This is a Bill, not an Act. For current law, see the Acts databases.
Western Australia
Information Privacy Bill 2007
CONTENTS
Part 1 -- Preliminary
1. Short title
2. Commencement
3. Objects of Act
4. Terms used in this Act
5. Meaning of "health information"
6. Meaning of "personal information"
7. When information is held
8. Related public organisations
9. Application to courts, registries and judicial officers
10. Publicly available information
11. Application of certain privacy principles to law enforcement agencies and child protection agencies
12. Relationship to FOI Act and State Records Act 2000
13. Nature of rights created by this Act
14. Act binds Crown
Part 2 -- Personal information privacy
15. Information privacy principles
16. Application of information privacy principles
17. Public organisations to comply with information privacy principles
Part 3 -- Health information privacy
Division 1 -- Health privacy principles
18. Health privacy principles
19. Application of health privacy principles
20. Organisations to comply with health privacy principles
Division 2 -- Access to health records
Subdivision 1 -- Preliminary
21. Application of Division
Subdivision 2 -- Right of access and access applications
22. Right of access
23. Access application
24. How access application is made
25. Withdrawal of access application
Subdivision 3 -- Procedure for dealing with access applications
26. Decisions as to access and charges
27. Organisation may request consultation or further information
28. Ambit of access application may be reduced by agreement
29. Charges for access to health records
30. Estimate of charges
31. Advance deposits
32. Failure of access applicant to notify intention or pay deposit
33. Organisation may refuse to deal with an application in certain cases
34. Giving access
35. Refusal of access
36. Access to edited copy of health record
37. Health records that cannot be found or do not exist
38. Ways in which access can be given
39. Information detrimental to health of access applicant
40. Notice of decision
41. Applications may be regarded as having been withdrawn in certain circumstances
Division 3 -- Amendment of health records
Subdivision 1 -- Preliminary
42. Application of Division
Subdivision 2 -- Right to apply for amendment and amendment applications
43. Right to apply for health record to be amended
44. How amendment application is made
Subdivision 3 -- Procedure for dealing with amendment applications
45. Decisions as to amendment
46. Notice of decision
47. How organisation may amend health record
48. Request for notation or attachment disputing accuracy of health record
49. Other users of health record to be advised of requested amendment
50. Organisation may give reasons for not amending information
51. No charge for application or request
Division 4 -- General
52. Part not intended to limit access or amendment that is otherwise lawful
53. Application on behalf of an individual
54. Personal, family or household affairs
55. News media
Part 4 -- Codes of practice
56. Terms used in this Part
57. Information privacy code of practice
58. Health privacy code of practice
59. Preparation of code of practice by organisation
60. Preparation of code of practice by Commissioner
61. Submission of code of practice to relevant Minister
62. Approval of code of practice
63. Publication and operation of approved code of practice
64. Amendment, revocation or replacement of approved code of practice
65. Organisation to comply with applicable code of practice
66. Register
Part 5 -- Complaints
Division 1 -- Preliminary
67. Terms used in this Part
68. What constitutes an interference with privacy
Division 2 -- Complaints and procedure for dealing with them
69. Complaints
70. Who may make a complaint
71. Complaint on behalf of an individual
72. How and when a complaint can be made
73. Commissioner may decide not to deal with a complaint
74. Referral of complaint to respondent in certain circumstances
75. Referral of complaint to Tribunal if Commissioner decides not to deal with it
76. Notification of complaint
77. Withdrawal of complaint
78. Parties to conciliation proceedings
79. Procedure
80. Conciliation proceedings record
81. Power to obtain information and documents and compel attendance
82. Power to examine
83. Commissioner to ensure non-disclosure of certain matter
84. Production of certain health records for inspection
85. Referral of unresolved complaint to Tribunal
86. Provision of information to Tribunal
Division 3 -- Tribunal's jurisdiction as to complaints
87. Meaning of "complaint jurisdiction"
88. Presiding member of Tribunal
89. Tribunal to ensure non-disclosure of certain matter
90. Decisions of the Tribunal
91. Restrictions under other laws not applicable
Division 4 -- Appeals
92. Terms used in this Division
93. Appeal from Tribunal's decision
94. No access to health record containing exempt matter
95. Power to impose terms on orders
96. Court to ensure non-disclosure of certain matter
97. Production of documents
98. Restrictions under other laws not applicable
99. Other procedure
Part 6 -- Exchange of information
100. Terms used in this Part
101. Construction of certain references for the purposes of this Part
102. Exchange of information between agencies
103. Exchange of information between agencies and other persons
104. Scope of disclosure powers
105. Protection from liability for disclosure
Part 7 -- Privacy and Information Commissioner
Division 1 -- Office of Privacy and Information Commissioner
106. Privacy and Information Commissioner
107. Appointment of Commissioner
108. Remuneration
109. Leave and other conditions of service
110. Resignation of Commissioner
111. Removal and suspension from office
112. Deputy Privacy and Information Commissioner
113. Deputy Commissioner may act as Commissioner
114. Acting Commissioner
115. Oath or affirmation of office -- Commissioner, Deputy Commissioner and Acting Commissioner
116. Staff of Commissioner
117. Oath or affirmation of office -- members of staff
118. Rights of officers preserved
119. Offices of Commissioner and Parliamentary Commissioner can be held concurrently
Division 2 -- Functions and powers of Commissioner
120. Functions of Commissioner
121. General powers of Commissioner
122. Powers relating to audit or review
123. Commissioner to report on audit or review
124. Delegation
Division 3 -- Reports to Parliament
125. Annual report under Financial Management Act 2006 to include certain information
126. Special reports
Part 8 -- Miscellaneous
127. Deceased individuals
128. Capacity of authorised representative to give consent
129. Protection from legal action -- access to health records
130. Restrictions under other laws not applicable
131. Confidentiality of information
132. Protection from liability for wrongdoing
133. Failure to provide information or document or to appear
134. Regulations
135. Review of Act
Part 9 -- Amendment of other written laws
Division 1 -- Freedom of Information Act 1992
136. The Act amended
137. Part 4 Division 1 repealed
138. Heading to Part 4 Division 2 amended
139. Section 63 amended
140. Section 64 repealed
141. Heading to Part 4 Division 4 amended
142. Section 79 repealed
143. Section 80 repealed
144. Section 82 repealed
145. Section 111 amended
146. Schedule 2 amended
147. Glossary amended
Division 2 -- Parliamentary Commissioner Act 1971
148. The Act amended
149. Section 4 amended
150. Section 5 amended
151. Section 7 amended
152. Section 12A inserted
12A. Offices of Commissioner and Privacy and Information Commissioner can be held concurrently
153. Section 22B amended
154. Section 31 amended
155. Schedule 1 amended
Division 3 -- Other Acts amended
156. Constitution Acts Amendment Act 1899
157. Financial Management Act 2006
158. State Records Act 2000
Division 4 -- Amendment of subsidiary legislation
159. Power to amend subsidiary legislation
Part 10 -- Transitional provisions
160. Terms used in this Part
161. Continuation of office
162. Staff of former Commissioner
163. References to former Commissioner
Schedule 1 -- Public organisations
Schedule 2 -- Exempt organisations
Schedule 3 -- Information privacy principles
1. Collection
2. Use and disclosure
3. Data quality
4. Data security
5. Openness
6. Identifiers
7. Anonymity
8. Transborder data flows
Schedule 4 -- Health privacy principles
1. Collection
2. Use and disclosure
3. Data quality
4. Data security and data retention
5. Openness
6. Identifiers
7. Anonymity
8. Transborder data flows
9. Transfer or closure of the practice of a health service provider
10. Making health information available to other health service providers
Schedule 5 -- Concurrent appointment as Commissioner and Parliamentary Commissioner
1. Term of office
2. Remuneration and other conditions of service
3. Rights preserved
4. Resignation from office
5. Removal or suspension from office
6. Application of clauses 7 to 10
7. Deputy Commissioners and Acting Commissioners
8. Functions of staff
9. Delegation
10. Confidentiality provisions
Defined Terms
Western Australia
LEGISLATIVE ASSEMBLY
Information Privacy Bill 2007
A Bill for
An Act to --
· provide for the privacy of personal information and health
information held by certain persons and bodies; and
· provide for access to, and amendment of, health records held by
certain persons and bodies; and
· authorise the disclosure in certain circumstances of personal
information or health information held by government agencies;
and
· establish the office of Privacy and Information Commissioner;
and
· amend the Freedom of Information Act 1992, the Parliamentary
Commissioner Act 1971 and other Acts as a consequence of the
enactment of this Act,
and for related purposes.
The Parliament of Western Australia enacts as follows:
Part 1 -- Preliminary
1. Short title
This is the Information Privacy Act 2007.
2. Commencement
This Act comes into operation as follows:
(a) sections 1 and 2 -- on the day on which this Act
receives the Royal Assent;
(b) the rest of the Act -- on a day fixed by proclamation,
and different days may be fixed for different provisions.
3. Objects of Act
The main objects of this Act are --
(a) to promote and protect the privacy of personal
information through the establishment of principles to
be observed by persons and bodies in the public sector
when collecting, holding, using or disclosing such
information; and
(b) to promote and protect the privacy of health information
through the establishment of principles to be observed
by persons and bodies in the public sector and the
private sector when collecting, holding, using or
disclosing such information; and
(c) to facilitate the sharing, in appropriate circumstances, of
personal information or health information held by
persons and bodies in the public sector.
4. Terms used in this Act
(1) In this Act, unless the contrary intention appears --
"access applicant" means the individual by whom or on whose
behalf an access application has been made;
"access application" means an application made under
section 23(1);
"Acting Commissioner" means a person appointed to act in the
office of Commissioner under section 114;
"amendment applicant" means the individual by whom or on
whose behalf an amendment application has been made;
"amendment application" means an application made under
section 43(1);
"applicable code of practice", in relation to an organisation,
means an approved code of practice by which the
organisation is bound;
"approved code of practice" means a code of practice
approved under section 62 as in force from time to time;
"authorised representative" means --
(a) in relation to an individual other than a deceased
individual, a person who --
(i) is a guardian of the individual appointed
under law; or
(ii) has parental responsibility for the individual;
or
(iii) is otherwise empowered under law to perform
any functions or duties as an agent of or in the
best interests of the individual;
and
(b) in relation to a deceased individual, a person who
immediately before the individual's death was a
person to whom paragraph (a)(i), (ii) or (iii) applied;
"child" means a person who is under 18 years of age;
"child protection agency" means --
(a) the department of the Public Service principally
assisting the Minister administering the Children and
Community Services Act 2004 in its administration;
or
(b) a person, body or office prescribed for the purposes
of this definition;
"child protection functions" means functions under an
enactment prescribed for the purposes of this definition;
"Commissioner" means the person holding the office of
Privacy and Information Commissioner established by
section 106;
"complaint" means a complaint referred to in section 69;
"contractor" means --
(a) a person or body (other than a person or body
referred to in Schedule 1) to the extent that the person
or body handles personal information under a
contract --
(i) between the person or body and a person,
body or office referred to in Schedule 1; and
(ii) entered into after the commencement of
Part 2;
or
(b) a subcontractor to a person or body to whom or
which paragraph (a) applies to the extent that the
subcontractor handles personal information referred
to in that paragraph;
"contravene" includes to fail to comply with;
"Corruption and Crime Commission" means the Corruption
and Crime Commission established under the Corruption
and Crime Commission Act 2003;
"court" includes a tribunal;
"Deputy Commissioner" means a person holding the office of
Deputy Privacy and Information Commissioner established
by section 112;
"disability" has the meaning given in the Disability Services
Act 1993 section 3;
"document" means --
(a) any record; or
(b) any part of a record; or
(c) any copy, reproduction or duplicate of a record; or
(d) any part of a copy, reproduction or duplicate of a
record;
"exempt organisation" means a person, body or office referred
to in Schedule 2 and includes staff under the control of the
person, body or office;
"FOI Act" means the Freedom of Information Act 1992;
"handle", in relation to personal information or health
information, means to collect, hold, use or disclose;
"health information" has the meaning given in section 5;
"health privacy principle" or "HPP" means a health privacy
principle set out in Schedule 4;
"health record" means a document that contains health
information;
"health service" means --
(a) an activity performed in relation to an individual that
is intended or claimed (expressly or otherwise) by the
organisation performing it --
(i) to assess, maintain or improve the individual's
health; or
(ii) to diagnose the individual's illness, injury or
disability; or
(iii) to treat the individual's illness, injury or
disability or suspected illness, injury or
disability;
or
(b) a disability service, palliative care service or aged
care service; or
(c) the dispensing on prescription of a drug or medicinal
preparation by a pharmacist,
but does not include a health service, or a class of health
service, that is prescribed as an exempt health service or to
the extent that it is prescribed as an exempt health service;
"health service provider" means an organisation that provides
a health service in Western Australia to the extent that it
provides a health service, but does not include a health
service provider, or a class of health service provider, that
is prescribed as an exempt health service provider or to the
extent that it is prescribed as an exempt health service
provider;
"identifier" means an identifier (usually a number) assigned by
an organisation to an individual uniquely to identify the
individual for the purposes of the operations of the
organisation but does not include an identifier that consists
only of the individual's name;
"illness" means a physical, mental or psychological illness and
includes a suspected illness;
"information privacy principle" or "IPP" means an
information privacy principle set out in Schedule 3;
"judicial office" includes an office as a member of a tribunal;
"law enforcement agency" means --
(a) the Australian Crime Commission established by the
Australian Crime Commission Act 2002
(Commonwealth); or
(b) the board established under the Criminal Law
(Mentally Impaired Accused) Act 1996 section 41; or
(c) the board established under the Sentence
Administration Act 2003 section 102; or
(d) the board established under the Young Offenders
Act 1994 section 151; or
(e) the Commissioner for Public Sector Standards
appointed under the Public Sector Management
Act 1994; or
(f) the Commissioner for State Revenue; or
(g) the Corruption and Crime Commission; or
(h) the department of the Public Service principally
assisting the Minister administering the Police
Act 1892 in its administration; or
(i) the department of the Public Service principally
assisting the Minister administering the Sentence
Administration Act 2003 Part 8 in its administration;
or
(j) the Director of Public Prosecutions appointed under
the Director of Public Prosecutions Act 1991; or
(k) the Police Force of Western Australia, the Australian
Federal Police or the police force of another State or
a Territory; or
(l) a person, body or office prescribed by the regulations
for the purposes of this definition,
and, in relation to a health privacy principle, includes the
Office of Health Review established under the Health
Services (Conciliation and Review) Act 1995 and a
registration board;
"law enforcement functions" means functions that relate to
one or more of the following --
(a) the prevention, detection, investigation, prosecution
or punishment of criminal offences or breaches of a
law imposing a penalty or sanction;
(b) the enforcement of laws relating to the confiscation
of the proceeds of crime;
(c) the protection of public revenue;
(d) the prevention, detection, investigation or remedying
of seriously improper conduct;
(e) the preparation for, or conduct of, proceedings before
a court or implementation of the orders of a court;
"legal representative", in relation to a deceased individual,
means a person who is an executor or administrator of the
deceased individual's estate;
"licensing agency" means a person, body or office prescribed
for the purposes of this definition;
"licensing functions" means functions that relate to --
(a) the grant, suspension or cancellation of licences,
registrations, permits or other authorisations
(however described); or
(b) the administration of a licensing scheme, registration
scheme or similar scheme;
"member of staff" means --
(a) a person appointed under section 116(1); or
(b) a person whose services are used under
section 116(4);
"mental disability" has the meaning given in the Guardianship
and Administration Act 1990 section 3(1);
"organisation" means a public organisation or a private
organisation;
"Parliamentary Commissioner" means the Parliamentary
Commissioner for Administrative Investigations appointed
under the Parliamentary Commissioner Act 1971;
"parliamentary secretary" means --
(a) the parliamentary secretary of the Cabinet; or
(b) a parliamentary secretary holding office under the
Constitution Acts Amendment Act 1899 section 44A;
"personal information" has the meaning given in section 6;
"private organisation" means --
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) a trust; or
(e) an unincorporated association or body,
that is not a public organisation, an exempt organisation or
a small business operator (within the meaning given in the
Privacy Act 1988 (Commonwealth) section 6D);
"public health agency" means --
(a) the department of the Public Service principally
assisting the Minister administering the Health
Act 1911 in its administration; or
(b) a board as defined in the Hospitals and Health
Services Act 1927 section 2; or
(c) a person, body or office prescribed by the regulations
for the purposes of this definition;
"public organisation" means --
(a) a person, body or office referred to in Schedule 1; or
(b) a contractor,
but does not include an exempt organisation;
"public service officer" has the meaning given in the Public
Sector Management Act 1994 section 3(1);
"record" means any record of information however recorded
and includes the following --
(a) any paper or other material, including affixed papers
on which there is writing;
(b) any map, plan, diagram or graph;
(c) any drawing, pictorial or graphic work, or
photograph;
(d) any paper or other material on which there are marks,
figures, symbols or perforations having a meaning for
persons qualified to interpret them;
(e) any article or material from which sounds, images or
writing can be reproduced whether or not with the aid
of some other article or device;
(f) any article on which information has been stored or
recorded, either mechanically, magnetically or
electronically;
"registration board" means a body that is listed in the Health
Services (Conciliation and Review) Act 1995 Schedule 1;
"relative" of an individual means --
(a) the individual's spouse or de facto partner; or
(b) a parent, step-parent or grandparent of the individual;
or
(c) a child, step-child or grandchild of the individual; or
(d) a brother, sister, step-brother or step-sister of the
individual;
"remuneration" has the meaning given in the Salaries and
Allowances Act 1975 section 4(1);
"wellbeing" has the meaning given in the Children and
Community Services Act 2004 section 3.
(2) A reference in this Act to an IPP followed by a designation is a
reference to the provision with that designation in Schedule 3.
(3) A reference in this Act to an HPP followed by a designation is a
reference to the provision with that designation in Schedule 4.
(4) A reference in this Act to the Commissioner's functions
includes a reference to functions given to the Commissioner
under the FOI Act.
5. Meaning of "health information"
(1) Health information is --
(a) information or an opinion about --
(i) the physical, mental or psychological health (at
any time) of an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual's expressed wishes about the future
provision of health services to him or her; or
(iv) a health service provided, or to be provided, to
an individual,
that is also personal information; or
(b) other personal information collected to provide, or in
providing, a health service; or
(c) other personal information about an individual collected
in connection with the donation, or intended donation,
by the individual of his or her body tissue; or
(d) other personal information, including genetic
information, about an individual in a form which is, or
could be, predictive of the health of the individual or
any other individual.
(2) In subsection (1)(c) --
"body tissue" includes an organ or part of the human body or a
substance extracted from, or from a part of, the human
body.
(3) Health information does not include information, or a class of
information, that is prescribed as exempt health information.
6. Meaning of "personal information"
(1) Personal information is information or an opinion, whether true
or not, and whether recorded in a material form or not, about an
individual, whether living or dead --
(a) whose identity is apparent or can reasonably be
ascertained from the information or opinion; or
(b) who can be identified by reference to an identifier or an
identifying particular such as a fingerprint, retina print
or body sample.
(2) Personal information does not include --
(a) information about an individual who has been dead for
more than 30 years; or
(b) information about an individual who --
(i) is included in a witness protection program as
defined in the Witness Protection (Western
Australia) Act 1996 section 3(1); or
(ii) is the subject of witness protection arrangements
made under another written law;
or
(c) information about an individual arising out of a Royal
Commission established under the Royal Commissions
Act 1968; or
(d) information about an individual that is contained in an
appropriate disclosure of public interest information
made under the Public Interest Disclosure Act 2003; or
(e) information about an individual that is contained in a
document containing matter that is exempt matter under
the FOI Act Schedule 1 clause 1; or
(f) information about an individual that is of a class, or is
contained in a document of a class, prescribed for the
purposes of this subsection.
7. When information is held
(1) In this section --
"entity" means a public organisation, a private organisation or
an exempt organisation;
"officer" of an entity includes --
(a) the principal officer of the entity; and
(b) a director of the entity; and
(c) a member of the entity; and
(d) a person employed in, by, or for the purposes of, the
entity.
(2) For the purposes of this Act, an entity holds personal
information or health information if the information is contained
in a document that is in the possession or under the control of
the entity, whether alone or jointly with other persons or bodies,
including a document to which the entity is entitled to access
and a document in the possession or under the control of an
officer of the entity in his or her capacity as such an officer.
(3) For the purposes of this Act, an entity holds a health record if
the health record is in the possession or under the control of the
entity, whether alone or jointly with other persons or bodies,
including a health record to which the entity is entitled to access
and a health record in the possession or under the control of an
officer of the entity in his or her capacity as such an officer.
8. Related public organisations
A person is not to be regarded as a separate public organisation
by reason of --
(a) holding office as a member or other officer of a public
organisation; or
(b) holding an office established for the purposes of a public
organisation.
9. Application to courts, registries and judicial officers
(1) Nothing in this Act applies to the handling of personal
information or health information by a court unless the
information relates to matters of an administrative nature.
(2) For the purposes of this Act a registry or other office of a court
and the staff of such a registry or other office are part of the
court.
(3) A person holding a judicial office or other office pertaining to a
court, being an office established by the written law establishing
the court, is not a public organisation and is not included in a
public organisation.
10. Publicly available information
Nothing in this Act applies to personal information or health
information contained in a document that is --
(a) available for purchase by the public or free distribution
to the public; or
(b) available for inspection (whether for a fee or charge or
not) under a written law; or
(c) a State archive to which a person has a right to be given
access under the State Records Act 2000 Part 6 despite
the FOI Act; or
(d) publicly available library material held by public
organisations for reference purposes; or
(e) made or acquired by an art gallery, museum or library
and preserved for public reference or exhibition
purposes.
11. Application of certain privacy principles to law enforcement
agencies and child protection agencies
(1) A law enforcement agency does not have to comply with IPP 1,
IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it
believes on reasonable grounds that the non-compliance is
necessary for the purposes of one or more of its, or any other
law enforcement agency's, law enforcement functions.
(2) A child protection agency does not have to comply with IPP 1,
IPP 2, IPP 6, IPP 8, HPP 1, HPP 2, HPP 6 or HPP 8 if it
believes on reasonable grounds that the non-compliance is
necessary --
(a) for the purposes of one or more of its, or any other child
protection agency's, child protection functions; or
(b) in connection with the conduct of proceedings
commenced, or about to be commenced, in any court.
12. Relationship to FOI Act and State Records Act 2000
Nothing in this Act affects the operation of the FOI Act or the
State Records Act 2000.
13. Nature of rights created by this Act
Except to the extent expressly provided by this Act --
(a) nothing in this Act or an approved code of practice gives
rise to a cause of action or creates an enforceable right;
and
(b) a contravention of this Act or an approved code of
practice does not give rise to an offence.
14. Act binds Crown
This Act binds the Crown in right of the State and, so far as the
legislative power of the State permits, the Crown in its other
capacities.
Part 2 -- Personal information privacy
15. Information privacy principles
(1) The information privacy principles are set out in Schedule 3.
(2) If there is an inconsistency between an IPP and an approved
code of practice, the code of practice prevails to the extent of
the inconsistency.
(3) If there is an inconsistency between an IPP and another
enactment, the other enactment prevails to the extent of the
inconsistency.
16. Application of information privacy principles
(1) The information privacy principles apply to a public
organisation unless this Act or another enactment expressly
provides otherwise.
(2) The application of an IPP to a public organisation may be
modified by an approved code of practice.
(3) The information privacy principles do not apply to personal
information that is also health information.
(4) IPP 1 and IPP 3 (so far as it relates to the collection of personal
information) apply only in relation to the collection of personal
information on or after the commencement of this section.
(5) IPP 2, IPP 3 (so far as it relates to personal information used or
disclosed), IPP 4, IPP 5, IPP 6 and IPP 8 apply in relation to
personal information held by a public organisation regardless of
whether the organisation holds the information as a result of
collection occurring before, on or after the commencement of
this section.
17. Public organisations to comply with information privacy
principles
A public organisation must not do any thing, or engage in any
practice, that contravenes an IPP that applies to the public
organisation.
Part 3 -- Health information privacy
Division 1 -- Health privacy principles
18. Health privacy principles
(1) The health privacy principles are set out in Schedule 4.
(2) If there is an inconsistency between an HPP and an approved
code of practice, the code of practice prevails to the extent of
the inconsistency.
(3) If there is an inconsistency between an HPP and another
enactment, the other enactment prevails to the extent of the
inconsistency.
19. Application of health privacy principles
(1) The health privacy principles apply to an organisation that is a
health service provider or collects, holds or uses health
information unless this Act or another enactment expressly
provides otherwise.
(2) The application of an HPP to an organisation may be modified
by an approved code of practice.
(3) HPP 1 and HPP 3 (so far as it relates to the collection of health
information) apply only in relation to the collection of health
information on or after the commencement of this section.
(4) HPP 2, HPP 3 (so far as it relates to health information used or
disclosed), HPP 4, HPP 5, HPP 6, HPP 8, HPP 9 and HPP 10
apply in relation to health information held by an organisation
regardless of whether the organisation holds the information as
a result of collection occurring before, on or after the
commencement of this section.
20. Organisations to comply with health privacy principles
(1) In this section --
"transitional period" means --
(a) the period that ends on the second anniversary of the
commencement of this section; or
(b) any extension of that period under subsection (4) in
relation to a specified contract.
(2) An organisation must not do any thing, or engage in any
practice, that contravenes an HPP that applies to the
organisation.
(3) Subsection (2) does not apply to the doing of any thing, or the
engaging in of any practice, by an organisation that, but for this
subsection, would constitute a contravention of HPP 1 or
HPP 2, if --
(a) doing the thing or engaging in the practice is necessary
for the performance of a contract to which the
organisation is a party that was entered into by the
organisation before the commencement of this section;
and
(b) the thing is done or the practice is engaged in before the
end of the transitional period.
(4) On the application of an organisation before the expiry of the
transitional period, the Commissioner may extend that period in
relation to a specified contract if he or she is satisfied that the
organisation is doing its best --
(a) to comply with HPP 1 or HPP 2 consistent with its
obligations under the contract; and
(b) to seek to have the contract renegotiated to enable the
organisation to comply fully with HPP 1 or HPP 2.
Division 2 -- Access to health records
Subdivision 1 -- Preliminary
21. Application of Division
(1) This Division does not apply to a health record held by an
organisation if the organisation is an agency for the purposes of
the FOI Act.
(2) This Division applies to a health record held by an organisation
regardless of whether the health record contains health
information collected before or after the commencement of this
Division.
Subdivision 2 -- Right of access and access applications
22. Right of access
(1) Subject to and in accordance with this Division, an individual
has a right to be given access to a health record relating to the
individual that is held by an organisation.
(2) Subject to this Division, an individual's right to be given access
is not affected by --
(a) any reasons the individual has for wishing to obtain
access; or
(b) an organisation's belief as to what are the individual's
reasons for wishing to obtain access.
23. Access application
(1) An individual who wishes to obtain access to a health record
relating to the individual that is held by an organisation may
make an application to the organisation.
(2) If the circumstances of the individual require it, the organisation
must take reasonable steps to help the individual make an access
application in a manner that complies with this Division.
(3) In particular, if an access application does not comply with the
requirements of section 24 the organisation must take
reasonable steps under subsection (2) to help the individual to
change the application so that it complies with those
requirements.
24. How access application is made
(1) An access application must --
(a) be in writing; and
(b) give enough information to enable the health record to
be identified; and
(c) give an address in Australia to which notices under this
Division can be sent; and
(d) give any other information or details required under the
regulations; and
(e) be accompanied by any application fee payable under
the regulations.
(2) An access application may request that access to the health
record be given in a particular way described in section 38.
25. Withdrawal of access application
An access applicant may withdraw an access application by
giving a written notice to that effect to the organisation.
Subdivision 3 -- Procedure for dealing with access applications
26. Decisions as to access and charges
(1) In this section --
"permitted period" means the period of 45 days after the
relevant access application is received or such other period
as is agreed between the organisation and the access
applicant or allowed by the Commissioner under
subsection (4) or (5).
(2) Subject to this Subdivision, an organisation must deal with an
access application as soon as is practicable (and, in any event,
before the end of the permitted period) by --
(a) considering the application and deciding --
(i) whether to give or refuse access to the requested
health record; and
(ii) any charge payable for dealing with the
application;
and
(b) giving the access applicant written notice of the decision
in accordance with section 40.
(3) If an access applicant does not receive notice under
subsection (2)(b) within the permitted period the organisation is
taken to have refused, at the end of that period, to give access to
the health record and the access applicant is taken to have
received written notice of that refusal on the day on which that
period ended.
(4) On the application of an access applicant, the Commissioner
may reduce the time allowed to an organisation to comply with
subsection (2).
(5) On the application of an organisation, the Commissioner, on
being satisfied that the organisation has attempted to comply
with subsection (2) within 45 days but that it is impracticable, in
the circumstances, for it to comply within that time, may allow
the organisation an extension of time to comply on such
conditions as the Commissioner thinks fit.
(6) If an extension of time is allowed under subsection (5) the
organisation must give written notice of the extension to the
access applicant as soon as is practicable.
27. Organisation may request consultation or further
information
(1) In order to deal with an access application the organisation may
in a written notice given to the access applicant request the
applicant to consult with, or provide further information to, the
organisation about the application.
(2) A notice under subsection (1) must --
(a) give details of the access application; and
(b) state that the notice is given under this section; and
(c) state the name and designation of the officer of the
organisation who must be consulted or informed.
(3) An organisation is not allowed under subsection (1) --
(a) to request the access applicant to provide information as
to the access applicant's reasons for wishing to obtain
access to the requested health record; or
(b) to inquire as to those reasons in the course of
consultation.
28. Ambit of access application may be reduced by agreement
If it is apparent from the terms of an access application that the
access applicant seeks information of a certain kind contained in
a health record held by the organisation, the organisation may,
with the agreement of the access applicant, deal with the access
application as if it were an application relating only to that part
of the health record that contains information of that kind.
29. Charges for access to health records
(1) Any charge that is required to be paid by an access applicant
before access to a health record is given, must be calculated by
an organisation in accordance with the following principles or,
where those principles require, must be waived --
(a) a charge may be made for the time taken to search for
the health record to which access is requested but any
such charge --
(i) must be fixed on an hourly rate basis; and
(ii) must not cover additional time, if any, spent by
the organisation in searching for a health record
that was lost or misplaced;
(b) a charge may be made for the reasonable costs incurred
by an organisation in --
(i) supervising the inspection of a health record; or
(ii) giving a copy of a health record; or
(iii) giving a summary or explanation of the
information contained in a health record;
(c) a charge must be waived or be reduced if the access
applicant is impecunious;
(d) a charge must not exceed such amount as may be
prescribed from time to time.
(2) Subject to section 31, an organisation must not require payment
of a charge before it notifies the access applicant of its decision
to give access to a health record.
30. Estimate of charges
(1) When making an access application the access applicant may
request an estimate of the charges that might be payable for
dealing with the application.
(2) If a request is made under subsection (1) the organisation must
notify the access applicant of its estimate, and the basis on
which its estimate is made, as soon as is practicable.
(3) If the organisation estimates that the charges for dealing with
the access application might exceed the prescribed amount then,
whether or not a request has been made under subsection (1),
the organisation must give the access applicant a notice that --
(a) sets out its estimate, and the basis on which its estimate
is made; and
(b) asks whether the access applicant wishes to proceed
with the application; and
(c) gives details of the effect of section 32(1)(b).
(4) Unless a greater amount is prescribed by regulation, $60 is the
"prescribed amount" for the purposes of subsection (3).
31. Advance deposits
(1) An organisation may, in a notice given to an access applicant
under section 30(3), require the applicant to pay a deposit of a
prescribed amount or at a prescribed rate on account of the
charges for dealing with the access application.
(2) If payment of a deposit is required, the organisation must, at the
request of the access applicant, discuss with the applicant
practicable alternatives for changing the access application or
reducing the anticipated charges, including reduction of the
charges if the applicant waives, either conditionally or
unconditionally, the need for compliance by the organisation
with the time limit imposed by section 26(2).
(3) If payment of a deposit is required, the notice referred to in
subsection (2) must also give details of --
(a) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights; and
(b) the effect of section 32(2)(b).
32. Failure of access applicant to notify intention or pay deposit
(1) If an organisation has given an access applicant a notice under
section 30(3) --
(a) the period commencing on the day on which the notice
was given, and ending on the day on which the
organisation is notified that the applicant intends to
proceed with the access application, is to be disregarded
for the purposes of section 26(1); and
(b) if intention to proceed is not notified within 30 days (or
such further time as the organisation allows) after the
day on which the notice was given, the applicant is to be
taken to have withdrawn the access application.
(2) If the notice referred to in subsection (1) requires the access
applicant to pay a deposit --
(a) the period commencing on the day on which the notice
was given, and ending on the day on which the deposit
is paid, is to be disregarded for the purposes of
section 26(1); and
(b) if the deposit is not paid within 30 days (or such further
time as the organisation allows) after the day on which
the notice was given, the applicant is to be taken to have
withdrawn the access application.
(3) Any period during which the requirement to pay a deposit is the
subject of proceedings under Part 5 is to be disregarded for the
purposes of subsection (2)(b).
33. Organisation may refuse to deal with an application in
certain cases
(1) If an organisation considers that the work involved in dealing
with the access application would divert a substantial and
unreasonable portion of the organisation's resources away from
its other operations, the organisation must take reasonable steps
to help the access applicant to change the application to reduce
the amount of work needed to deal with it.
(2) If after help has been given to change the access application the
organisation still considers that the work involved in dealing
with the application would divert a substantial and unreasonable
portion of the organisation's resources away from its other
operations, the organisation may refuse to deal with the
application.
(3) An organisation may refuse to deal with an access application if
the application is substantially in the same terms as one already
made by the access applicant to the organisation.
(4) If, under subsection (2) or (3), an organisation refuses to deal
with an access application, it must give the access applicant
written notice of the refusal without delay.
(5) The notice must give details of --
(a) the reasons for the refusal and the findings on any
material questions of fact underlying those reasons,
referring to the material on which those findings are
based; and
(b) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
34. Giving access
If an organisation decides to give access to a health record and
the charges imposed for dealing with the access application
have been paid, the organisation must give the access applicant
access to the health record.
35. Refusal of access
Subject to section 36, an organisation may refuse access to a
health record on one or more of the following grounds --
(a) giving access would pose a serious threat to the life,
health, safety or welfare of any individual;
(b) giving access would have an unreasonable impact on the
privacy of any other individual;
(c) the health record --
(i) relates to existing or anticipated legal
proceedings between the organisation (or a
person insured by the organisation) and the
access applicant, and the health record would not
be accessible by the process of discovery in those
proceedings; or
(ii) is otherwise subject to legal professional
privilege;
(d) giving access would reveal the intentions of the
organisation in relation to negotiations, other than about
the provision of a health service, with the access
applicant in such a way as to expose the organisation
unreasonably to disadvantage;
(e) giving access would be unlawful;
(f) refusal of access is required or authorised by or under
law;
(g) giving access would be likely to prejudice an
investigation of possible unlawful activity;
(h) giving access would be likely to prejudice a function
performed by or on behalf of a law enforcement agency.
36. Access to edited copy of health record
(1) If an access application requests access to a health record and --
(a) one or more of the grounds referred to in section 35
apply to particular matter contained in the health record;
and
(b) it is practicable for the organisation to edit a copy of the
health record so as to delete that matter; and
(c) the organisation considers (either from the terms of the
application or after consultation with the access
applicant) that the applicant would wish to be given
access to an edited copy,
the organisation must make and give access to an edited copy.
(2) If an access application requests access to a health record and --
(a) the health record contains matter that may reasonably be
regarded as being outside the ambit of the application;
and
(b) it is practicable for the organisation to edit a copy of the
health record so as to delete that matter; and
(c) the organisation considers (either from the terms of the
application or after consultation with the access
applicant) that the applicant would wish to be given
access to an edited copy,
the organisation may make and give access to an edited copy.
37. Health records that cannot be found or do not exist
(1) An organisation may advise an access applicant, by written
notice, that it is not possible to give access to a health record
if --
(a) all reasonable steps have been taken to find the health
record; and
(b) the organisation is satisfied that the health record --
(i) is in the organisation's possession but cannot be
found; or
(ii) does not exist.
(2) For the purposes of this Act the sending of a notice under
subsection (1) in relation to a health record is to be regarded as a
decision to refuse access to the health record.
38. Ways in which access can be given
(1) Subject to subsection (3), access to a health record may be given
to an access applicant in one or more of the following ways --
(a) by giving a reasonable opportunity to inspect the health
record;
(b) by giving a copy of the health record;
(c) by giving a summary of the health information
contained in the health record;
(d) by giving an explanation of the health information
contained in the health record.
(2) If an access applicant has requested that access to a health
record be given in a particular way described in subsection (1)
and access is given in some other way, the applicant is not
required to pay a charge in respect of the giving of access that is
greater than the charge that the applicant would have been
required to pay if access had been given in the way that was
requested.
(3) If a health record contains only health information collected
before the commencement of this Division, access to the health
record may be given to an access applicant by giving a summary
of that information.
(4) This section does not prevent an organisation from giving
access to a health record in any way agreed on between the
organisation and an access applicant.
39. Information detrimental to health of access applicant
If a health record to which an organisation has decided to give
access contains information that, in the opinion of the
organisation, may have a substantial adverse effect on the
physical, mental or psychological health of the access
applicant --
(a) it is sufficient compliance with this Division if access to
the health record is given to a suitably qualified person
nominated in writing by the access applicant; and
(b) the organisation may withhold access until a person who
is, in the opinion of the organisation, suitably qualified
is nominated.
40. Notice of decision
The notice that an organisation gives an access applicant under
section 26(2)(b) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) if the decision is that access is to be given to an edited
copy of a health record under section 36(1) or (2) --
(i) the fact that access is to be given to an edited
copy; and
(ii) the grounds on which matter has been deleted;
and
(d) if the decision is to give access to a health record in a
way other than the way requested by the access
applicant -- the reasons for giving access that other
way; and
(e) if the decision is to give access to a health record in the
manner referred to in section 39 -- the arrangements to
be made for giving access to the record; and
(f) if the decision is to refuse access to a health record --
the grounds for the refusal and the findings on any
material questions of fact underlying those grounds,
referring to the material on which those findings were
based; and
(g) if the decision is that the access applicant is to pay a
charge to the organisation -- the amount of the charge
and the basis on which the amount was calculated; and
(h) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
41. Applications may be regarded as having been withdrawn in
certain circumstances
(1) An organisation may in a written notice given to an access
applicant (a "compliance notice") advise the applicant that the
applicant may be regarded by the organisation as having
withdrawn the access application if the applicant does not --
(a) comply with a request of the organisation contained in a
notice under section 27(1), to consult with, or provide
further information to, the organisation about the access
application; or
(b) nominate a suitably qualified person under section 39; or
(c) obtain access to the requested health record,
within the period of 30 days after the day on which the
compliance notice was given to the applicant.
(2) Subsection (1)(c) applies if the access applicant has been given
notice under section 26(2)(b) of the organisation's decision to
give access to the requested health record.
(3) A compliance notice must --
(a) give details of the access application; and
(b) state that the notice is given under this section and that
failure to comply with it may result in the applicant
being regarded as having withdrawn the access
application; and
(c) in the case of a notice under subsection (1)(a), give
details of the notice under section 27(1) that it refers to;
and
(d) in the case of a notice under subsection (1)(b), state the
name and designation of the officer of the organisation
who must be consulted or informed; and
(e) in the case of a notice under subsection (1)(c), state the
name and designation of the officer of the organisation
from whom access to the health record is to be obtained.
(4) An organisation may regard an access applicant as having
withdrawn the access application if, within the period of 30 days
after the day on which the organisation gave the applicant a
compliance notice, the applicant does not --
(a) in the case of a notice under subsection (1)(a), comply
with the request referred to in the notice; or
(b) in the case of a notice under subsection (1)(b), nominate
a suitably qualified person under section 39; or
(c) in the case of a notice under subsection (1)(c), obtain
access to the requested health record.
(5) If an organisation decides to regard an access applicant as
having withdrawn the access application, the organisation must
give the applicant a written notice of that decision.
(6) The notice under subsection (5) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) the reasons for deciding to regard the access applicant as
having withdrawn the access application; and
(d) the rights of the access applicant under Part 5 and the
procedure to be followed to exercise those rights.
Division 3 -- Amendment of health records
Subdivision 1 -- Preliminary
42. Application of Division
(1) This Division does not apply to a health record held by an
organisation if the organisation is an agency for the purposes of
the FOI Act.
(2) This Division applies to a health record held by an organisation
regardless of whether the health record contains health
information collected before or after the commencement of this
Division.
Subdivision 2 -- Right to apply for amendment and
amendment applications
43. Right to apply for health record to be amended
(1) An individual has a right to apply to an organisation for
amendment of a health record relating to the individual that is
held by the organisation if the health record is inaccurate,
incomplete, out of date or misleading.
(2) If the circumstances of the individual require it, the organisation
must take reasonable steps to help the individual make an
amendment application in a manner that complies with this
Division.
(3) In particular, if an amendment application does not comply with
the requirements of section 44 the organisation must take
reasonable steps under subsection (2) to help the individual to
change the application so that it complies with those
requirements.
44. How amendment application is made
(1) An amendment application must --
(a) be in writing; and
(b) give enough information to enable the health record to
be identified; and
(c) give details of the matters in relation to which the
amendment applicant believes the health record is
inaccurate, incomplete, out of date or misleading; and
(d) give the amendment applicant's reasons for holding that
belief; and
(e) give details of the amendment that the amendment
applicant wishes to have made; and
(f) give an address in Australia to which notices under this
Division can be sent; and
(g) give any other information or details required under the
regulations.
(2) For the purposes of subsection (1)(e) the amendment application
must state whether the amendment applicant wishes the
amendment to be made by --
(a) altering information contained in the health record
(otherwise than by deletion); or
(b) inserting information into the health record; or
(c) inserting a note into the health record,
or in 2 or more of those ways.
Subdivision 3 -- Procedure for dealing with amendment applications
45. Decisions as to amendment
(1) In this section --
"permitted period" means the period of 30 days after the
relevant amendment application is received or such other
period as is agreed between the organisation and the
amendment applicant or allowed by the Commissioner
under subsection (4).
(2) Subject to this Subdivision, an organisation must deal with an
amendment application as soon as is practicable (and, in any
event, before the end of the permitted period) by --
(a) considering the application and deciding whether to
amend the health record; and
(b) giving the amendment applicant written notice of the
decision in accordance with section 46.
(3) If an amendment applicant does not receive notice under
subsection (2)(b) within the permitted period the organisation is
taken to have refused, at the end of that period, to amend the
health record and the amendment applicant is taken to have
received written notice of that refusal on the day on which that
period ended.
(4) On the application of an organisation, the Commissioner, on
being satisfied that the organisation has attempted to comply
with subsection (2) within 30 days but that it is impracticable, in
the circumstances, for it to comply within that time, may allow
the organisation an extension of time to comply on such
conditions as the Commissioner thinks fit.
(5) If an extension of time is allowed under subsection (4) the
organisation must give written notice of the extension to the
access applicant as soon as is practicable.
46. Notice of decision
The notice that an organisation gives an amendment applicant
under section 45(2)(b) must give details of --
(a) the day on which the decision was made; and
(b) the name and designation of the person who made the
decision; and
(c) if the decision is to amend the health record -- details of
the amendment made; and
(d) if the decision is to refuse to amend the health record --
(i) the reasons for the refusal and the findings on
any material questions of fact underlying those
reasons, referring to the material on which those
findings were based; and
(ii) the rights of the amendment applicant under
Part 5 and the procedure to be followed to
exercise those rights; and
(iii) the right to request that a notation or attachment
be made to the health record and the procedure to
be followed to exercise that right.
47. How organisation may amend health record
(1) If an organisation decides to amend a health record it may make
the amendment by --
(a) altering information contained in the health record
(otherwise than by deletion); or
(b) inserting information into the health record; or
(c) inserting a note into the health record,
or in 2 or more of those ways.
(2) If the organisation inserts a note into the health record the note
must --
(a) give details of the matters in relation to which the health
record is inaccurate, incomplete, out of date or
misleading; and
(b) if the health record is incomplete or out of date -- set
out whatever information is needed to complete it or
bring it up to date.
48. Request for notation or attachment disputing accuracy of
health record
(1) If an organisation decides not to amend a health record in
accordance with an amendment application, the amendment
applicant may, in writing, request the organisation to make a
notation or attachment to the health record --
(a) giving details of the matters in relation to which the
applicant claims the health record is inaccurate,
incomplete, out of date or misleading; and
(b) if the amendment applicant claims the health record is
incomplete or out of date -- setting out the information
that the applicant claims is needed to complete it or
bring it up to date.
(2) A request may be made under this section whether or not the
amendment applicant has made a complaint in respect of the
organisation's decision under Part 5.
(3) The organisation must comply with the request unless it
considers that the notation or attachment that the amendment
applicant has requested to be made to the health record is
defamatory or unnecessarily voluminous.
(4) If the organisation decides not to comply with the request it
must give the amendment applicant written notice of its decision
giving details of --
(a) the reasons for the decision and the findings on any
material questions of fact underlying those reasons,
referring to the material on which those findings were
based; and
(b) the rights of the amendment applicant under Part 5 and
the procedure to be followed to exercise those rights.
(5) This section does not prevent the organisation from making the
requested notation or attachment in an edited or abbreviated
form, but the making of an edited or abbreviated notation or
attachment does not constitute compliance with the request for
the purposes of subsection (4).
49. Other users of health record to be advised of requested
amendment
(1) If after a request is made under section 48 the organisation gives
the health record to another person (including another
organisation) the organisation must give that other person a
statement that a claim has been made under this Division that
the health record is inaccurate, incomplete, out of date or
misleading.
(2) If a notation or attachment has been made under section 48
particulars of the notation or attachment must be included in or
attached to the statement given under subsection (1).
50. Organisation may give reasons for not amending
information
This Division does not prevent the organisation from adding to
a notation or attachment made under section 48 the
organisation's reasons for deciding not to amend the health
record in accordance with the amendment application, or from
including those reasons in, or attaching them to, a statement
given under section 49(1).
51. No charge for application or request
No fee or other charge is payable in respect of an application or
request under this Division.
Division 4 -- General
52. Part not intended to limit access or amendment that is
otherwise lawful
Nothing in this Part is intended to prevent or discourage the
giving of access to health records, or the amendment of health
records, otherwise than under this Part if that can properly be
done or is permitted or required by law to be done.
53. Application on behalf of an individual
(1) In this section --
"application" means --
(a) an access application; or
(b) an amendment application; or
(c) a request referred to in HPP 9(2) or 10(1).
(2) If an individual is incapable of making an application, an
application may be made on his or her behalf by an authorised
representative of the individual.
(3) For the purposes of subsection (2), an individual is incapable of
making an application if he or she is incapable by reason of age,
illness, physical impairment or mental disability of --
(a) understanding the general nature and effect of making
the application; or
(b) making the application,
despite the provision of reasonable assistance by another person.
54. Personal, family or household affairs
Nothing in this Part or an HPP applies to --
(a) the handling of health information by an individual; or
(b) health information held by an individual,
only for the purposes of, or in connection with, his or her
personal, family or household affairs.
55. News media
(1) In this section --
"news activity" means --
(a) the gathering of news for the purposes of
dissemination to the public or any section of the
public; or
(b) the preparation or compiling of articles or
programmes of or concerning news, observations on
news or current affairs for the purposes of
dissemination to the public or any section of the
public; or
(c) the dissemination to the public or any section of the
public of any article or programme of or concerning
any news, observations on news or current affairs;
"news medium" means any organisation whose business, or
whose principal business, consists of a news activity.
(2) Nothing in the health privacy principles applies to the handling
of health information by a news medium in connection with its
news activities.
(3) Nothing in this Part or HPP 5(2) applies to health information
held by a news medium in connection with its news activities.
Part 4 -- Codes of practice
56. Terms used in this Part
In this Part, unless the contrary intention appears --
"code of practice" means an information privacy code of
practice or a health privacy code of practice;
"health privacy code of practice" means a code of practice
referred to in section 58;
"information privacy code of practice" means a code of
practice referred to in section 57;
"relevant Minister" means --
(a) in relation to an information privacy code of practice,
the Minister administering this Act; and
(b) in relation to a health privacy code of practice, the
Minister administering the Health Act 1911.
57. Information privacy code of practice
(1) An information privacy code of practice is a code of practice
that modifies the application or operation of any one or more of
the information privacy principles.
(2) An information privacy code of practice may apply in relation
to any one or more of the following --
(a) any specified personal information or class of personal
information;
(b) any specified activity or class of activity;
(c) any specified public organisation or class of public
organisation.
(3) An information privacy code of practice must specify --
(a) the public organisations that are bound (either wholly or
to a limited extent) by it; or
(b) a way of determining the public organisations that are so
bound.
(4) An information privacy code of practice can only apply to a
public organisation if the organisation has agreed to be bound
by the provisions of the code.
(5) An information privacy code of practice must not modify the
application or operation of an IPP in relation to a public
organisation unless --
(a) the organisation is not otherwise reasonably capable of
complying with the IPP; and
(b) the application or operation of the IPP is modified only
to the extent reasonably necessary to enable the
organisation to comply with the IPP.
(6) An information privacy code of practice may be expressed to
have effect for a period specified in the code.
58. Health privacy code of practice
(1) A health privacy code of practice is a code of practice that
modifies the application or operation of any one or more of the
health privacy principles.
(2) A health privacy code of practice may apply in relation to any
one or more of the following --
(a) any specified health information or class of health
information;
(b) any specified activity or class of activity;
(c) any specified organisation or class of organisation.
(3) A health privacy code of practice must specify --
(a) the organisations that are bound (either wholly or to a
limited extent) by it; or
(b) a way of determining the organisations that are so
bound.
(4) A health privacy code of practice can only apply to an
organisation if the organisation has agreed to be bound by the
provisions of the code.
(5) A health privacy code of practice must not modify the
application or operation of an HPP in relation to an organisation
unless --
(a) the organisation is not otherwise reasonably capable of
complying with the HPP; and
(b) the application or operation of the HPP is modified only
to the extent reasonably necessary to enable the
organisation to comply with the HPP.
(6) A health privacy code of practice may be expressed to have
effect for a period specified in the code.
59. Preparation of code of practice by organisation
(1) A public organisation may prepare an information privacy code
of practice and submit it to the Commissioner.
(2) An organisation may prepare a health privacy code of practice
and submit it to the Commissioner.
(3) In preparing a code of practice an organisation may --
(a) consult with any person or body it considers appropriate;
and
(b) seek comment from members of the public.
60. Preparation of code of practice by Commissioner
(1) The Commissioner may prepare a code of practice.
(2) In preparing a code of practice the Commissioner may --
(a) consult with any person or body the Commissioner
considers appropriate; and
(b) seek comment from members of the public.
61. Submission of code of practice to relevant Minister
(1) The Commissioner may submit to the relevant Minister for
approval a code of practice --
(a) submitted to the Commissioner under section 59; or
(b) prepared by the Commissioner under section 60.
(2) Before submitting a code of practice referred to in
subsection (1)(a) the Commissioner --
(a) may consult with any person or body the Commissioner
considers appropriate; and
(b) must have regard to the extent to which members of the
public have been given an opportunity to comment on
the code of practice.
62. Approval of code of practice
(1) The relevant Minister may, by notice published in the Gazette,
approve a code of practice submitted under section 61(1) or
refuse to approve it.
(2) The relevant Minister must not give approval unless he or she is
satisfied that the code of practice complies with the
requirements of section 57 or 58, as the case requires.
63. Publication and operation of approved code of practice
An approved code of practice --
(a) must be published in the Gazette; and
(b) comes into operation on the day on which it is so
published or on any later day specified in it.
64. Amendment, revocation or replacement of approved code of
practice
(1) The relevant Minister may, by notice published in the Gazette,
approve the amendment, replacement or revocation of an
approved code of practice.
(2) Sections 59, 60, 61, 62(2) and 63 apply in relation to an
amendment or replacement of an approved code of practice as if
references in them to a code of practice were references to an
amendment or replacement.
(3) If the revocation of an approved code of practice is approved
under subsection (1), the revocation takes effect on the day on
which the notice is published in the Gazette or on any later day
specified in the notice.
65. Organisation to comply with applicable code of practice
An organisation must not do any thing, or engage in any
practice, that contravenes an applicable code of practice.
66. Register
(1) The Commissioner must keep a register of approved codes of
practice.
(2) The register is to be kept in the form and manner determined by
the Commissioner.
(3) A person may during business hours --
(a) inspect the register; and
(b) obtain a copy of, or an extract from, any part of the
register on payment of the prescribed fee, if any.
Part 5 -- Complaints
Division 1 -- Preliminary
67. Terms used in this Part
In this Part --
"access decision" means a decision --
(a) to give access to an edited copy of a health record; or
(b) to refuse access to a health record; or
(c) to give access to a health record in a way other than
in the way requested by the access applicant; or
(d) to give access to a health record in the manner
referred to in section 39 or withhold access under that
section; or
(e) to regard, under section 41, an access applicant as
having withdrawn an access application; or
(f) to impose a charge or require the payment of a
deposit in relation to an access application;
"amendment decision" means a decision --
(a) not to amend a health record in accordance with an
amendment application; or
(b) not to comply with a request by an amendment
applicant to make a notation or attachment to a health
record;
"complainant", in relation to a complaint, means the individual
by or on whose behalf the complaint is made;
"conciliation proceedings" means proceedings conducted by
the Commissioner to deal with a complaint;
"conciliation proceedings record" means a document prepared
under section 80(1) or (3);
"conciliation requirement" has the meaning given in
section 80(1)(b);
"conciliator" has the meaning given in section 79(5)(b);
"deal with" a complaint means, in the case of the
Commissioner, to endeavour to resolve the complaint by
conciliation;
"protected matter" means matter contained in a health record
that gives rise to a ground for refusal of access to the health
record under section 35;
"respondent" means --
(a) in the case of a complaint about an alleged
interference with privacy, the organisation that is
alleged to have done the act or engaged in the
practice to which the complaint relates; or
(b) in the case of a complaint about an access decision or
an amendment decision, the organisation that made
the decision; or
(c) in the case of a complaint about an alleged
contravention of a conciliation requirement, the
organisation that is alleged to have contravened the
requirement;
"Tribunal" means the State Administrative Tribunal.
68. What constitutes an interference with privacy
For the purposes of this Part an interference with the privacy of
an individual occurs if --
(a) a public organisation does any thing or engages in any
practice in relation to personal information about the
individual that contravenes the obligation in section 17;
or
(b) an organisation does any thing or engages in any
practice in relation to health information about the
individual that contravenes the obligation in section 20;
or
(c) an organisation does any thing or engages in any
practice in relation to personal information or health
information about the individual that contravenes the
obligation in section 65.
Division 2 -- Complaints and procedure for dealing with them
69. Complaints
A complaint may be made to the Commissioner about --
(a) an alleged interference with the privacy of an individual;
or
(b) an access decision; or
(c) an amendment decision; or
(d) an alleged contravention of a conciliation requirement.
70. Who may make a complaint
(1) A complaint about an alleged interference with the privacy of an
individual may be made by the individual concerned.
(2) A complaint about an access decision may be made by the
access applicant.
(3) A complaint about an amendment decision may be made by the
amendment applicant.
(4) A complaint about an alleged contravention of a conciliation
requirement may be made by the person who was the
complainant in the conciliation proceedings to which the
relevant conciliation proceedings record relates.
71. Complaint on behalf of an individual
(1) If an individual is incapable of making a complaint, a complaint
may be made on his or her behalf by an authorised
representative of the individual.
(2) For the purposes of subsection (1), an individual is incapable of
making a complaint if he or she is incapable by reason of age,
illness, physical impairment or mental disability of --
(a) understanding the general nature and effect of making
the complaint; or
(b) making the complaint,
despite the provision of reasonable assistance by another person.
72. How and when a complaint can be made
(1) A complaint must --
(a) be in writing; and
(b) give particulars of the alleged interference with privacy,
access decision, amendment decision or alleged
contravention of a conciliation requirement, as the case
requires; and
(c) give an address in Australia to which notices under this
Act can be sent; and
(d) give any other information or details required under the
regulations; and
(e) be lodged at the office of the Commissioner.
(2) A complaint about an alleged interference with privacy may be
lodged within 6 months after the day on which the complainant
first became aware of the alleged interference.
(3) A complaint about an access decision or amendment decision
may be lodged within 6 months after the complainant received
written notice of the decision.
(4) A complaint about an alleged contravention of a conciliation
requirement may be lodged within 6 months after the day on
which the complainant first became aware of the alleged
contravention.
(5) The Commissioner may allow a complaint to be lodged after the
period mentioned in subsection (2), (3) or (4) has expired.
73. Commissioner may decide not to deal with a complaint
(1) The Commissioner may, at any time after receiving a complaint,
decide not to deal with the complaint, or to stop dealing with the
complaint, because --
(a) it was lodged after the expiry of the period mentioned in
section 72(2), (3) or (4) or any further period allowed by
the Commissioner under section 72(5); or
(b) it does not relate to a matter the Commissioner has
power to deal with; or
(c) it is frivolous, vexatious, misconceived or lacking in
substance; or
(d) the complainant has not complained to the respondent
about the alleged interference with privacy, access
decision, amendment decision or alleged contravention
of a conciliation requirement and the Commissioner
considers that it would be appropriate for the respondent
to deal with the complaint; or
(e) the complainant has complained to the respondent about
the alleged interference with privacy, access decision,
amendment decision or alleged contravention of a
conciliation requirement and the Commissioner
considers that the respondent --
(i) has dealt adequately with the complaint; or
(ii) is dealing adequately with the complaint; or
(iii) has not yet had an adequate opportunity to deal
with the complaint;
or
(f) in the case of an alleged interference with privacy or
alleged contravention of a conciliation requirement, the
complainant has made a complaint about the alleged
interference or alleged contravention to the
Parliamentary Commissioner and that complaint is, or
has been, the subject of an investigation under the
Parliamentary Commissioner Act 1971.
(2) If the Commissioner decides not to deal with the complaint, or
to stop dealing with the complaint, the Commissioner must
inform the complainant, by notice in writing, of --
(a) the decision; and
(b) the reasons for the decision; and
(c) the rights, if any, of the complainant under section 75.
74. Referral of complaint to respondent in certain
circumstances
(1) If --
(a) the Commissioner has given a complainant a notice
under section 73(2); and
(b) the reason for the Commissioner's decision is a reason
referred to in section 73(1)(d) or (e)(ii) or (iii),
the Commissioner must --
(c) refer the complaint to the respondent and ask the
respondent to deal with, or continue to deal with, the
complaint; and
(d) notify the complainant in writing of the referral.
(2) If a complaint is referred under subsection (1) --
(a) the respondent must deal with, or continue to deal with,
the complaint (the "initial complaint"); and
(b) the complainant is not entitled to make another
complaint to the Commissioner about the alleged
interference with privacy, access decision, amendment
decision or alleged contravention of a conciliation
requirement that is the subject of the initial complaint
unless --
(i) the respondent has notified the complainant in
writing that the respondent has finished dealing
with the initial complaint; or
(ii) a period of 3 months has elapsed since the
referral of the initial complaint.
75. Referral of complaint to Tribunal if Commissioner decides
not to deal with it
(1) If --
(a) the Commissioner has given a complainant a notice
under section 73(2); and
(b) the reason for the Commissioner's decision is a reason
referred to in section 73(1)(a), (b), (c), (e)(i) or (f),
the complainant may require the Commissioner to refer the
complaint to the Tribunal.
(2) A requirement under subsection (1) is to be made by notice in
writing served on the Commissioner within the period of
21 days after the complainant receives the notice under
section 73(2).
(3) On receipt of a notice under subsection (2), the Commissioner
must refer the complaint to the Tribunal.
76. Notification of complaint
The Commissioner must notify the respondent in writing of a
complaint unless a decision not to deal with it has been made
under section 73.
77. Withdrawal of complaint
(1) A complainant may withdraw a complaint by notice in writing
served on the Commissioner.
(2) If a complaint is withdrawn, the Commissioner must notify the
respondent in writing of the withdrawal.
(3) A complainant who withdraws a complaint is not entitled to
make another complaint in respect of the same alleged
interference with privacy, access decision, amendment decision
or alleged contravention of a conciliation requirement without
the prior written permission of the Commissioner.
78. Parties to conciliation proceedings
(1) Each of the following is a party to conciliation proceedings --
(a) the complainant;
(b) the respondent.
(2) Without limiting section 79(1), if the Commissioner is satisfied
that another person or body might be affected by the outcome of
conciliation proceedings the Commissioner may obtain
information or receive submissions from that person or body.
79. Procedure
(1) In order to deal with a complaint the Commissioner may obtain
information from such persons and sources, and make such
investigations and inquiries, as the Commissioner thinks fit.
(2) Conciliation proceedings are to be conducted with as little
formality and technicality, and with as much expedition, as the
requirements of this Act and a proper consideration of the
matters before the Commissioner permit, and the Commissioner
is not bound by rules of evidence.
(3) The Commissioner must ensure that the parties to conciliation
proceedings are given a reasonable opportunity to make
submissions to the Commissioner.
(4) The Commissioner may determine the procedure for
conciliation proceedings and may give such directions and do
such other things as the Commissioner thinks fit in order to deal
with the complaint.
(5) Without limiting subsection (4), the Commissioner may --
(a) require the parties, or either of them, to appear before
the Commissioner, either separately or together; or
(b) nominate a person (a "conciliator") to deal with the
complaint.
(6) A conciliator --
(a) may require the parties, or either of them, to appear
before the conciliator, either separately or together; but
(b) does not have power to require information or
documents to be given or produced.
(7) If a party is required or permitted to appear in conciliation
proceedings, the party --
(a) is entitled to appear personally or by an agent other than
a solicitor or counsel; or
(b) may, by leave of the Commissioner, be represented by a
solicitor or counsel.
(8) No person other than a solicitor or counsel is entitled to demand
or receive any fee or reward for representing a party in
conciliation proceedings.
(9) If the complaint is referred to the Tribunal, evidence of anything
said or done in conciliation proceedings is not admissible before
the Tribunal.
80. Conciliation proceedings record
(1) If a complaint is resolved by conciliation the Commissioner, in
consultation with the parties to the conciliation proceedings,
must prepare a document that sets out --
(a) the terms on which the complaint is resolved; and
(b) any requirement that is to be complied with by the
respondent (a "conciliation requirement").
(2) Without limiting subsection (1)(b) a conciliation requirement
may consist of --
(a) a requirement to do a particular thing within a particular
period; or
(b) a requirement not to do a particular thing.
(3) If the Commissioner is of the opinion that --
(a) a complaint cannot be resolved by conciliation; or
(b) his or her endeavours to resolve a complaint by
conciliation have not been successful; or
(c) the nature of a complaint is such that it should be
referred to the Tribunal,
the Commissioner must prepare a document that includes a
statement of the Commissioner's opinion under
paragraph (a), (b) or (c).
(4) The Commissioner must give a copy of a document prepared
under subsection (1) or (3) to each party to the conciliation
proceedings.
(5) If the Commissioner has given a complainant a copy of a
document prepared under subsection (3), the Commissioner
must inform the complainant in writing of the complainant's
rights under section 85.
81. Power to obtain information and documents and compel
attendance
(1) If the Commissioner has reason to believe that a person has
information or a document relevant to a complaint, the
Commissioner may give to the person a written notice requiring
the person --
(a) to give the information to the Commissioner in writing
signed by the person or, in the case of a body corporate,
by an officer of the body corporate; or
(b) to produce the document to the Commissioner.
(2) A notice given by the Commissioner under subsection (1) must
state --
(a) the place at which the information or document is to be
given or produced to the Commissioner; and
(b) the time at which, or the period within which, the
information or document is to be given or produced.
(3) If the Commissioner has reason to believe that a person has
information relevant to a complaint, the Commissioner may
give to the person a written notice requiring the person to appear
before the Commissioner at a time and place specified in the
notice to answer questions relevant to the complaint.
82. Power to examine
(1) The Commissioner may administer an oath or affirmation to a
person required under section 81 to appear before the
Commissioner and may examine such a person on oath or
affirmation.
(2) The oath or affirmation to be taken or made by a person for the
purposes of this section is an oath or affirmation that the
answers the person will give will be true.
83. Commissioner to ensure non-disclosure of certain matter
(1) In dealing with a complaint the Commissioner must give such
directions and do such things as the Commissioner thinks
necessary to avoid the disclosure of protected matter.
(2) The Commissioner must not include protected matter in a
conciliation proceedings record.
84. Production of certain health records for inspection
(1) In dealing with a complaint about an access decision the
Commissioner may require an organisation to produce a health
record for inspection so that the Commissioner can consider
whether it contains protected matter.
(2) The Commissioner must do such things as the Commissioner
thinks necessary to ensure that any health record produced to
the Commissioner under subsection (1) is not disclosed to a
person other than a member of the staff of the Commissioner in
the course of the performance of his or her duties as a member
of that staff, and to ensure the return of the health record to the
organisation when the complaint has been dealt with.
(3) If the complaint is referred to the Tribunal, subsection (2) has
effect subject to section 86.
85. Referral of unresolved complaint to Tribunal
(1) If the Commissioner has given a complainant a copy of a
conciliation proceedings record prepared under section 80(3),
the complainant may require the Commissioner to refer the
complaint to the Tribunal.
(2) A requirement under subsection (1) is to be made by notice in
writing served on the Commissioner within the period of
21 days after the complainant receives the copy of the
conciliation proceedings record.
(3) On receipt of a notice under subsection (2), the Commissioner
must refer the complaint to the Tribunal.
86. Provision of information to Tribunal
(1) If a complaint is referred to the Tribunal under section 75 or 85,
the Commissioner must provide the following to the Tribunal --
(a) a statement of the reasons for referring the complaint to
the Tribunal;
(b) other documents and other material in the
Commissioner's possession or under the
Commissioner's control and relevant to the Tribunal's
consideration of the complaint.
(2) In the case of a referral under section 85, subsection (1)(b)
extends to a copy of the conciliation proceedings record but
does not extend to a document that records anything said or
done in the conciliation proceedings.
(3) Subsection (1) does not affect the organisation's obligation to
provide a statement, documents and material to the Tribunal
under the State Administrative Tribunal Act 2004 section 24.
Division 3 -- Tribunal's jurisdiction as to complaints
87. Meaning of "complaint jurisdiction"
In this Division --
"complaint jurisdiction" means --
(a) the Tribunal's original jurisdiction, as defined in the
State Administrative Tribunal Act 2004 section 3(1),
in relation to an alleged interference with privacy or
alleged contravention of a conciliation requirement
that is the subject of a complaint referred to the
Tribunal under section 75 or 85; or
(b) the Tribunal's review jurisdiction, as defined in the
State Administrative Tribunal Act 2004 section 3(1),
in relation to an access decision or amendment
decision that is the subject of a complaint referred to
the Tribunal under section 75 or 85.
88. Presiding member of Tribunal
(1) When the Tribunal is exercising its complaint jurisdiction its
presiding member must be a legally qualified member.
(2) Terms used in subsection (1) relating to members of the
Tribunal have the meanings given in the State Administrative
Tribunal Act 2004 section 3(1).
89. Tribunal to ensure non-disclosure of certain matter
(1) In conducting a proceeding in its complaint jurisdiction the
Tribunal must avoid the disclosure of protected matter.
(2) If it is necessary to do so in the interests of justice, the Tribunal
may by order permit a solicitor or counsel representing a party
to a proceeding in its complaint jurisdiction to examine the
health record to which the proceeding relates.
(3) Permission may be given under subsection (2) on such terms
and conditions as the Tribunal thinks fit.
(4) Without limiting subsection (3), permission may be given under
subsection (2) on the condition that the solicitor or counsel does
not disclose, to a party to the proceeding or to another person,
protected matter.
(5) If in the opinion of the Tribunal it is necessary to do so in order
to prevent disclosure of protected matter the Tribunal may
receive evidence and hear argument in the absence of the public
and any party or person representing a party.
(6) The Tribunal must not include protected matter in its decision or
in reasons given for the decision.
90. Decisions of the Tribunal
(1) At the conclusion of a proceeding in its complaint jurisdiction
relating to an alleged interference with privacy the Tribunal
may --
(a) dismiss the complaint; or
(b) find the complaint or any part of it substantiated and
make any one or more of the following orders --
(i) an order restraining the respondent from
repeating or continuing the interference with
privacy;
(ii) an order that the respondent perform any
reasonable act or course of conduct to redress
any loss or damage suffered by the complainant
as a result of the interference with privacy;
(iii) an order that the respondent pay to the
complainant a specified amount, not exceeding
$40 000, by way of compensation for any loss or
damage suffered by the complainant as a result
of the interference with privacy;
or
(c) find the complaint or any part of it substantiated but
decline to take any further action in relation to the
matter.
(2) At the conclusion of a proceeding in its complaint jurisdiction
relating to an alleged contravention of a conciliation
requirement the Tribunal may --
(a) dismiss the complaint; or
(b) find the complaint or any part of it substantiated and
make an order that the respondent comply with the
conciliation requirement within the period (if any)
specified in the order; or
(c) find the complaint or any part of it substantiated but
decline to take any further action in relation to the
matter.
(3) In a proceeding in its complaint jurisdiction relating to an access
decision or amendment decision, the Tribunal has, in addition to
any other power it has under the State Administrative Tribunal
Act 2004, power to --
(a) review any decision of the organisation in respect of the
relevant access application or amendment application;
and
(b) decide any matter in relation to the relevant access
application or amendment application that could, under
Part 3, have been decided by the organisation.
(4) At the conclusion of a proceeding referred to in subsection (3),
the Tribunal may --
(a) affirm the decision to which the complaint relates; or
(b) vary the decision to which the complaint relates; or
(c) set aside the decision to which the complaint relates and
substitute its own decision.
(5) If it is established that a health record contains protected matter,
the Tribunal does not have power to make a decision to the
effect that access is to be given to the health record.
(6) Unless the Tribunal otherwise orders, a decision of the Tribunal
under subsection (4) has effect from when it is made.
91. Restrictions under other laws not applicable
(1) No obligation to maintain secrecy or other restriction on the
disclosure of information obtained by or given to organisations,
whether imposed under an enactment or other law, applies to the
disclosure of information to the Tribunal when it is exercising
its complaint jurisdiction.
(2) Legal professional privilege does not apply to the production of
documents or the giving of evidence by an organisation, or an
officer of an organisation, to the Tribunal when it is exercising
its complaint jurisdiction.
Division 4 -- Appeals
92. Terms used in this Division
In this Division --
"appeal" means an appeal on any question of law arising out of
any decision of the Tribunal on a complaint referred to it
under section 75 or 85;
"Supreme Court" means the General Division of that court or
the Court of Appeal, whichever is appropriate under the
State Administrative Tribunal Act 2004 section 105.
93. Appeal from Tribunal's decision
(1) An appeal may be brought under the State Administrative
Tribunal Act 2004 section 105.
(2) However there is no appeal in relation to a decision of the
Tribunal as to --
(a) the charges to be imposed for dealing with an access
application; or
(b) the payment of a deposit under section 31.
(3) The State Administrative Tribunal Act 2004 section 106 applies
in respect of an appeal.
94. No access to health record containing exempt matter
If it is established that a health record contains protected matter
the Supreme Court does not have power to make a decision to
the effect that access is to be given to the health record.
95. Power to impose terms on orders
(1) Subject to subsection (2), an order or decision made by the
Supreme Court on an appeal may be made on such terms and
conditions (including terms and conditions as to costs) as the
Supreme Court thinks fit.
(2) If the appellant is an organisation it bears its own costs.
96. Court to ensure non-disclosure of certain matter
(1) In hearing and determining an appeal the Supreme Court must
avoid the disclosure of protected matter.
(2) If it is necessary to do so in the interests of justice, the Supreme
Court may by order permit a solicitor or counsel representing a
party to an appeal to examine a health record to which the
appeal relates.
(3) Permission may be given under subsection (2) on such terms
and conditions as the Supreme Court thinks fit.
(4) Without limiting subsection (3), permission may be given under
subsection (2) on the condition that the solicitor or counsel does
not disclose, to a party to the appeal or to another person,
protected matter.
(5) If in the opinion of the Supreme Court it is necessary to do so in
order to prevent disclosure of protected matter the Supreme
Court may receive evidence and hear argument in the absence
of the public and any party or person representing a party.
(6) The Supreme Court must not include protected matter in its
decision on an appeal or in reasons given for the decision.
97. Production of documents
(1) For the purpose of hearing and determining an appeal the
Supreme Court may require an organisation to produce a
document in evidence before it.
(2) The Supreme Court must ensure that the confidentiality of a
document produced under this section is maintained and arrange
for its return to the organisation when the appeal has been
determined.
98. Restrictions under other laws not applicable
(1) No obligation to maintain secrecy or other restriction on the
disclosure of information obtained by or given to organisations,
whether imposed under an enactment or other law, applies to the
disclosure of information to the Supreme Court on an appeal.
(2) Legal professional privilege does not apply to the production of
documents or the giving of evidence by an organisation, or an
officer of an organisation, to the Supreme Court on an appeal.
99. Other procedure
To the extent that it is not prescribed by this Act or rules of
court the procedure on an appeal may be determined by the
Supreme Court.
Part 6 -- Exchange of information
100. Terms used in this Part
In this Part --
"agency" means --
(a) a person, body or office referred to in Schedule 1; or
(b) an exempt organisation;
"disclosing agency" means the agency disclosing or intending
to disclose information;
"information" means health information or personal
information;
"prescribed enactment" means an enactment declared by the
regulations to be a prescribed enactment for the purposes of
this Part;
"principal officer" of an agency or a disclosing agency
means --
(a) in relation to a department or organisation (as defined
in the Public Sector Management Act 1994
section 3(1)) -- the chief executive officer or chief
employee of the department or organisation; or
(b) in relation to the Police Force of Western
Australia -- the Commissioner of Police; or
(c) in relation to a local government -- the chief
executive officer of the local government; or
(d) in relation to a regional local government -- the chief
executive officer of the regional local government; or
(e) in relation to a court -- an officer of the court
declared by rules of court or the regulations to be the
principal officer of the court (not being a person
holding judicial office or an office the functions of
which include judicial functions); or
(f) in relation to an agency that consists of one person
(not being a court or an incorporated body) -- that
person; or
(g) in relation to an agency for which the regulations
declare an officer to be the principal officer of the
agency -- that officer; or
(h) in relation to any other agency --
(i) if it is an incorporated body that has no
members, the person who manages the affairs
of the body; or
(ii) if it is a body (whether incorporated or not)
that is constituted by 2 or more persons, the
person who is entitled to preside at any
meeting of the body at which he or she is
present.
101. Construction of certain references for the purposes of this
Part
(1) In this section --
"relevant provision" means any of the following --
(a) IPP 2(1)(e), (f), (g), (h) or (i);
(b) IPP 2(3);
(c) IPP 8;
(d) HPP 2(1)(f), (g), (h), (i), (l), (m) or (n);
(e) HPP 2(5);
(f) HPP 8.
(2) For the purposes of this Part a reference in a relevant provision
to an organisation or a public organisation is to be regarded as
including a reference to an exempt organisation.
(3) If the application or operation of a relevant provision is
modified by an approved code of practice by which the
disclosing agency is bound, a reference in this Part to the
relevant provision is to be regarded as including a reference to
each provision of the approved code of practice that modifies its
application or operation.
102. Exchange of information between agencies
(1) An agency may disclose personal information held by the
agency to another agency if --
(a) the disclosure is for the purpose for which the
information was collected by the disclosing agency; or
(b) an exception set out in IPP 2(1)(e), (f), (g), (h), (i) or
(j)(iii) or (iv) applies to the disclosure; or
(c) the disclosure is permitted under IPP 2(3).
(2) An agency may disclose health information held by the agency
to another agency if --
(a) the disclosure is for the purpose for which the
information was collected by the disclosing agency; or
(b) an exception set out in HPP 2(1)(f), (g), (h), (i), (l), (m),
(n) or (q)(iii) or (iv) applies to the disclosure; or
(c) the disclosure is permitted under HPP 2(5).
(3) A decision to disclose information under this section may be
made by --
(a) the principal officer of the disclosing agency; or
(b) an officer of the disclosing agency authorised by the
principal officer for that purpose, either generally or in a
particular case.
103. Exchange of information between agencies and other
persons
(1) An agency may, with the approval of the Commissioner,
disclose information held by the agency to a person or body
other than an agency.
(2) An application for approval may be made by --
(a) the principal officer of the disclosing agency; or
(b) an officer of the disclosing agency authorised by the
principal officer for that purpose, either generally or in a
particular case.
(3) Approval may be given for the purposes of subsection (1) either
generally or in respect of a particular disclosure or class of
disclosure.
(4) The Commissioner must not give approval for the purposes of
subsection (1) in relation to the disclosure of personal
information unless the Commissioner is satisfied that --
(a) the disclosure is for the purpose for which the
information was collected by the disclosing agency and,
if the disclosure is to a person or body outside Western
Australia, the requirements of IPP 8 are met; or
(b) an exception set out in IPP 2(1)(e), (f), (g), (h) or (i)
applies to the disclosure; or
(c) the disclosure is permitted under IPP 2(3).
(5) The Commissioner must not give approval for the purposes of
subsection (1) in relation to the disclosure of health information
unless the Commissioner is satisfied that --
(a) the disclosure is for the purpose for which the
information was collected by the disclosing agency and,
if the disclosure is to a person or body outside Western
Australia, the requirements of HPP 8 are met; or
(b) an exception set out in HPP 2(1)(f), (g), (h), (i), (l), (m)
or (n) applies to the disclosure; or
(c) the disclosure is permitted under HPP 2(5).
(6) The Commissioner must not give approval for the purposes of
subsection (1) if disclosure of the information by the agency or
an officer of the agency contravenes a prescribed enactment or
is required or authorised under a prescribed enactment.
104. Scope of disclosure powers
(1) Sections 102 and 103 do not authorise an agency to disclose
information if disclosure of the information by the agency or an
officer of the agency contravenes a prescribed enactment or is
required or authorised under a prescribed enactment.
(2) The powers conferred on an agency by sections 102 and 103 --
(a) may be exercised despite any enactment relating to
confidentiality or secrecy; and
(b) are in addition to any other powers the agency may have
to disclose information.
105. Protection from liability for disclosure
If information is disclosed, in good faith, under section 102
or 103 --
(a) no civil or criminal liability is incurred in respect of the
disclosure; and
(b) the disclosure is not to be regarded as a breach of any
duty of confidentiality or secrecy imposed by law; and
(c) the disclosure is not to be regarded as a breach of
professional ethics or standards or as unprofessional
conduct.
Part 7 -- Privacy and Information Commissioner
Division 1 -- Office of Privacy and Information Commissioner
106. Privacy and Information Commissioner
(1) An office of Privacy and Information Commissioner is
established.
(2) The office of Privacy and Information Commissioner is not an
office in the Public Service.
107. Appointment of Commissioner
(1) The Governor is to appoint a person to the office of Privacy and
Information Commissioner.
(2) Subject to this Act, the Commissioner holds office for a period,
not exceeding 7 years, fixed by the instrument of appointment.
(3) A person who has been appointed to the office of Privacy and
Information Commissioner is eligible for reappointment.
108. Remuneration
(1) The remuneration of the Commissioner is to be determined by
the Salaries and Allowances Tribunal under the Salaries and
Allowances Act 1975.
(2) The rate of remuneration of the Commissioner must not be
reduced during a term of office of the Commissioner without
the Commissioner's consent.
109. Leave and other conditions of service
(1) The Governor may determine --
(a) the leave of absence to which the Commissioner is
entitled; and
(b) other terms and conditions of service that apply to the
Commissioner.
(2) Subject to any determination under subsection (1), the
Commissioner is entitled to leave of absence and other
conditions of service as applicable to public service officers.
110. Resignation of Commissioner
The Commissioner may resign from office by giving the
Governor a signed letter of resignation.
111. Removal and suspension from office
(1) The Commissioner may, at any time, be removed or suspended
from office by the Governor on addresses from both Houses of
Parliament.
(2) If the Commissioner has been suspended from office under
subsection (1), the suspension has effect until the Commissioner
is restored to or removed from office by the Governor on
addresses from both Houses of Parliament.
(3) Despite subsection (1), the Governor may suspend the
Commissioner from office if the Governor is satisfied that the
Commissioner --
(a) is incapable of performing the functions of the
Commissioner properly; or
(b) has performed the functions of the Commissioner
incompetently or has neglected to perform those
functions; or
(c) has been guilty of misconduct.
(4) If the Commissioner has been suspended from office under
subsection (3), the Commissioner is restored to office by
operation of this subsection if --
(a) by the end of the 7th sitting day of a House of Parliament
following the day of suspension, a full statement of the
grounds of the suspension has not been laid before that
House; or
(b) by the end of the relevant day for a House of Parliament,
that House has not passed an address requesting the
removal of the Commissioner from office.
(5) In subsection (4)(b) --
"relevant day" for a House of Parliament means --
(a) the 30th sitting day of that House following the day
on which the statement referred to in
subsection (4)(a) is laid before it; or
(b) the last day of the session during which the statement
referred to in subsection (4)(a) is laid before that
House, if that session ends before the sitting day
referred to in paragraph (a).
(6) The Interpretation Act 1984 section 52 does not apply to the
office of Commissioner.
112. Deputy Privacy and Information Commissioner
(1) An office of Deputy Privacy and Information Commissioner is
established.
(2) The office of Deputy Privacy and Information Commissioner is
not an office in the Public Service.
(3) The Governor may, if satisfied that it is necessary or expedient
to do so, appoint a person to the office of Deputy Privacy and
Information Commissioner.
(4) A Deputy Commissioner is to perform such functions as the
Commissioner directs.
(5) Sections 107(2) and (3), 108, 109, 110 and 111 apply to a
Deputy Commissioner as if references in those provisions to the
Commissioner were references to a Deputy Commissioner.
113. Deputy Commissioner may act as Commissioner
(1) Subject to subsection (4), if there is a Deputy Commissioner the
Deputy Commissioner is to act in the office of Commissioner
during a period when --
(a) the Commissioner is absent from duty or is unable to
perform the functions of that office for any other reason;
or
(b) the Commissioner is suspended from that office; or
(c) that office is vacant.
(2) Without limiting subsection (1)(a), an inability to perform the
functions of the Commissioner arises if the Commissioner has
an actual or potential conflict of interest in relation to a matter
to be dealt with by the Commissioner under this Act or the
FOI Act.
(3) While a Deputy Commissioner is acting in the office of
Commissioner --
(a) the Deputy Commissioner may perform the functions of
the Commissioner and any act or thing done by the
Deputy Commissioner in performing those functions has
the like effect as if it were done by the Commissioner;
and
(b) any act or thing that is required under a written law to be
done to, by reference to or in relation to the
Commissioner is taken to be effectually done if done to,
by reference to or in relation to the Deputy
Commissioner; and
(c) the Deputy Commissioner has the same immunities as
the Commissioner.
(4) If an Acting Commissioner has been appointed under
section 114 for a period mentioned in subsection (1), a Deputy
Commissioner is not to act in the office of Commissioner during
that period unless the Acting Commissioner is absent from duty
or unable to perform the functions of the Commissioner for any
other reason.
114. Acting Commissioner
(1) The Governor may appoint a person to act in the office of
Commissioner during a period mentioned in section 113(1) but
a person is not to be appointed to act in that office for a period
exceeding 12 months.
(2) While an Acting Commissioner is acting in the office of
Commissioner --
(a) the Acting Commissioner may perform the functions of
the Commissioner and any act or thing done by the
Acting Commissioner in performing those functions has
the like effect as if it were done by the Commissioner;
and
(b) any act or thing that is required under a written law to be
done to, by reference to or in relation to the
Commissioner is taken to be effectually done if done to,
by reference to or in relation to the Acting
Commissioner; and
(c) the Acting Commissioner has the same immunities as
the Commissioner.
(3) An Acting Commissioner is entitled to such remuneration, leave
of absence and other terms and conditions of service as the
Governor may determine.
(4) An appointment under this section --
(a) may be made at any time and may be terminated at any
time by the Governor; and
(b) may be expressed to have effect only in the
circumstances specified in the instrument of
appointment.
115. Oath or affirmation of office -- Commissioner, Deputy
Commissioner and Acting Commissioner
(1) Before performing the functions of Commissioner for the first
time, the Commissioner, a Deputy Commissioner or an Acting
Commissioner must take an oath or make an affirmation that he
or she will faithfully and impartially perform those functions,
and that he or she will not, except in accordance with this Act or
the FOI Act, divulge any information received in the
performance of those functions.
(2) The oath or affirmation is to be administered by the Speaker of
the Legislative Assembly.
(3) If the office of Speaker is vacant or the Speaker is absent or
otherwise unable to administer the oath or affirmation, the
President of the Legislative Council is to administer the oath or
affirmation.
(4) If subsections (2) and (3) do not enable the oath or affirmation
to be administered, it is to be administered by a person
appointed by the Governor for the purpose.
116. Staff of Commissioner
(1) The Commissioner may appoint such officers as are necessary
for the performance of the Commissioner's functions.
(2) Subject to this Act the remuneration, leave of absence and other
terms and conditions of service of a person appointed under
subsection (1) are as determined by the Commissioner.
(3) The Public Sector Management Act 1994 Part 3 does not apply
to a person appointed under subsection (1).
(4) The Commissioner may by arrangement with the employing
authority, within the meaning given in the Public Sector
Management Act 1994 section 5, of the officer or employee,
make use, either full-time or part-time, of the services of any
officer or employee employed in the Public Service or in a State
instrumentality or otherwise in the service of the Crown in right
of the State.
117. Oath or affirmation of office -- members of staff
(1) Before performing functions under this Act or the FOI Act for
the first time, a member of staff must take an oath or make an
affirmation that he or she will faithfully and impartially perform
those functions, and that he or she will not, except in accordance
with this Act or the FOI Act, divulge any information received
in the performance of those functions.
(2) The oath or affirmation is to be administered by the
Commissioner.
118. Rights of officers preserved
(1) In this section --
"officer of the Commissioner" means a person appointed
under section 116(1).
(2) If a person who is a public service officer is appointed as
Commissioner, Deputy Commissioner or an officer of the
Commissioner, the person is entitled to retain any accruing and
existing rights, including any rights under the Superannuation
and Family Benefits Act 1938, as if service as Commissioner,
Deputy Commissioner or an officer of the Commissioner were a
continuation of service as a public service officer.
(3) If a person ceases to be Commissioner, Deputy Commissioner
or an officer of the Commissioner and becomes a public service
officer, the service as Commissioner, Deputy Commissioner or
an officer of the Commissioner is to be regarded as service in
the Public Service for the purpose of determining that person's
rights as a public service officer and, if applicable, for the
purposes of the Superannuation and Family Benefits Act 1938.
(4) If --
(a) a person immediately before appointment as
Commissioner, Deputy Commissioner or an officer of
the Commissioner occupied an office under the Public
Sector Management Act 1994 Part 3; and
(b) the person's term of office expires by effluxion of time
and he or she is not reappointed,
the person is entitled to be appointed to an office under the
Public Sector Management Act 1994 Part 3 of at least the
equivalent level of classification as the office that the person
occupied immediately before appointment as Commissioner,
Deputy Commissioner or an officer of the Commissioner.
119. Offices of Commissioner and Parliamentary Commissioner
can be held concurrently
(1) The Commissioner may also hold the office of Parliamentary
Commissioner.
(2) Schedule 5 sets out provisions as to the term of office of a
person appointed to the offices of Commissioner and
Parliamentary Commissioner, his or her conditions of service,
his or her staff and other matters relevant to the operation of
subsection (1).
Division 2 -- Functions and powers of Commissioner
120. Functions of Commissioner
The Commissioner has the following functions --
(a) to promote understanding of and compliance with the
information privacy principles and the health privacy
principles;
(b) to conduct or commission audits of records of personal
information and health information maintained by an
organisation for the purpose of ascertaining whether the
records are maintained in accordance with the
information privacy principles, the health privacy
principles or any applicable code of practice;
(c) to review an organisation's procedures for the handling
of personal information or health information to
determine whether or not the information is being
handled in accordance with this Act;
(d) to review an organisation's procedures --
(i) for giving access to health records under Part 3
Division 2; and
(ii) for amending health records under Part 3
Division 3;
(e) to review the operation of approved codes of practice;
(f) to examine, assess and report to the Minister on any
proposed legislation that is likely to have an impact on
the privacy of personal information or health
information;
(g) to research, monitor developments in, and report to the
Minister on, data processing and computer technology
(including data matching and data linkage) to ensure that
any adverse effects of such developments on the privacy
of personal information and health information are
minimised;
(h) to make reports and recommendations to the Minister, or
the Minister responsible for the administration of a
particular public organisation, on the need for, or
desirability of, legislative or administrative action in the
interests of the privacy of personal information and
health information;
(i) to provide assistance to members of the public and
organisations on matters relevant to this Act;
(j) other functions given to the Commissioner under this
Act and the FOI Act.
121. General powers of Commissioner
The Commissioner has all the powers that are needed for the
performance of the Commissioner's functions.
122. Powers relating to audit or review
(1) If the Commissioner has reason to believe that a person has
information or a document relevant to an audit under
section 120(b) or a review under section 120(c), (d) or (e), the
Commissioner may give to the person a written notice requiring
the person --
(a) to give the information to the Commissioner in writing
signed by the person or, in the case of a body corporate,
by an officer of the body corporate; or
(b) to produce the document to the Commissioner.
(2) A notice given by the Commissioner under subsection (1) must
state --
(a) the place at which the information or document is to be
given or produced to the Commissioner; and
(b) the time at which, or the period within which, the
information or document is to be given or produced.
(3) If the Commissioner has reason to believe that a person has
information relevant to an audit under section 120(b) or a
review under section 120(c), (d) or (e), the Commissioner may
give to the person a written notice requiring the person to appear
before the Commissioner at a time and place specified in the
notice to answer questions relevant to the audit or review.
(4) The Commissioner may administer an oath or affirmation to a
person required under subsection (3) to appear before the
Commissioner and may examine such a person on oath or
affirmation.
(5) The oath or affirmation to be taken or made by a person for the
purposes of this section is an oath or affirmation that the
answers the person will give will be true.
123. Commissioner to report on audit or review
(1) As soon as practicable after the completion of an audit under
section 120(b) or a review under section 120(c), (d) or (e) the
Commissioner must --
(a) prepare a report on the audit or review; and
(b) give a copy of the report to each organisation affected
by the audit or review.
(2) The Commissioner may include in the report any
recommendations that the Commissioner considers appropriate
as a result of the audit or review.
(3) If a report includes recommendations that particular action be
taken by an organisation, the Commissioner may, by written
notice, request the organisation to inform the Commissioner
of --
(a) the steps it has taken, or proposes to take, to give effect
to the recommendations; or
(b) its reasons for not taking, or proposing to take, such
steps.
124. Delegation
(1) The Commissioner may delegate to a Deputy Commissioner or
a member of staff any power or duty of the Commissioner
under --
(a) another provision of this Act other than section 61(1),
73(1), 75(3), 84, 85(3) or 103(1); or
(b) the FOI Act other than section 67(1), 67B(3), 75 or
76(3) of that Act.
(2) The delegation must be in writing signed by the Commissioner.
(3) A person to whom a power or duty is delegated under this
section cannot delegate that power or duty.
(4) A person exercising or performing a power or duty that has been
delegated to the person under this section, is to be taken to do so
in accordance with the terms of the delegation unless the
contrary is shown.
(5) Nothing in this section limits the ability of the Commissioner to
perform a function through an officer or agent.
Division 3 -- Reports to Parliament
125. Annual report under Financial Management Act 2006 to
include certain information
(1) In this section --
"annual report" means the annual report for a financial year
required under the Financial Management Act 2006 Part 5
in respect of the department taken to be constituted under
section 5(1) of that Act by the administration of the
Commissioner.
(2) Without limiting the Financial Management Act 2006
section 61(1), the annual report must contain the following
information for the financial year --
(a) the number of complaints received by the
Commissioner;
(b) the number of complaints which the Commissioner
decided under section 73 not to deal with, or to stop
dealing with;
(c) the number of complaints resolved by conciliation;
(d) the number of complaints referred to the State
Administrative Tribunal;
(e) details of any audit under section 120(b) or review under
section 120(c), (d) or (e) including the following --
(i) the outcome of the audit or review;
(ii) any recommendations made as a result of the
audit or review;
(iii) any response to those recommendations;
(f) details of any report made under section 120(g);
(g) details of any report or recommendations made under
section 120(h);
(h) the information required under the FOI Act
section 111(2);
(i) any other information that is prescribed.
126. Special reports
(1) The Commissioner may, at any time, prepare a report on any
matter arising in connection with the performance of the
Commissioner's functions and may submit the report to both
Houses of Parliament.
(2) If the Commissioner wants to submit a report to a House of
Parliament and the House is not sitting, the Commissioner may
transmit a copy of the report to the Clerk of the House.
(3) A copy of a report transmitted to the Clerk of a House under
subsection (2) is taken to have been laid before the House.
(4) The laying of a copy of a report before a House that is taken to
have occurred under subsection (3) is to be reported to the
House by the Clerk, and recorded in the Votes and Proceedings
or Minutes of Proceedings, on the first sitting day of the House
after the Clerk received the copy.
Part 8 -- Miscellaneous
127. Deceased individuals
(1) In this section --
"representative" means an authorised representative or a legal
representative.
(2) If an individual has died, a right or power conferred on an
individual by Part 3 or 5, an IPP or an HPP is exercisable in
relation to the deceased individual, so far as the circumstances
reasonably permit, by a representative of the deceased
individual.
128. Capacity of authorised representative to give consent
(1) If an IPP or an HPP requires the consent of an individual to the
doing of any thing and the individual is incapable of giving
consent, consent may be given on behalf of the individual by an
authorised representative of the individual.
(2) For the purposes of subsection (1), an individual is incapable of
giving consent if he or she is incapable by reason of age, illness,
physical impairment or mental disability of --
(a) understanding the general nature and effect of giving the
consent; or
(b) communicating the consent or refusal of consent,
despite the provision of reasonable assistance by another person.
129. Protection from legal action -- access to health records
(1) If access to a health record is given under a decision under this
Act, and the person who makes the decision believes, in good
faith, when making the decision, that this Act permits or
requires the decision to be made --
(a) an action for defamation or breach of confidence does
not lie against the State, an organisation or an officer or
employee of an organisation merely because of the
making of the decision or the giving of access; and
(b) an action for defamation or breach of confidence in
respect of any publication involved in, or resulting from,
the giving of access does not lie against the author of the
health record or any other person by reason of the author
or other person having supplied the health record to an
organisation.
(2) Neither the giving of access to a health record under a decision
under this Act nor the making of such a decision is to be
regarded as constituting, for the purpose of the law relating to
defamation or breach of confidence, an authorisation or
approval of the publication of the health record, or any matter it
contains, by the person to whom access is given.
(3) If access to a health record is given under a decision under this
Act, and the person who makes the decision believes, in good
faith, when making the decision, that this Act permits or
requires the decision to be made, neither the person who makes
the decision nor any other person concerned in giving access to
the health record is guilty of an offence merely because of the
making of the decision or the giving of access.
130. Restrictions under other laws not applicable
(1) No obligation to maintain secrecy or other restriction on the
disclosure of information obtained by or given to organisations,
whether imposed under an enactment or other law, applies to the
disclosure of information to the Commissioner for the purposes
of Part 5 Division 2 or Part 7 Division 2.
(2) Legal professional privilege does not apply to the production of
documents or the giving of evidence by an organisation, or an
officer of an organisation, to the Commissioner for the purposes
of Part 5 Division 2 or Part 7 Division 2.
(3) Subject to subsections (1) and (2), every party to conciliation
proceedings or person who complies with a requirement under
section 122 has the same privileges in relation to the giving of
evidence and the production of documents and things that he or
she would have as a witness in proceedings before a court.
131. Confidentiality of information
(1) In this section --
"confidential information" means information obtained in the
course of the performance of functions under this Act or
the FOI Act;
"relevant person" means a person who is or has been the
Commissioner, a Deputy Commissioner or a member of
staff.
(2) Except as required for the purposes of proceedings arising under
or in relation to this Act or the FOI Act, a relevant person
cannot be required to disclose confidential information in court
or in any judicial proceedings.
(3) The Commissioner, a Deputy Commissioner or a member of the
Commissioner's staff authorised for the purposes of this
subsection by the Commissioner may disclose confidential
information to --
(a) the Parliamentary Commissioner; or
(b) the Deputy Parliamentary Commissioner; or
(c) a member of the Parliamentary Commissioner's staff
authorised for the purposes of this paragraph by the
Parliamentary Commissioner,
if the information concerns a matter that is relevant to the
functions of the Parliamentary Commissioner.
(4) Subsection (3) does not authorise the disclosure of confidential
information that is exempt matter for the purposes of the
FOI Act.
(5) A relevant person must not disclose confidential information
except --
(a) for the purposes of this Act or the FOI Act or
proceedings arising under or in relation to this Act or the
FOI Act; or
(b) as authorised by subsection (3).
Penalty: a fine of $6 000.
(6) A relevant person must not take advantage of confidential
information to benefit that person or another person.
Penalty: a fine of $6 000.
132. Protection from liability for wrongdoing
(1) An action in tort does not lie against the Commissioner, a
Deputy Commissioner or a member of staff for anything that the
person has done, in good faith, in the performance or purported
performance of a function under this Act or the FOI Act.
(2) The State is also relieved of any liability that it might otherwise
have had for another person having done anything as described
in subsection (1).
(3) The protection given by this section applies even though the
thing done as described in subsection (1) may have been
capable of being done whether or not this Act or the FOI Act
had been enacted.
(4) In this section, a reference to the doing of anything includes a
reference to an omission to do anything.
133. Failure to provide information or document or to appear
If a person who has been required under Part 5 Division 2 or
Part 7 Division 2 --
(a) to give information to the Commissioner; or
(b) to produce a document to the Commissioner; or
(c) to appear before the Commissioner or a conciliator,
refuses or fails, without reasonable excuse, to comply with the
requirement, the person commits an offence.
Penalty:
(a) for an individual -- a fine of $6 000;
(b) for a body corporate -- a fine of $10 000.
134. Regulations
(1) The Governor may make regulations prescribing all matters that
by this Act are required or permitted to be prescribed or that are
necessary or convenient to be prescribed for giving effect to
this Act.
(2) Without limiting subsection (1) and subject to section 29, the
regulations may prescribe or provide for --
(a) fees for lodging access applications; and
(b) charges for dealing with access applications or rates to
be used in calculating such charges; and
(c) the extent to which --
(i) a fee paid for lodging an access application; or
(ii) an advance deposit paid under section 31 in
relation to an access application,
is to or may be refunded to the access applicant in the
event of the access applicant withdrawing the access
application or being regarded as having withdrawn the
access application.
(3) In the making of regulations under subsection (2) (as read with
the Interpretation Act 1984 section 45) regard is to be had to the
need to ensure that fees and charges are reasonable and as low
as is practicable, and special regard is to be had to --
(a) the need to ensure that financially disadvantaged
persons are not precluded from exercising their rights
under this Act merely because of financial hardship; and
(b) the particular relationship between an individual and
health records relating to that individual.
135. Review of Act
(1) In this section --
"review day" means the expiry day of a period of 5 years
after --
(a) the commencement of this section; or
(b) the day on which a report is tabled in the Legislative
Assembly under subsection (3).
(2) The Minister must carry out a review of the operation and
effectiveness of this Act as soon as is practicable after each
review day.
(3) The Minister must prepare a report based on each review and
must cause the report to be tabled before each House of
Parliament as soon as is practicable after it is prepared.
Part 9 -- Amendment of other written laws
Division 1 -- Freedom of Information Act 1992
136. The Act amended
The amendments in this Division are to the Freedom of
Information Act 1992*.
[* Reprint 4 as at 10 September 2004.
For subsequent amendments see Western Australian
Legislation Information Tables for 2005, Table 1 and Acts
Nos. 41 and 43 of 2006.]
137. Part 4 Division 1 repealed
Part 4 Division 1 is repealed.
138. Heading to Part 4 Division 2 amended
The heading to Part 4 Division 2 is amended by deleting
"Information".
139. Section 63 amended
Section 63(1) is amended by deleting "The main function of the
Commissioner is" and inserting instead --
" It is a function of the Commissioner ".
140. Section 64 repealed
Section 64 is repealed.
141. Heading to Part 4 Division 4 amended
The heading to Part 4 Division 4 is amended by deleting
"Information".
142. Section 79 repealed
Section 79 is repealed.
143. Section 80 repealed
Section 80 is repealed.
144. Section 82 repealed
Section 82 is repealed.
145. Section 111 amended
(1) Section 111(1) is repealed and the following subsection is
inserted instead --
"
(1) In this section --
"report" means the annual report referred to in the
Information Privacy Act 2007 section 125.
".
(2) Section 111(2) is amended as follows:
(a) after paragraph (k) by deleting "; and" and inserting a
full stop instead;
(b) by deleting paragraph (l).
(3) Section 111(3)(a) is amended by deleting "preparation of a
report under this section" and inserting instead --
" ensuring that the report complies with subsection (2) ".
(4) Section 111(5) is repealed.
146. Schedule 2 amended
Schedule 2 is amended as follows:
(a) after the item relating to the Auditor General by
inserting --
" The Commissioner. ";
(b) by deleting the item relating to the Information
Commissioner.
147. Glossary amended
The Glossary clause 1 is amended by inserting in the
appropriate alphabetical position --
"
"Commissioner" has the meaning given in the Information
Privacy Act 2007 section 4(1);
".
Division 2 -- Parliamentary Commissioner Act 1971
148. The Act amended
The amendments in this Division are to the Parliamentary
Commissioner Act 1971*.
[* Reprint 7 as at 1 October 2004.
For subsequent amendments see Western Australian
Legislation Information Tables for 2005, Table 1 and Act
No. 77 of 2006.]
149. Section 4 amended
Section 4 is amended by inserting in the appropriate
alphabetical position --
"
"remuneration" has the meaning given in the Salaries
and Allowances Act 1975 section 4(1);
".
150. Section 5 amended
(1) Section 5(5) and (6) are repealed and the following subsections
are inserted instead --
"
(5) The remuneration of the Commissioner and Deputy
Commissioner is to be determined by the Salaries and
Allowances Tribunal under the Salaries and
Allowances Act 1975.
(6) The rate of remuneration of the Commissioner or
Deputy Commissioner must not be reduced during the
term of office of the Commissioner or Deputy
Commissioner without the consent of the
Commissioner or Deputy Commissioner, as the case
requires.
".
(2) Section 5(7) is amended by deleting "such travelling and other
allowances" and inserting instead --
" other terms and conditions of service ".
(3) After section 5(9) the following subsection is inserted --
"
(9a) Subsection (9), to the extent that it applies to the
Commissioner, is subject to section 12A.
".
151. Section 7 amended
Section 7(3) is amended by deleting "such travelling and other
allowances" and inserting instead --
" other terms and conditions of service ".
152. Section 12A inserted
After section 12 the following section is inserted in Part II --
"
12A. Offices of Commissioner and Privacy and
Information Commissioner can be held
concurrently
(1) The Commissioner may also hold the office of Privacy
and Information Commissioner under the Information
Privacy Act 2007.
(2) The Information Privacy Act 2007 Schedule 5 applies
for the purposes of subsection (1).
".
153. Section 22B amended
Section 22B is amended as follows:
(a) after paragraph (d) by deleting the full stop and
inserting --
"
; or
(e) is disclosed to a person who is --
(i) the Privacy and Information
Commissioner under the Information
Privacy Act 2007; or
(ii) a Deputy Privacy and Information
Commissioner under that Act; or
(iii) a member of the staff of the Privacy and
Information Commissioner authorised
by the Privacy and Information
Commissioner for the purposes of this
subparagraph,
and concerns a matter that is relevant to the
functions of the Privacy and Information
Commissioner.
";
(b) after each of paragraphs (aa) and (b) and
paragraph (b)(i) by inserting --
" or ".
154. Section 31 amended
Section 31 is amended by deleting "$1 000." and inserting
instead --
" $6 000. ".
155. Schedule 1 amended
Schedule 1 is amended by deleting the item relating to the
Information Commissioner and inserting instead --
"
The Privacy and Information Commissioner under the
Information Privacy Act 2007.
".
Division 3 -- Other Acts amended
156. Constitution Acts Amendment Act 1899
(1) The amendments in this section are to the Constitution Acts
Amendment Act 1899*.
[* Reprint 14 as at 21 April 2006.
For subsequent amendments see Western Australian
Legislation Information Tables for 2005, Table 1 and Acts
Nos. 34 of 2004, 18, 32 and 38 of 2005, 5, 28, 41, 43, 56, 60,
64 and 77 of 2006.]
(2) Schedule V Part 1 Division 2 is amended as follows:
(a) by deleting the item relating to the Information
Commissioner;
(b) by inserting in the appropriate alphabetical position --
"
Privacy and Information Commissioner appointed under the
Information Privacy Act 2007.
".
157. Financial Management Act 2006
(1) The amendments in this section are to the Financial
Management Act 2006*.
[* Act No. 76 of 2006.
For subsequent amendments see Act No. 77 of 2006.]
(2) Section 5(1)(e) is deleted and the following paragraph is
inserted instead --
"
(e) the Privacy and Information Commissioner,
".
(3) Schedule 2 is amended in column 2 in the item relating to
section 54 as follows:
(a) by inserting before "Information Commissioner" --
" Privacy and ";
(b) by deleting "Freedom of Information Act 1992," and
inserting instead --
" Information Privacy Act 2007, ".
158. State Records Act 2000
(1) The amendments in this section are to the State Records
Act 2000*.
[* Act No. 52 of 2000.
For subsequent amendments see Acts Nos. 18 of 2005 and
77 of 2006.]
(2) Section 58 is amended as follows:
(a) after paragraph (a) by inserting --
" and ";
(b) by deleting paragraph (b) and inserting instead --
"
(b) the person who is the Privacy and Information
Commissioner, or who is acting in that office,
under the Information Privacy Act 2007; and
".
Division 4 -- Amendment of subsidiary legislation
159. Power to amend subsidiary legislation
(1) The Governor, on the recommendation of the Minister, may
make regulations amending subsidiary legislation made under
any Act.
(2) The Minister may make a recommendation under subsection (1)
only if the Minister considers that each amendment proposed to
be made by the regulations is necessary or desirable as a
consequence of the enactment of this Act.
(3) Nothing in this section prevents subsidiary legislation from
being amended in accordance with the Act under which it is
made.
Part 10 -- Transitional provisions
160. Terms used in this Part
In this Part --
"commencement day" means the day on which this Part comes
into operation;
"former Commissioner" means the Information Commissioner
under the FOI Act;
"new Commissioner" means the Commissioner.
161. Continuation of office
The office of Privacy and Information Commissioner
established under this Act is to be taken to be a continuation of
the office of Information Commissioner established under the
FOI Act.
162. Staff of former Commissioner
(1) On the commencement day a person who, immediately before
that day, was a member of the former Commissioner's staff
appointed under the FOI Act section 61(1) becomes a member
of the new Commissioner's staff as if appointed under
section 116(1).
(2) The operation of subsection (1) in relation to a person does
not --
(a) unless the person agrees otherwise, affect the person's
remuneration or terms and conditions of appointment; or
(b) prejudice the person's existing or accruing rights; or
(c) affect any rights under a superannuation scheme; or
(d) interrupt continuity of service.
163. References to former Commissioner
If in a written law or other document or instrument there is a
reference to the former Commissioner, the reference may,
where the context so requires, be read as if it had been amended
to be a reference to the new Commissioner.
Schedule 1 -- Public organisations
[s. 4(1)]
1. A court.
2. A department of the Public Service.
3. An organisation specified in the Public Sector Management Act 1994
Schedule 2 column 2.
4. The Police Force of Western Australia.
5. A local government or a regional local government.
6. A body or office that is established for a public purpose under a
written law.
7. A body or office that is established by the Governor or a Minister.
8. Any other body or office that is declared by the regulations to be a
public organisation being --
(a) a body or office established under a written law; or
(b) a corporation or association over which control can be
exercised by the State, a Minister, a body referred to in
item 3, 6 or 7 or paragraph (a), or the holder of an office
referred to in item 7 or paragraph (a).
Schedule 2 -- Exempt organisations
[s. 4(1)]
1. The Governor and the Governor's establishment.
2. The Legislative Council or a member or committee of the Legislative
Council.
3. The Legislative Assembly or a member or committee of the
Legislative Assembly.
4. A joint committee or standing committee of the Legislative Council
and the Legislative Assembly.
5. A department of the staff of Parliament.
6. A Minister in his or her official capacity.
7. A parliamentary secretary in his or her official capacity.
8. The Auditor General and the Office of the Auditor General.
9. The Commissioner.
10. The Corruption and Crime Commission.
11. The Inspector of Custodial Services appointed under the Inspector of
Custodial Services Act 2003.
12. The Parliamentary Commissioner.
13. The Parliamentary Inspector of the Corruption and Crime
Commission appointed under the Corruption and Crime Commission
Act 2003.
14. A Royal Commission or member of a Royal Commission.
15. The State Administrative Tribunal.
16. A person who holds an office established under a written law for the
purposes of a body referred to in this Schedule.
Schedule 3 -- Information privacy principles
[s. 4(1), 15(1)]
1. Collection
(1) A public organisation must not collect personal information unless the
information is necessary for one or more of its functions or activities.
(2) A public organisation must collect personal information only by
lawful and fair means and not in an unreasonably intrusive way.
(3) If it is reasonable and practicable to do so, a public organisation must
collect personal information about an individual only from that
individual.
(4) At or before the time (or, if that is not practicable, as soon as
practicable after) a public organisation collects personal information
about an individual from the individual, it must take reasonable steps
to ensure that the individual is aware of --
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the
information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to
which) the organisation usually discloses information of that
kind; and
(e) any law that requires the particular information to be
collected; and
(f) the main consequences (if any) for the individual if all or part
of the information is not provided,
except to the extent that making the individual aware of the matters
would pose a serious threat to the life, health, safety or welfare of any
individual.
(5) If a public organisation collects personal information about an
individual from someone else (other than an authorised representative
of the individual), it must take reasonable steps to ensure that the
individual is or has been made aware of the matters listed in
subclause (4) except --
(a) to the extent that making the individual aware of the matters
would --
(i) pose a serious threat to the life, health, safety or
welfare of any individual; or
(ii) enable the existence, or non-existence, or identity of
any confidential source of information, in relation to
the enforcement or administration of the law, to be
discovered;
or
(b) in prescribed circumstances (if any).
2. Use and disclosure
(1) A public organisation that holds personal information about an
individual must not use or disclose the information for a purpose other
than the purpose for which it was collected unless --
(a) the other purpose is related to the purpose for which it was
collected and the individual would reasonably expect the
organisation to use or disclose the information for that other
purpose; or
(b) the individual consents to the use or disclosure; or
(c) the use or disclosure is required or authorised by or under
law; or
(d) the use or disclosure is necessary for the purpose of --
(i) research; or
(ii) the compilation or analysis of statistics,
relevant to the development or evaluation of government
funded policies or programmes and it is impracticable for the
organisation to seek the individual's consent to the use or
disclosure; or
(e) the organisation reasonably believes that the use or disclosure
is necessary to lessen or prevent --
(i) a serious threat to an individual's life, health, safety
or welfare; or
(ii) a serious threat to public health, public safety or
public welfare;
or
(f) the organisation reasonably believes that the use or disclosure
is necessary to safeguard or promote the wellbeing of a child
or a class or group of children; or
(g) the organisation has reason to suspect that unlawful activity
has been, is being, or may be, engaged in and uses or
discloses the information as a necessary part of its
investigation of the matter or in reporting its concerns to
relevant persons or authorities; or
(h) the organisation reasonably believes that the use or disclosure
is necessary for one or more of the law enforcement functions
of a law enforcement agency; or
(i) the organisation reasonably believes that the use or disclosure
is necessary for one or more of the licensing functions of a
licensing agency; or
(j) in the case of a disclosure, any of the following applies --
(i) the disclosure is to a person for the purpose of
research in relation to the person's Aboriginal family
history;
(ii) the disclosure is to a representative Aboriginal/Torres
Strait Islander body, as defined in the Native Title
Act 1993 (Commonwealth) section 253, or a public
organisation for the purpose of preparation for, or use
in relation to, an application that has been made
under Part 3 of that Act;
(iii) the disclosure is to the Parliamentary Commissioner;
(iv) the disclosure is to a coroner or the Coroner's Court
of Western Australia;
(v) the organisation is a public health agency and the
disclosure is to another public health agency.
(2) If a public organisation uses or discloses personal information for a
purpose other than the purpose for which it was collected, it must
make a record of the use or disclosure.
(3) Despite subclause (1), a public organisation may use or disclose
personal information about an individual where --
(a) it is known or suspected that the individual is dead; or
(b) it is known or suspected that the individual is missing; or
(c) the individual has been involved in an accident or other
misadventure and is incapable of consenting to the use or
disclosure,
and the use or disclosure is to the extent reasonably necessary --
(d) to identify the individual or ascertain his or her location; or
(e) to ascertain the identity and location of a relative of the
individual for the purpose of --
(i) enabling a member of the Police Force, a coroner or
other prescribed organisation to contact the relative
for compassionate reasons; or
(ii) assisting in the identification of the individual.
(4) If a disclosure to which subclause (1) or (3) applies involves the
disclosure of personal information to a person (other than the
individual) who is outside Western Australia, the requirements of
IPP 8 must also be met.
(5) Nothing in this principle is to be taken to prevent the disclosure of
personal information by a public organisation to the Minister
responsible for the administration of that organisation.
3. Data quality
A public organisation must take reasonable steps to ensure that the
personal information it collects, uses or discloses is accurate,
complete and up to date.
4. Data security
(1) A public organisation must take reasonable steps to protect the
personal information it holds from misuse and loss and from
unauthorised access, modification or disclosure.
(2) A public organisation must take reasonable steps to destroy or
permanently de-identify personal information if it is no longer needed
for any purpose.
(3) The operation of subclause (2) is subject to the State Records
Act 2000.
5. Openness
(1) A public organisation must set out in a document clearly expressed
policies on its management of personal information and must make
the document available to anyone who asks for it.
(2) On request by a person, a public organisation must take reasonable
steps to let the person know, generally, what sort of personal
information it holds, for what purposes, and how it handles that
information.
6. Identifiers
(1) A public organisation must not assign identifiers to individuals unless
the assignment of identifiers is necessary to enable the organisation to
carry out any of its functions efficiently.
(2) A public organisation must not adopt as its own identifier of an
individual an identifier of the individual that has been assigned by
another public organisation unless --
(a) it is necessary to enable the public organisation to carry out
any of its functions efficiently; or
(b) the individual consents to the adoption of the same identifier.
(3) A public organisation must not use or disclose an identifier assigned
to an individual by another public organisation unless --
(a) the use or disclosure is necessary to enable the public
organisation to carry out any of its functions efficiently; or
(b) the use or disclosure is necessary for the public organisation
to fulfil its obligations to the other organisation; or
(c) one or more of IPP 2(1)(c) or (e) to (h) applies to the use or
disclosure; or
(d) the individual consents to the use or disclosure.
(4) A public organisation must not require an individual to provide an
identifier in order to obtain a service unless the provision of the
identifier is required or authorised by law or the provision is in
connection with the purpose (or a directly related purpose) for which
the identifier was assigned.
7. Anonymity
Wherever it is lawful and practicable, individuals must have the
option of not identifying themselves when dealing with a public
organisation.
8. Transborder data flows
A public organisation must not disclose personal information about an
individual to a person (other than the individual) outside Western
Australia unless --
(a) the disclosure is required or authorised by or under law; or
(b) the organisation reasonably believes that --
(i) the information is relevant to the functions or
activities of the person receiving the information; and
(ii) the person receiving the information is subject to a
law, administrative scheme by which the person is
bound, or contract, that requires the person to comply
with principles for handling the information that are
substantially similar to the information privacy
principles;
or
(c) the individual consents to the disclosure; or
(d) the disclosure is necessary for the performance of a contract
between the individual and the organisation or for the
implementation of pre-contractual measures taken in response
to the individual's request; or
(e) the disclosure is necessary for the performance or completion
of a contract between the organisation and a third party, the
performance or completion of which benefits the individual;
or
(f) all of the following apply --
(i) the disclosure is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the
individual to the disclosure;
(iii) if it were practicable to obtain that consent, the
individual would be likely to give it;
or
(g) the organisation --
(i) reasonably believes that the information is relevant to
the functions or activities of the person receiving the
information; and
(ii) has taken reasonable steps to ensure that the
information will not be held, used or disclosed by the
person receiving the information in a manner that is
inconsistent with the information privacy principles.
Schedule 4 -- Health privacy principles
[s. 4(1), 18(1)]
1. Collection
(1) An organisation must not collect health information about an
individual unless the information is necessary for one or more of its
functions or activities and at least one of the following applies --
(a) the individual consents to the collection;
(b) the collection is required or authorised by or under law;
(c) the information is necessary to provide a health service to the
individual and the individual is incapable of giving consent
and --
(i) it is not reasonably practicable to obtain the consent
of an authorised representative of the individual; or
(ii) the individual does not have an authorised
representative;
(d) the collection is the result of a disclosure made in accordance
with HPP 2(1)(a), (f), (j), (k), (l) or (p), (4) or (5);
(e) the collection is necessary for the purpose of research, or the
compilation or analysis of statistics, in the public interest and
all of the following apply --
(i) that purpose cannot be served by the collection of
information that does not identify the individual or
from which the individual's identity cannot
reasonably be ascertained;
(ii) it is impracticable for the organisation to seek the
individual's consent to the collection;
(iii) if there is no applicable code of practice relating to
the collection of information under this paragraph,
the information is collected in accordance with
guidelines approved under the Privacy Act 1988
(Commonwealth) section 95A(4);
(f) the collection is necessary to lessen or prevent --
(i) a serious threat to an individual's life, health, safety
or welfare; or
(ii) a serious threat to public health, public safety or
public welfare and the collection is by or on behalf of
a public organisation;
(g) the collection is necessary for the establishment, exercise or
defence of a legal or equitable claim;
(h) the information is a family or social medical history, or other
relevant information about an individual, that is collected for
the purpose of providing a person (including the individual)
with a health service, and is collected by a health service
provider --
(i) from the person who is to receive that service; or
(ii) from a relative, carer, or authorised representative, of
the individual in circumstances where --
(I) the health service provider believes that the
collection of the information would
reasonably be expected by the individual;
and
(II) the collection of the information is not
contrary to any wish previously expressed
by the individual of which the health
service provider is aware or of which the
health service provider could reasonably be
expected to be aware.
(2) An organisation must collect health information only by lawful and
fair means and not in an unreasonably intrusive way.
(3) If it is reasonable and practicable to do so, an organisation must
collect health information about an individual only from that
individual.
(4) At or before the time (or, if that is not practicable, as soon as
practicable after) an organisation collects health information about an
individual from the individual, it must take reasonable steps to ensure
that the individual is aware of --
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the
information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to
which) the organisation usually discloses information of that
kind; and
(e) any law that requires the particular information to be
collected; and
(f) the main consequences (if any) for the individual if all or part
of the information is not provided.
(5) If an organisation collects health information about an individual from
someone else (other than an authorised representative of the
individual), it must take reasonable steps to ensure that the individual
is or has been made aware of the matters listed in subclause (4)
except --
(a) to the extent that subclause (1)(b) or (h) applies to the
information or its collection; or
(b) to the extent that making the individual aware of the matters
would --
(i) pose a serious threat to the life, health, safety or
welfare of any individual; or
(ii) enable the existence, or non-existence, or identity of
any confidential source of information, in relation to
the enforcement or administration of the law, to be
discovered;
or
(c) in prescribed circumstances (if any).
2. Use and disclosure
(1) An organisation must not use or disclose health information about an
individual for a purpose other than the purpose for which it was
collected unless --
(a) the other purpose is related to the purpose for which it was
collected and the individual would reasonably expect the
organisation to use or disclose the information for that other
purpose; or
(b) the individual consents to the use or disclosure; or
(c) the use or disclosure is required or authorised by or under
law; or
(d) all of the following apply --
(i) the organisation is a health service provider providing
a health service to the individual;
(ii) the use or disclosure for the other purpose is
reasonably necessary for the provision of the health
service;
(iii) the individual is incapable of giving consent and --
(I) it is not reasonably practicable to obtain the
consent of an authorised representative of
the individual; or
(II) the individual does not have an authorised
representative;
or
(e) all of the following apply --
(i) the organisation is a health service provider providing
a health service to the individual;
(ii) the use or disclosure is for the purpose of the
provision of a further health service to the individual
by the organisation;
(iii) the use or disclosure is reasonably necessary for the
provision of the further health service;
or
(f) the use or disclosure is for the purpose of the funding,
management, planning, monitoring, improvement or
evaluation of health services or for the purpose of training
provided by a health service provider to employees or persons
working with or being trained by the organisation and --
(i) it is impracticable for the organisation to seek the
individual's consent to the use or disclosure; and
(ii) either --
(I) in circumstances where that purpose cannot
be served by the use or disclosure of
information that does not identify the
individual or from which the individual's
identity cannot reasonably be ascertained,
the information is not published in a
generally available publication; or
(II) reasonable steps are taken to de-identify the
information;
or
(g) the use or disclosure is necessary for the purpose of research,
or the compilation or analysis of statistics, in the public
interest and all of the following apply --
(i) that purpose cannot be served by the use or disclosure
of information that does not identify the individual or
from which the individual's identity cannot
reasonably be ascertained;
(ii) it is impracticable for the organisation to seek the
individual's consent to the use or disclosure;
(iii) if there is no applicable code of practice relating to
the use or disclosure of information under this
paragraph, the information is used or disclosed in
accordance with guidelines approved under the
Privacy Act 1988 (Commonwealth) section 95A(2),
and, in addition, in the case of disclosure --
(iv) the organisation reasonably believes that the recipient
of the information will not disclose the information;
and
(v) the information will not be published in a form that
identifies particular individuals or from which an
individual's identity can reasonably be ascertained;
or
(h) the organisation reasonably believes that the use or disclosure
is necessary to lessen or prevent --
(i) a serious threat to an individual's life, health, safety
or welfare; or
(ii) a serious threat to public health, public safety or
public welfare;
or
(i) the organisation reasonably believes that the use or disclosure
is necessary to safeguard or promote the wellbeing of a child
or a class or group of children; or
(j) in the case of the use of genetic information about an
individual in a form which is, or could be, predictive of the
health of another individual, the organisation reasonably
believes that the use is necessary to lessen or prevent a
serious threat to that other individual's life, health, safety or
welfare and any of the following apply --
(i) reasonable steps have been taken to obtain the
consent of the first-mentioned individual;
(ii) it is not reasonably practicable to obtain the consent
of that individual;
(iii) that individual is incapable of giving consent;
or
(k) in the case of the disclosure of genetic information about an
individual in a form which is, or could be, predictive of the
health of another individual --
(i) the organisation reasonably believes that the
disclosure is necessary to lessen or prevent a serious
threat to that other individual's life, health, safety or
welfare and any of the following apply --
(I) reasonable steps have been taken to obtain
the consent of the first-mentioned
individual;
(II) it is not reasonably practicable to obtain the
consent of that individual;
(III) that individual is incapable of giving
consent;
and
(ii) subject to subclause (2), at or before the time of
disclosure (or, if that is not practicable, as soon as
practicable after disclosure) the organisation takes
reasonable steps to inform the first-mentioned
individual --
(I) that the organisation has disclosed, or is
about to disclose, genetic information about
that individual that is necessary to lessen or
prevent a serious threat to another
individual's life, health, safety or welfare;
and
(II) of the name of that other individual; and
(III) of the name of the person or body to whom
the information has been or will be
disclosed; and
(IV) in general terms, of the nature of the
information disclosed or to be disclosed;
or
(l) the organisation has reason to suspect that unlawful activity
has been, is being, or may be, engaged in and uses or
discloses the information as a necessary part of its
investigation of the matter or in reporting its concerns to
relevant persons or authorities; or
(m) the organisation reasonably believes that the use or disclosure
is necessary for one or more of the law enforcement functions
of a law enforcement agency; or
(n) the organisation reasonably believes that the use or disclosure
is necessary for one or more of the licensing functions of a
licensing agency; or
(o) the use or disclosure is necessary for the establishment,
exercise or defence of a legal or equitable claim; or
(p) in the case of a disclosure, the information is about a
deceased individual and is disclosed to --
(i) a legal representative of the deceased individual; or
(ii) an authorised representative of the deceased
individual, and the disclosure is for a purpose related
to the former powers, functions or duties of that
person; or
(iii) a person nominated in writing by the deceased
individual as eligible to receive the information; or
(iv) a relative of the deceased individual in circumstances
where the organisation has no reasonable grounds to
believe that the deceased individual would have
objected to the disclosure to that person;
or
(q) in the case of a disclosure, any of the following applies --
(i) the disclosure is to a person for the purpose of
research in relation to the person's Aboriginal family
history;
(ii) the disclosure is to a representative Aboriginal/Torres
Strait Islander body, as defined in the Native Title
Act 1993 (Commonwealth) section 253, or a public
organisation for the purpose of preparation for, or use
in relation to, an application that has been made
under Part 3 of that Act;
(iii) the disclosure is to the Parliamentary Commissioner;
(iv) the disclosure is to a coroner or the Coroner's Court
of Western Australia;
(v) the organisation is a public health agency and the
disclosure is to another public health agency.
(2) An organisation --
(a) is not required to take steps to inform an individual of a
matter referred to in subclause (1)(k)(ii) if the individual is
already aware of that matter; and
(b) must not take such steps if to do so could result in a serious
threat to the life, health, safety or welfare of any individual.
(3) If an organisation discloses health information under
subclause (1)(l), (m) or (n), it must make a record of the disclosure.
(4) Despite subclause (1), where an individual is incapable of giving
consent, an organisation providing a health service to the individual
may disclose health information about the individual to another
person if --
(a) the disclosure is made to a relative, carer or authorised
representative of the individual and, in the opinion of the
organisation, is necessary for the continued provision of
appropriate health services to, or care of, the individual; or
(b) the disclosure is made for compassionate reasons and --
(i) the organisation believes that the disclosure would
reasonably be expected by the individual; and
(ii) the disclosure is not contrary to any wish previously
expressed by the individual of which the organisation
is aware or of which the organisation could
reasonably be expected to be aware;
or
(c) the disclosure is made to the individual's authorised
representative in order for the representative to make
decisions about the individual's care and treatment or to
perform functions or duties related to the individual.
(5) Despite subclause (1), an organisation may use or disclose health
information about an individual where --
(a) it is known or suspected that the individual is dead; or
(b) it is known or suspected that the individual is missing; or
(c) the individual has been involved in an accident or other
misadventure and is incapable of consenting to the use or
disclosure,
and the use or disclosure is to the extent reasonably necessary --
(d) to identify the individual or ascertain his or her location; or
(e) to ascertain the identity and location of a relative of the
individual for the purpose of --
(i) enabling a member of the Police Force, a coroner or
other prescribed organisation to contact the relative
for compassionate reasons; or
(ii) assisting in the identification of the individual.
(6) If a disclosure to which subclause (1), (4) or (5) applies involves the
disclosure of health information to a person (other than the individual)
who is outside Western Australia, the requirements of HPP 8 must
also be met.
(7) Nothing in this principle is to be taken to prevent the disclosure of
health information by a public organisation to the Minister
responsible for the administration of that organisation.
3. Data quality
An organisation must take reasonable steps to ensure that the health
information it collects, uses or discloses is accurate, complete and up
to date.
4. Data security and data retention
(1) An organisation must take reasonable steps to protect the health
information it holds from misuse and loss and from unauthorised
access, modification or disclosure.
(2) A health service provider must retain, and must not delete or destroy,
health information relating to an individual, even if it is later found or
claimed to be inaccurate, unless --
(a) the deletion or destruction is required or authorised by or
under law; or
(b) the deletion or destruction is not prohibited by any other law
and occurs --
(i) in the case of health information collected while the
individual was a child, after the individual reaches
25 years of age; or
(ii) in any case, more than 7 years after the last occasion
on which a health service was provided to the
individual by the provider,
whichever is the later.
(3) A health service provider must create and maintain a register of health
information that has been deleted or destroyed or transferred to
another individual or organisation as follows --
(a) in the case of health information that has been deleted or
destroyed, the provider must adequately identify the
individual to whom the information related, the period of
time that the information covered and the date on which it
was deleted or destroyed;
(b) in the case of health information that has been transferred, the
provider must record the name of the individual to whom the
information relates and the name and address of the
individual or organisation to whom it was transferred.
(4) An organisation other than a health service provider must take
reasonable steps to destroy or permanently de-identify health
information if it is no longer needed for the purpose for which it was
collected or any other purpose authorised by this Act or any other law.
(5) In the case of a public organisation, the operation of
subclauses (2), (3) and (4) is subject to the State Records Act 2000.
5. Openness
(1) An organisation must set out in a document --
(a) clearly expressed policies on its management of health
information; and
(b) the steps that an individual must take if the individual wishes
to obtain access to his or her health records or to have his or
her health records corrected, whether under Part 3 or
otherwise,
and the organisation must make the document available to anyone
who asks for it.
(2) On request by an individual or an authorised representative of an
individual, an organisation must take reasonable steps --
(a) to let the individual or authorised representative know --
(i) whether the organisation holds health information
relating to the individual; and
(ii) the steps that the individual or authorised
representative must take if he or she wishes to obtain
access to the individual's health records or to have his
or her health records corrected, whether under Part 3
or otherwise;
and
(b) if the organisation holds health information relating to the
individual, to let the individual or authorised representative
know in general terms --
(i) the nature of the information; and
(ii) the purposes for which the information is used; and
(iii) how the organisation handles the information.
6. Identifiers
(1) An organisation must not assign identifiers to individuals unless the
assignment of identifiers is necessary to enable the organisation to
carry out any of its functions efficiently.
(2) A private organisation must not adopt as its own identifier of an
individual an identifier of the individual that has been assigned by
another organisation unless --
(a) the individual consents to the adoption of the same identifier;
or
(b) the use or disclosure of the identifier is required or authorised
by or under law.
(3) A private organisation must not use or disclose an identifier assigned
to an individual by another organisation unless --
(a) the use or disclosure is required for the purpose for which it
was assigned or for a purpose referred to in one or more of
HPP 2(1)(c) to (o); or
(b) the individual consents to the use or disclosure; or
(c) the disclosure is to the public organisation which assigned the
identifier to enable the public organisation to identify the
individual for its own purposes.
(4) A public organisation must not adopt as its own identifier of an
individual an identifier of the individual that has been assigned by
another public organisation unless --
(a) it is necessary to enable the public organisation to carry out
any of its functions efficiently; or
(b) the individual consents to the adoption of the same identifier.
(5) A public organisation must not use or disclose an identifier assigned
to an individual by another public organisation unless --
(a) the use or disclosure is necessary to enable the public
organisation to carry out any of its functions efficiently; or
(b) the use or disclosure is necessary for the public organisation
to fulfil its obligations to the other organisation; or
(c) one or more of HPP 2(1)(c) to (o) applies to the use or
disclosure; or
(d) the individual consents to the use or disclosure.
7. Anonymity
Wherever it is lawful and practicable, individuals must have the
option of not identifying themselves when dealing with an
organisation.
8. Transborder data flows
An organisation must not disclose health information about an
individual to a person (other than the individual) outside Western
Australia unless --
(a) the disclosure is required or authorised by or under law; or
(b) the organisation reasonably believes that --
(i) the information is relevant to the functions or
activities of the person receiving the information; and
(ii) the person receiving the information is subject to a
law, administrative scheme by which the person is
bound, or contract, that requires the person to comply
with principles for handling the information that are
substantially similar to the health privacy principles;
or
(c) the individual consents to the disclosure; or
(d) the disclosure is necessary for the performance of a contract
between the individual and the organisation or for the
implementation of pre-contractual measures taken in response
to the individual's request; or
(e) the disclosure is necessary for the performance or completion
of a contract between the organisation and a third party, the
performance or completion of which benefits the individual;
or
(f) all of the following apply --
(i) the disclosure is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the
individual to the disclosure;
(iii) if it were practicable to obtain that consent, the
individual would be likely to give it;
or
(g) the organisation --
(i) reasonably believes that the information is relevant to
the functions or activities of the person receiving the
information; and
(ii) has taken reasonable steps to ensure that the
information will not be held, used or disclosed by the
person receiving the information in a manner that is
inconsistent with the health privacy principles.
9. Transfer or closure of the practice of a health service provider
(1) In the interests of facilitating safe and effective treatment through the
timely provision of access to health information, where the practice or
business of a health service provider (the "provider") is, or is
proposed to be --
(a) sold, amalgamated or otherwise transferred and the provider
will not be providing health services in the new practice or
business; or
(b) closed down,
the provider or, if the provider is deceased, the legal representative of
the provider, as soon as practicable, must take reasonable steps to --
(c) make individuals who have received health services from the
provider aware of the sale, amalgamation, transfer or closure
of the practice or business; and
(d) inform those individuals about the proposed arrangements for
the transfer or storage of health information held by the
practice or business; and
(e) make appropriate entries in the register required under
HPP 4(3) about any transfer, storage or destruction of health
information held by the practice or business.
(2) If an individual requests a health service provider whose practice or
business is being sold, amalgamated, transferred or closed down to
transfer health information held by the health service provider about
the individual to another health service provider, the request is to be
treated as a request to which HPP 10(1)(a) applies.
(3) For the purposes of subclause (2), references in that subclause and
HPP 10 to a health service provider are to be taken to include
references to the legal representative of a health service provider if the
health service provider is deceased.
10. Making health information available to other health service
providers
(1) If an individual --
(a) requests a health service provider to make health information
held by the health service provider about the individual
available to another health service provider (the "other
provider"); or
(b) authorises a health service provider (the "requesting
provider") to request another health service provider to make
available health information held by that other health service
provider about the individual to the requesting provider,
the health service provider to whom the request is made, if it holds
health information about the individual, must, on payment of the fee
(if any) charged by the health service provider, give to the other
provider or the requesting provider, as the case requires --
(c) the health information; or
(d) a copy of the health information; or
(e) a summary of the health information.
(2) A fee charged by a health service provider for the purposes of
subclause (1) must not exceed the prescribed amount (if any).
(3) This principle does not limit or otherwise affect the operation of
Part 3 Division 2.
Schedule 5 -- Concurrent appointment as Commissioner
and Parliamentary Commissioner
[s. 119]
1. Term of office
(1) If a person is appointed at the same time to the offices of
Commissioner and Parliamentary Commissioner, the period for which
the person is appointed to the office of Commissioner must be
5 years.
(2) If the Commissioner is appointed to the office of Parliamentary
Commissioner, then, despite the Parliamentary Commissioner
Act 1971 section 5(3), the period for which he or she is appointed to
that office must not exceed the period remaining before his or her
term of office as Commissioner expires.
(3) If the Parliamentary Commissioner is appointed to the office of
Commissioner, the period for which he or she is appointed to that
office must not exceed the period remaining before his or her term of
office as Parliamentary Commissioner expires.
2. Remuneration and other conditions of service
(1) If a person is appointed at the same time to the offices of
Commissioner and Parliamentary Commissioner, the Parliamentary
Commissioner Act 1971 section 5(5) and (7) do not apply in relation
to the office of Parliamentary Commissioner and the person's
remuneration and other conditions of service are to be determined
under sections 108 and 109.
(2) If the Commissioner is appointed to the office of Parliamentary
Commissioner, the Parliamentary Commissioner Act 1971
section 5(5) and (7) do not apply in relation to that appointment.
(3) If the Parliamentary Commissioner is appointed to the office of
Commissioner, sections 108 and 109 do not apply in relation to that
appointment.
3. Rights preserved
(1) If a person is appointed at the same time to the offices of
Commissioner and Parliamentary Commissioner --
(a) section 118 applies; and
(b) the Parliamentary Commissioner Act 1971 section 10(3), (4)
and (5) do not apply,
to the person.
(2) If --
(a) the Commissioner is appointed to the office of Parliamentary
Commissioner; or
(b) the Parliamentary Commissioner is appointed to the office of
Commissioner,
the appointment does not affect his or her existing or accruing rights,
including superannuation rights, unless he or she otherwise agrees.
4. Resignation from office
If a person who holds the offices of Commissioner and Parliamentary
Commissioner resigns from one of those offices, the person is to be
taken to have resigned from the other office.
5. Removal or suspension from office
(1) If a person who holds the offices of Commissioner and Parliamentary
Commissioner is removed or suspended from one of those offices, the
person is to be taken to have been removed or suspended from the
other office.
(2) If a person who holds the offices of Commissioner and Parliamentary
Commissioner is restored to one of those offices after having been
suspended from office, the person is to be taken to have been restored
to the other office.
6. Application of clauses 7 to 10
Clauses 7, 8, 9 and 10 apply during, and in relation to, any period
when a person holds the offices of Commissioner and Parliamentary
Commissioner.
7. Deputy Commissioners and Acting Commissioners
(1) A direction given to a Deputy Commissioner under section 112(4)
may include a direction as to functions under the Parliamentary
Commissioner Act 1971.
(2) A Deputy Commissioner has, in relation to the performance of
functions referred to in subclause (1), the powers, obligations,
responsibilities and protections that are conferred or imposed on the
Deputy Parliamentary Commissioner by the Parliamentary
Commissioner Act 1971.
(3) Without limiting subclause (2), before carrying out duties referred to
in subclause (1) for the first time a Deputy Commissioner must take
an oath or make an affirmation as described in the Parliamentary
Commissioner Act 1971 section 8(1).
(4) Section 113(1) does not apply.
(5) A direction given to the Deputy Parliamentary Commissioner under
the Parliamentary Commissioner Act 1971 section 6A(1) may include
a direction as to functions under this Act and the FOI Act.
(6) The Deputy Parliamentary Commissioner has, in relation to the
performance of functions referred to in subclause (5), the powers,
obligations, responsibilities and protections that are conferred or
imposed on a Deputy Commissioner by this Act or the FOI Act.
(7) Without limiting subclause (6), before carrying out duties referred to
in subclause (5) for the first time the Deputy Parliamentary
Commissioner must take an oath or make an affirmation as described
in section 115.
(8) The Parliamentary Commissioner Act 1971 section 6A(2) applies,
with necessary modifications, as if references in it to --
(a) the Commissioner were references to the person who holds
the offices of Commissioner and Parliamentary
Commissioner; and
(b) the office of Commissioner were references to the offices of
Commissioner and Parliamentary Commissioner.
(9) A person may be appointed at the same time --
(a) under section 114 to act in the office of Commissioner; and
(b) under the Parliamentary Commissioner Act 1971 section 7 to
act in the office of Parliamentary Commissioner.
8. Functions of staff
(1) In this clause --
"office holder" means the person who holds the offices of
Commissioner and Parliamentary Commissioner.
(2) A member of the Commissioner's staff may, if authorised to do so by
the office holder, perform the functions of a member of the
Parliamentary Commissioner's staff under the Parliamentary
Commissioner Act 1971.
(3) A member of the Commissioner's staff has, in relation to the
performance of functions referred to in subclause (2), the powers,
obligations, responsibilities and protections that are given to or
imposed on a member of the Parliamentary Commissioner's staff by
the Parliamentary Commissioner Act 1971.
(4) Without limiting subclause (3), before performing functions referred
to in subclause (2) for the first time, a member of the Commissioner's
staff must take an oath or make an affirmation as described in the
Parliamentary Commissioner Act 1971 section 9(4).
(5) A member of the Parliamentary Commissioner's staff may, if
authorised to do so by the office holder, perform functions of a
member of the Commissioner's staff under this Act or the FOI Act.
(6) A member of the Parliamentary Commissioner's staff has, in relation
to the performance of functions referred to in subclause (5), the
powers, obligations, responsibilities and protections that are given to
or imposed on a member of the Commissioner's staff by this Act or
the FOI Act.
(7) Without limiting subclause (6), before performing functions referred
to in subclause (5) for the first time, a member of the Parliamentary
Commissioner's staff must take an oath or make an affirmation as
described in section 117.
(8) An authorisation given for the purposes of subclause (2) or (5) may --
(a) be expressed to apply generally or in relation to particular
functions; and
(b) specify the circumstances in which functions are to be
performed.
9. Delegation
(1) A delegation may be made under the Parliamentary Commissioner
Act 1971 section 11 to --
(a) a Deputy Commissioner as if he or she were the Deputy
Parliamentary Commissioner; or
(b) a member of the Commissioner's staff as if he or she were a
member of the Parliamentary Commissioner's staff.
(2) A delegation may be made under section 124(1) to --
(a) the Deputy Parliamentary Commissioner as if he or she were
a Deputy Commissioner; or
(b) a member of the Parliamentary Commissioner's staff as if he
or she were a member of the Commissioner's staff.
10. Confidentiality provisions
(1) Without limiting clause 7(2) or 8(3), the Parliamentary Commissioner
Act 1971 section 23 applies to information obtained by a Deputy
Commissioner or a member of the Commissioner's staff in the course
of, or for the purposes of, an investigation under that Act in the same
way that it applies to such information obtained by the Deputy
Parliamentary Commissioner or a member of the Parliamentary
Commissioner's staff.
(2) Nothing in the Parliamentary Commissioner Act 1971 section 23 is to
be taken to prevent the disclosure of information by --
(a) the Parliamentary Commissioner; or
(b) the Deputy Parliamentary Commissioner; or
(c) a member of the Parliamentary Commissioner's staff,
to a Deputy Commissioner or a member of the Commissioner's staff.
(3) Without limiting clause 7(6) or 8(6), section 131 applies to a person
who is or has been the Deputy Parliamentary Commissioner or a
member of the Parliamentary Commissioner's staff in the same way
that it applies to a person who is or has been a Deputy Commissioner
or a member of the Commissioner's staff.
(4) Nothing in section 131 is to be taken to prevent the disclosure of
information by --
(a) the Commissioner; or
(b) a Deputy Commissioner; or
(c) a member of the Commissioner's staff,
to the Deputy Parliamentary Commissioner or a member of the
Parliamentary Commissioner's staff.
Defined Terms
[This is a list of terms defined and the provisions where they are defined.
The list is not part of the law.]
Defined Term ... Provision(s)
access applicant ... 4(1)
access application ... 4(1)
access decision ... 67
Acting Commissioner ... 4(1)
agency ... 100
amendment applicant ... 4(1)
amendment application ... 4(1)
amendment decision ... 67
annual report ... 125(1)
appeal ... 92
applicable code of practice ... 4(1)
application ... 53(1)
approved code of practice ... 4(1)
authorised representative ... 4(1)
body tissue ... 5(2)
child ... 4(1)
child protection agency ... 4(1)
child protection functions ... 4(1)
code of practice ... 56
commencement day ... 160
Commissioner ... 4(1), 147
complainant ... 67
complaint ... 4(1)
complaint jurisdiction ... 87
compliance notice ... 41(1)
conciliation proceedings ... 67
conciliation proceedings record ... 67
conciliation requirement ... 67, 80(1)
conciliator ... 67, 79(5)
confidential information ... 131(1)
contractor ... 4(1)
contravene ... 4(1)
Corruption and Crime Commission ... 4(1)
court ... 4(1)
deal with ... 67
Deputy Commissioner ... 4(1)
disability ... 4(1)
disclosing agency ... 100
document ... 4(1)
entity ... 7(1)
exempt organisation ... 4(1)
FOI Act ... 4(1)
former Commissioner ... 160
handle ... 4(1)
health information ... 4(1)
health privacy code of practice ... 56
health privacy principle ... 4(1)
health record ... 4(1)
health service ... 4(1)
health service provider ... 4(1)
HPP ... 4(1)
identifier ... 4(1)
illness ... 4(1)
information ... 100
information privacy code of practice ... 56
information privacy principle ... 4(1)
initial complaint ... 74(2)
IPP ... 4(1)
judicial office ... 4(1)
law enforcement agency ... 4(1)
law enforcement functions ... 4(1)
legal representative ... 4(1)
licensing agency ... 4(1)
licensing functions ... 4(1)
member of staff ... 4(1)
mental disability ... 4(1)
new Commissioner ... 160
news activity ... 55(1)
news medium ... 55(1)
office holder ... Sch. 5, cl. 8(1)
officer ... 7(1)
officer of the Commissioner ... 118(1)
organisation ... 4(1)
other provider ... Sch. 4, cl. 10(1)
Parliamentary Commissioner ... 4(1)
parliamentary secretary ... 4(1)
permitted period ... 26(1), 45(1)
personal information ... 4(1)
prescribed amount ... 30(4)
prescribed enactment ... 100
principal officer ... 100
private organisation ... 4(1)
protected matter ... 67
provider ... Sch. 4, cl. 9(1)
public health agency ... 4(1)
public organisation ... 4(1)
public service officer ... 4(1)
record ... 4(1)
registration board ... 4(1)
relative ... 4(1)
relevant day ... 111(5)
relevant Minister ... 56
relevant person ... 131(1)
relevant provision ... 101(1)
remuneration ... 4(1), 149
report ... 145(1)
representative ... 127(1)
requesting provider ... Sch. 4, cl. 10(1)
respondent ... 67
review day ... 135(1)
Supreme Court ... 92
transitional period ... 20(1)
Tribunal ... 67
wellbeing ... 4(1)