of --
    (a) the decision; and
    (b) the reasons for the decision; and
    (c) the rights, if any, of the complainant under section 75.

74. Referral of complaint to respondent in certain circumstances

(1) If --
    (a) the Commissioner has given a complainant a notice under section 73(2); and
    (b) the reason for the Commissioner's decision is a reason referred to in section 73(1)(d) or (e)(ii) or (iii),
the Commissioner must --
    (c) refer the complaint to the respondent and ask the respondent to deal with, or continue to deal with, the complaint; and
    (d) notify the complainant in writing of the referral.
(2) If a complaint is referred under subsection (1) --
    (a) the respondent must deal with, or continue to deal with, the complaint (the "initial complaint"); and
    (b) the complainant is not entitled to make another complaint to the Commissioner about the alleged interference with privacy, access decision, amendment decision or alleged contravention of a conciliation requirement that is the subject of the initial complaint unless --
        (i) the respondent has notified the complainant in writing that the respondent has finished dealing with the initial complaint; or
        (ii) a period of 3 months has elapsed since the referral of the initial complaint.

75. Referral of complaint to Tribunal if Commissioner decides not to deal with it

(1) If --
    (a) the Commissioner has given a complainant a notice under section 73(2); and
    (b) the reason for the Commiss