Western Australian Bills Explanatory Memoranda Western Australian Bills Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
Information Privacy Bill 2007
Explanatory Memorandum
General
In general, this Bill --
regulates the handling of personal information by the public sector;
regulates the handling of health information by the public and private sectors;
creates a right to apply for access to, and amendment of, health records held by the private sector;
and
facilitates the exchange of personal or health information held by the public sector in appropriate
circumstances.
The Bill --
establishes a set of Information Privacy Principles governing the handling of personal information
by the public sector;
establishes a set of Health Privacy Principles governing the handling of health information by the
public and private sectors;
provides for the making and approval of information privacy codes of practice and health privacy
codes of practice;
provides for the making of complaints in respect of alleged interferences with privacy and decisions
relating to access to and amendment of health records, and establishes processes for the resolution of
those complaints;
establishes the office of Privacy and Information Commissioner, which encompasses the existing
office of Information Commissioner;
enables the offices of Parliamentary Commissioner and Privacy and Information Commissioner to
be held concurrently; and
amends the Freedom of Information Act 1992 ("the FOI Act"), the Parliamentary Commissioner Act
1971, and other Acts as a consequence of the enactment of the Information Privacy Act.
Clause Notes
Part 1 -- Preliminary
Clause 1. Short title
The Act may be cited as the Information Privacy Act 2007.
Clause 2. Commencement
Clauses 1 and 2 come into operation on the day of Royal Assent while the balance of the
Act comes into operation on a day to be fixed by proclamation. Different days may be fixed
for different provisions.
Clause 3. Objects of the Act
States the main objects of the Act.
34738R1
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 4. Terms used in the Act
Defines terms used in the Act for the purpose of their interpretation. Among other terms --
"authorised representative" defines who may be an authorised representative in relation to
an individual. An "authorised representative" may, for instance, consent to the disclosure of
an individual's personal information to another person (see cl.128), or request access to the
health information of an individual where the individual is incapable of making the relevant
decision (see cl.53);
"child protection agency" means the Public Service department principally assisting the
Minister administering the Children and Community Services Act 2004, or a prescribed
person, body or office. In certain circumstances a child protection agency does not have to
comply with some of the information privacy principles or health privacy principles (cl.11).
"child protection functions" means functions under an enactment prescribed for the
purposes of this definition.
"Commissioner" means the person holding the office of Privacy and Information
Commissioner established under this Act;
"contractor" means a person/body that handles personal information under a contract
between the person/body and a public organisation listed in Schedule 1 to the Act;
"disability" has the meaning given in s.3 of the Disability Services Act 1993.
"exempt organisation" means a person, body or office referred to in Schedule 2 including
staff.
"handle" in relation to personal or health information, means to collect, hold, use or
disclose that information.
"health service" means an activity performed in relation to an individual that is intended or
claimed by the organisation performing it, to assess, maintain or improve the individual's
health, or to diagnose or treat the individual's actual or suspected illness, injury or
disability. It also includes: disability services; palliative care services; aged care services;
and the dispensing of prescriptions for drugs or medicinal preparations by a pharmacist.
The definition does not include a health service or class of health service that is prescribed
as an exempt service;
"health service provider" means an organisation to the extent that it provides a "health
service" in Western Australia other than a health service provider or class of health service
provider that is prescribed as an exempt health service provider;
"information privacy principle" or "IPP" means an information privacy principle set out in
Schedule 3. "Health privacy principle" or "HPP" means a health privacy principle set out
in Schedule 4 to the Act. In the Act, each principle is referred to by its number. For
instance, Health Privacy Principle 1 is described as "HPP 1". The IPPs and HPPs are
broadly consistent, but the HPPs are specifically tailored to health information and the
provision of health services;
"law enforcement agency" includes the Western Australian Police, the Australian Federal
Police, the police forces of other States and Territories, the Commissioner for Public Sector
Standards, the Commissioner for State Revenue, the Corruption and Crime Commission and
other specified public bodies that carry out law enforcement or related functions. A law
enforcement agency is not required to comply with certain IPPS and HPPs if it believes on
reasonable grounds that non-compliance is necessary for the purposes of its or another law
enforcement agency's law enforcement functions (cl.11);
"licensing agency" means a person, body or office prescribed for the purposes of this
definition. This permits a person, body, or office to be prescribed as a "licensing agency"
either in respect of all, or part, of its functions and activities relating to issuing licences or
permits or any other kind of authorisations under legislation.
"mental disability" has the meaning given in s.3(1) of the Guardianship and Administration
Act 1990 -- that is, it includes "an intellectual disability, a psychiatric condition, an
acquired brain injury and dementia";
Page 2 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
"organisation" includes a public or private organisation;
"private organisation" means an individual, body corporate, partnership, trust,
unincorporated association or body other than an exempt organisation or small business
operator. Small business operators (those business operators who have an annual turnover
of less than $3,000,000 and who are not health service providers) are not included within the
definition of "private organisation" so as not to impose an undue burden on them. The
effect is that a small business that is not a health service provider, for instance a hairdresser
or sporting organisation, will not be required to comply with the HPPs. However, all health
service providers, including small businesses such as medical practitioners and others who
provide a health service, must comply with the HPPs. This approach reflects that adopted in
the Privacy Act 1988 (Cth);
"public health agency" means: the department of the Public Service principally assisting
the Minister administering the Health Act 1911; a board as defined in s.2 of the Hospitals
and Health Services Act 1927; or a person, body or office prescribed by the regulations
"public organisation" means an organisation referred to in Schedule 1 or a contractor, but
does not include an exempt organisation specified in Schedule 2 (for instance, the
Corruption and Crime Commission). Consequently, private sector contractors to public
organisations must comply with relevant IPPs and HPPs;
"record" means a record of information irrespective of the means (paper, electronic,
pictorial etc) by which the information is recorded;
"wellbeing" has the meaning given in s.3 of the Children and Community Services Act 2004
-- that is, "wellbeing of a child includes the care, development, health and safety of the
child";
Clause 4(4) clarifies that a reference in the Act to the Commissioner's functions includes a
reference to functions given to the Information Commissioner under the FOI Act. The
Privacy and Information Commissioner appointed under this Act has the functions given to
the Commissioner under the FOI Act in addition to functions under this Act.
Clause 5. Meaning of "health information"
Defines "health information". "Health information"--
· includes personal information (defined in cl.6) that is--
information or an opinion about: an individual's physical, mental or psychological
health; an individual's disability; an individual's expressed wishes about the future
provision of health services to him or her; or a health service provided to an
individual; or
collected to provide, or in providing, a "health service"; or
collected in connection with the donation of body tissue (defined in cl.5(2)); or
genetic information in a form that is, or could be, predictive of the health of an
individual or any other individual; but
· does not include--
information, or a class of information, prescribed as exempt health information.
Clause 6. Meaning of "personal information"
Defines "personal information". "Personal information" --
includes information or an opinion about an individual, whether living or dead: whose
identity is apparent or can reasonably be ascertained from the information or opinion; or
who can be identified by reference to an identifier or identifying feature; but
does not include information about an individual: who has been dead for more than 30
years; who is included in a witness protection program or subject to witness protection
arrangements; arising out of a Royal Commission; contained in an appropriate
disclosure of public interest information under the Public Interest Disclosure Act 2003;
contained in a document containing matter that is exempt matter under clause 1 of
Page 3 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Schedule 1 to the FOI Act; or that is of a class, or contained in a document of a class,
prescribed for the purposes of this section.
Clause 7. When information is held
Sets out when personal information or health information is held by an "entity" (a public
organisation, a private organisation or an exempt organisation) or an "officer" of an entity.
The entity holds personal information or health information if the information is contained
in a document that is in the possession or control of the entity or an officer of the entity
whether alone or jointly with other personal or bodies.
Sets out when a health record is held by an entity. An entity holds a health record if the
health record is in the possession or under the control of the entity, whether alone or jointly
with other persons or bodies. This provision is relevant to determining whether a private
organisation holds health records to which an individual may apply for access under the Act.
Clause 8. Related public organisations
Provides that persons are not to be regarded as separate public organisations for the
purposes of the Act by reason of holding office as a member or officer of the organisation or
holding an office established for the purposes of a public organisation.
Clause 9. Application to courts, registries and judicial officers
Provides that courts and tribunals are only required to comply with the Act in so far as the
personal or health information that they handle relates to matters of an administrative nature.
Personal or health information which is handled by a court or tribunal and which relates to
the performance by the court or tribunal of its judicial functions is not subject to the Act.
Clause 10. Publicly available information
Provides that the Act does not apply to specified types of personal or health information that
are regarded as publicly available information, such as personal information contained in
public registers which is available for inspection.
Clause 11. Application of certain privacy principles to law enforcement agencies and child
protection agencies
Provides that a law enforcement agency (as defined in cl.4) is not required to comply with
certain IPPs and certain HPPs if the agency believes on reasonable grounds that the non-
compliance is necessary for one or more of its or another law enforcement agency's law
enforcement functions.
Provides that a child protection agency (as defined in cl.4) is not required to comply with
certain IPPs and certain HPPs if the agency believes on reasonable grounds that the non-
compliance is necessary for one or more of its, or another child protection agency's, child
protection functions or in connection with proceedings in court.
Clause 12. Relationship to FOI Act and State Records Act 2000
Clarifies that this Act does not affect the operation of the FOI Act or the State Records Act
2000.
Clause 13. Nature of rights created by this Act
Clarifies that neither the Act nor an approved code of practice creates any cause of action or
enforceable right, and that a contravention of the Act or an approved code of practice is not
a criminal offence, other than in so far as is expressly provided by the Act.
Clause 14. Act binds the Crown
Provides that the Act binds the Crown.
Page 4 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Part 2 -- Personal information privacy
Clause 15. Information privacy principles
States that the IPPs are set out in Schedule 3. If there is an inconsistency between an IPP
and an approved code of practice, the code of practice prevails to the extent of the
inconsistency. If there is an inconsistency between an IPP and another enactment, the other
enactment prevails to the extent of the inconsistency.
Clause 16. Application of information privacy principles
Specifies that the IPPs apply to public organisations (as defined in cl.4), unless this Act or
another enactment provides otherwise. The application of an IPP may be modified by an
approved code of practice. The IPPs do not apply to health information.
IPP 1 (collection) and IPP 3 (data quality as it relates to collection) only apply to personal
information collected on or after the commencement of this section. IPP 2 (use and
disclosure), IPP 3 (as it relates to information used or disclosed), IPP 4 (data security), IPP 5
(openness), IPP 6 (identifiers) and IPP 8 (transborder data flows) apply to all personal
information held by a public organisation, irrespective of when it was collected.
Clause 17. Public organisations to comply with information privacy principles
Provides that a public organisation must not do anything, or engage in any practice, that
contravenes an IPP that applies to that organisation.
Part 3 -- Health information privacy
Clause 18. Health privacy principles
States that the HPPs are set out in Schedule 4. If there is an inconsistency between an HPP
and an approved code of practice, the code of practice prevails to the extent of the
inconsistency. If there is an inconsistency between an HPP and another enactment, the other
enactment prevails to the extent of the inconsistency.
The core elements of the HPPs are consistent with the IPPs. However, the HPPs
specifically address issues pertaining to health information (for instance, disclosure of
genetic information) and the provision of health services (for instance, making health
information available to other health service providers), and have been modified so as to
apply to both public and private organisations. (In contrast, the IPPs only apply to public
organisations and contractors to public organisations.)
Clause 19. Application of health privacy principles
Specifies that the HPPs apply to both public and private organisations that are health service
providers or that collect, hold or use health information unless this Act or another enactment
provides otherwise. (As noted above at cl.4, small business operators who have an annual
turnover of less than $3,000,000 who are not health service providers are excluded even if
they collect, hold or use health information.)
Provides for the application of an HPP to be modified by an approved code of practice.
Specifies that HPP 1 (collection) and HPP 3 (data quality as it relates to collection), only
apply to health information collected on or after commencement of this section. HPP 2,
(use and disclosure), HPP 3 (as it relates to health information used or disclosed), HPP 4
(data security and retention), HPP 5 (openness), HPP 6 (identifiers), HPP 8 (transborder data
flows), HPP 9 (transfer or closure of practice), and HPP 10 (making health information
available to other health service providers) apply to all health information held irrespective
of when it was collected.
Page 5 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 20. Organisations to comply with health privacy principles
Provides that, subject to the transitional arrangements set out in this clause, an organisation
must not do any thing, or engage in any practice, that contravenes an HPP that applies to the
organisation.
Allows for a transitional period and the extension of that period. This recognises that
compliance with HPP 1 or HPP 2 from the first day of commencement may not always be
feasible where a contract entered into before the commencement of this section requires the
performance of an act or practice that would contravene either of these principles.
Division 2 -- Access to health records
Contains provisions relating to the right of an individual to access a health record held by a private
organisation. These provisions are modelled on those contained in the FOI Act.
Subdivision 1 -- Preliminary
Clause 21. Application of Division
Specifies that this Division does not apply to a health record held by an organisation that is
an agency under the FOI Act. If an individual's health record is held by such an agency, the
individual already has a right of access to the record under the FOI Act.
Provides that this Division applies to all health records (other than those of an agency under
the FOI Act) irrespective of when the health information in the record was collected.
Subdivision 2 -- Right of access and access applications
Clause 22. Right of access
Creates a right for an individual to be given access to a health record about that individual
that is held by a private organisation. The right of access is not affected by the individual's
reasons for wishing to obtain access or an organisation's belief as to those reasons.
Clause 23. Access application
Provides that an individual who wishes to access his or her health record must make an
application to the organisation that holds the record. If necessary the organisation must
assist the individual to make the application in a manner that complies with the requirements
specified in cl.24.
Clause 24. How access application is made
Provides that an access application must be in writing, and specifies the matters that must be
addressed in the application. Also allows for an application to include a request that access
be given in a particular way, for instance by being given a copy of the health record or by
being given a summary (see cl.38).
Clause 25. Withdrawal of access application
Provides that an applicant may withdraw an access application.
Subdivision 3 -- Procedure for dealing with access applications
Clause 26. Decisions as to access and charges
Requires an organisation to decide whether to give or refuse access as soon as practicable or
before the end of the "permitted period" (45 days, subject to extensions or reductions of that
period, as agreed between the applicant and the organisation or permitted by the
Commissioner) and to notify the applicant in writing of the decision and of any charge
Page 6 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
payable. If an access applicant is not notified of the outcome of the application within the
permitted period, the applicant is taken to have received written notice that the application
has been refused. On application by the applicant, the Commissioner may reduce the time
allowed to deal with the access application. On application by the organisation, the
Commissioner may grant an extension of time to the organisation to deal with the access
application in which case the organisation must notify the applicant of the extension as soon
as practicable.
Clause 27. Organisation may request consultation or further information
Provides that an organisation may request the applicant to consult with or provide further
information to the organisation about the access application, but must not request or inquire
into the applicant's reasons for requesting access.
Clause 28. Ambit of access application may be reduced by agreement
Permits an organisation, with the agreement of the applicant, to deal with the access
application as if it related to only the part of the health record that contains information of
the kind requested by the applicant.
Clause 29. Charges for access to health records
Provides that an organisation may require an applicant to pay a charge before being given
access to a health record. If an applicant is required to pay such a charge, the amount of the
charge must be calculated by the organisation in accordance with the principles set out in
this clause, or, where those principles require, the charge must be waived. Except where an
advance deposit is required under cl.31, an organisation must not require the payment of a
charge until it has notified the applicant of the decision to give access to the health record.
Clause 30. Estimate of charges
Requires an organisation, when requested by an access applicant, to provide the applicant
with an estimate of the charges that might be payable for dealing with the application and
the basis on which the estimate is made. Irrespective of whether or not the applicant has
requested an estimate, if the organisation estimates the charges might exceed a prescribed
amount (presently set at $60), the organisation must notify the applicant and ask whether the
applicant wishes to proceed.
Clause 31. Advance deposits
Permits an organisation to give a notice to an access applicant requiring the applicant to pay
a deposit for dealing with the access application, and sets out the obligations of the
organisation if a deposit is required including, if the applicant so requests, discussing means
to reduce the charges.
Clause 32. Failure of access applicant to notify intention or pay deposit
Provides that if a notice is given to an access applicant in respect of an estimate of charges
and the applicant does not notify the organisation within 30 days that he or she intends to
proceed, the applicant is to be taken to have withdrawn the application. Similarly, if a
notice is given that the applicant must pay a deposit and the deposit is not paid within 30
days, the applicant is to be taken to have withdrawn the application.
Clause 33. Organisation may refuse to deal with an application in certain cases
Requires an organisation to help an access applicant to change the access application so as
to reduce the amount of work needed to deal with it, if that work would divert a substantial
and unreasonable portion of the organisation's resources from its other operations.
Permits an organisation to refuse to deal with an application if the work needed to deal with
it cannot be sufficiently reduced, or the application is substantially in the same terms as one
Page 7 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
already made by the applicant to the organisation. In either case the organisation must
notify the applicant in writing stating the reasons for refusal and the applicant's appeal
rights.
Clause 34. Giving access
Requires the organisation to give the access applicant access to the health record if it has
decided to give access and any charges have been paid.
Clause 35. Refusal of access
Lists the grounds on which an organisation may refuse to give access to a health record.
Refusal is subject to cl.36.
Clause 36. Access to edited copy of health record
Allows an organisation to give access to an edited copy of a health record if it is practicable
to do so, if the organisation consider the applicant would wish to be given access to an
edited copy, and either one or more of the grounds for refusal of access apply to particular
matter in the record, or the record contains matter that may reasonably be regarded as being
outside the ambit of the application.
Clause 37. Health records that cannot be found or do not exist
Permits an organisation to notify an applicant that access to a health record cannot be given
because the requested record cannot be found or does not exist. The sending of such a
notice is to be regarded as a decision to refuse access.
Clause 38. Ways in which access may be given
Specifies the ways in which access may be given to a health record. These include:
inspection of the record; giving the applicant a copy of the record; giving the applicant a
summary of the record; and/or giving an explanation of the health information in the record.
However, this does not preclude an organisation giving access in some other way agreed
between the organisation and the applicant.
Provides that if access to a health record is given in a way other than that requested by the
applicant, any charge imposed by the organisation must not exceed the charge which the
applicant would have been required to pay if access had been given in the way requested.
Provides that if all of the health information contained in a health record was collected
before the commencement of this Act, access may be given by giving a summary of the
information.
Clause 39. Information detrimental to health of access applicant
Provides that it is sufficient for access to information in a health record to be given to a
suitably qualified person nominated by the applicant if in the opinion of the organisation the
information may have a substantial adverse effect on the physical, mental or psychological
health of the applicant. The organisation may withhold access until a person who is, in the
opinion of the organisation, suitably qualified, is nominated.
Clause 40. Notice of decision
Specifies the details that must be included in a notice given under cl.26 in respect of a
decision as to access to a health record.
Clause 41. Applications may be regarded as having been withdrawn in certain circumstances
Permits an organisation to give an access applicant a "compliance notice" advising the
applicant that he or she may be regarded as having withdrawn the access application if the
applicant does not do certain things, namely providing information or consulting with the
Page 8 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
organisation (under cl.27), nominating a suitably qualified person (under cl.39) or obtaining
access to a health record. The compliance notice must contain the details specified in the
clause.
Allows an organisation to regard an applicant as having withdrawn the application if the
applicant has not complied with the requirements of a compliance notice within 30 days. If
the organisation decides to regard an access applicant as having withdrawn the application,
the organisation must give the applicant a written notice of that decision, which contains the
details set out in the clause.
Division 3 -- Amendment of health records
Contains provisions relating to the right of an individual to apply for an amendment of a health record
held by a private sector organisation. These provisions are modelled on those in the FOI Act.
Subdivision 1 -- Preliminary
Clause 42. Application of Division
Specifies that this Division does not apply to a health record held by an organisation if that
organisation is an agency under the FOI Act. If an individual's health record is held by such
an agency, the individual already has a right to apply for amendment of the record under the
FOI Act.
Provides that this Division applies to all health records irrespective of when the health
information in the record was collected.
Subdivision 2 -- Right to apply for amendment and amendment applications
Clause 43. Right to apply for health record to be amended
Creates a right for an individual to apply for amendment of a health record relating to that
individual which is held by a private sector organisation if the record is inaccurate,
incomplete, out of date or misleading. If necessary the organisation must assist the
individual to make the application so that it complies with the requirements specified in this
Division.
Clause 44. How amendment application is made
Provides that an amendment application must be in writing, and specifies the matters that
must be addressed in the application. Also provides that the application may include a
request that the amendment be made in a particular way or ways, namely by altering, but not
by deleting, information in the health record, or by inserting information or a note into the
health record.
Subdivision 3 -- Procedure for dealing with amendment applications
Clause 45. Decisions as to amendment
Requires an organisation to deal with an amendment application as soon as practicable or
before the end of the "permitted period" (30 days, subject to extensions or reductions of that
period, as agreed between the applicant and the organisation or permitted by the
Commissioner) and to notify the applicant in writing of the decision and of any charge
payable. If an access applicant is not notified of the outcome of the application within the
permitted period, the applicant is taken to have received written notice that the application
has been refused. On application by the organisation, the Commissioner may grant an
extension of time to the organisation to deal with the amendment application in which case
the organisation must notify the applicant as soon as practicable.
Page 9 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 46. Notice of decision
Requires the organisation to give the amendment applicant a notice specifying the date of
the decision, who made the decision, and either the details of the amendment made or the
reasons for refusal to amend, together with the applicant's appeal rights and right to request
a notation or attachment be made to the health record.
Clause 47. How organisation may amend health record
Specifies the ways in which an organisation may decide to amend a health record, namely
by altering information in the record (otherwise than by deletion) or by inserting
information or a note into the health record. Also specifies what must be included in any
note inserted in a health record.
Clause 48. Request for notation or attachment disputing accuracy of health record
Provides for an amendment applicant whose amendment application has been refused to
request in writing that the organisation make a notation or attachment to the health record.
Such a request may be made irrespective of whether or not the applicant has made a
complaint in respect of the organisation's decision.
Requires an organisation to comply with a request for notation or attachment unless the
requested notation or attachment is defamatory or unnecessarily voluminous.
Obliges the organisation to give the applicant a written notice of a decision not to comply
with a request for notation or attachment.
Clarifies that the organisation may include an edited or abbreviated form of the requested
notation or attachment, but this does not constitute compliance with the request.
Clause 49. Other users of health record to be advised of requested amendment
Requires an organisation that gives a health record to another person (including another
organisation) to advise the other person if a claim has been made that the record is
inaccurate, incomplete, out of date or misleading, and to include or attach particulars of any
attachment or notation made to the record under cl.48.
Clause 50. Organisation may give reasons for not amending information
Confirms that an organisation is not prevented from adding to a notation or attachment made
under cl.48 the organisation's reasons for deciding not to amend the health record in
accordance with the amendment application, or from including them in, or attaching them
to, a statement given under cl.49(1).
Clause 51. No charge for application or request
Provides that no fee or other charge is payable in respect of an application or request under
this Division.
Division 4 -- General
Clause 52. Part not intended to limit access or amendment that is otherwise lawful
Clarifies that this Part is not intended to prevent or discourage the giving of access or the
amendment of health records, otherwise than under this Part if that can properly be done or
is permitted or required by law to be done.
Clause 53. Application on behalf of an individual
Permits an authorised representative of an individual to make an access application, an
amendment application, or a request referred to in HPP 9(2) or 10(1) on behalf of the
individual if the individual is incapable of making the application or request.
Page 10 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Specifies when an individual is incapable of making an application or request.
Clause 54. Personal, family or household affairs
Provides that neither this Part of the Act, nor an HPP, applies to health information held by
an individual or the handling of health information by an individual only for the purposes of,
or in connection with, his/her personal, family or household affairs.
Clause 55. News media
Exempts a "news medium" (as defined) from the application of the HPPs and Part 3 of the
Act but only in respect of the handling of health information by the news medium in
connection with its "news activities" (as defined). The provision does not exempt a news
medium from complying with the HPPs in other circumstances, for instance, where the
news medium holds health information about its staff.
Part 4 -- Codes of practice
Provides for the making of codes of practice modifying the application or operation of one or more of
the IPPs or HPPs.
Clause 56. Terms used in this part
Defines terms used in Part 4 of the Act.
Clause 57. Information privacy code of practice
Provides that an information privacy code of practice is a code that modifies the application
or operation of one or more of the IPPs. An information privacy code of practice may apply
to specified personal information or a class thereof, a specified activity or class thereof, and
a specified public organisation or class thereof. An information privacy code: must specify
the public organisations bound by it; only applies to a public organisation that agrees to be
bound by it; must not modify the application or operation of an IPP unless the organisation
otherwise would not reasonably be capable of complying with the IPP; and the application
or operation of the IPP may be modified only to the extent reasonably necessary to enable
compliance.
Clause 58. Health privacy code of practice
Provides that a health privacy code of practice is a code of practice that modifies the
application or operation of one or more of the HPPs. A health privacy code of practice may
apply to specified health information or a class thereof, a specified activity or class thereof,
and a specified organisation or class thereof. A health privacy code: must specify the
organisations bound by it; only applies to a public or private organisation that agrees to be
bound by it; must not modify the application or operation of an HPP unless the organisation
otherwise would be incapable of complying with the HPP; and the application or operation
of the HPP may be modified only to the extent reasonably necessary to enable compliance.
Clause 59. Preparation of code of practice by organisation
Provides for a public organisation to prepare an information privacy code and submit it to
the Commissioner. Provides for a public or private organisation to prepare a health privacy
code and submit it to the Commissioner. Permits consultation with third parties or the
public in the preparation of the Code.
Clause 60. Preparation of code of practice by Commissioner
Permits the Commissioner to prepare a code of practice on his or her own initiative. Permits
consultation with third parties or the public in the preparation of the Code.
Page 11 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 61. Submission of code of practice to relevant Minister
Provides for the Commissioner to submit a code of practice to the relevant Minister for
approval. In the case of an information privacy code the relevant Minister is the Minister
administering this Act, and in the case of a health privacy code the relevant Minister is the
Minister administering the Health Act 1911 (see definition of "relevant Minister" at cl.56).
Clause 62. Approval of code of practice
Provides for the relevant Minister to approve a code of practice by notice published in the
Gazette provided the Minister is satisfied that the code of practice complies with the
requirements of cl.57 or cl.58, as the case requires.
Clause 63. Publication and operation of approved code of practice
Requires an approved code of practice to be published in the Gazette, and specifies when it
comes into operation.
Clause 64. Amendment, revocation or replacement of approved code of practice.
Permits the relevant Minister to amend, replace or revoke an approved code of practice by
notice published in the Gazette, and specifies the date on which a revocation takes effect.
Clause 65. Organisation to comply with applicable code of practice
Provides that an organisation must not contravene an approved code of practice that applies
to that organisation.
Clause 66. Register
Requires the Commissioner to keep a register of approved codes of practice, and permits a
person to inspect and obtain a copy of or an extract from that register.
Part 5 -- Complaints
Provides a process for making and resolving complaints in respect of alleged interferences with
privacy or decisions in respect of an application for access to, or amendment of, a health record.
Division 1 -- Preliminary
Clause 67. Terms used in this part
Defines terms used in Part 5 of the Act. Among other terms --
"complainant" includes the individual who makes a complaint and the individual who
makes a complaint on behalf of another individual.
"protected matter" is matter contained in a health record that gives rise to a ground for
refusal of access to the health record (cl.35).
"Tribunal" means the State Administrative Tribunal.
Clause 68. What constitutes an interference with privacy
Specifies when "an interference with the privacy of an individual" occurs which may be the
subject of a complaint under the Act. An interference with privacy includes: a
contravention by a public organisation of any of the IPPs; a contravention by a public or
private organisation of any of the HPPs; and a contravention by a public or private
organisation of an applicable code of practice.
Page 12 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Division 2 -- Complaints and procedures for dealing with them
Clause 69. Complaints
Provides that a complaint may be made to the Commissioner about: an alleged interference
with privacy; a decision under the Act by an organisation in respect of access to or
amendment of a health record; or an alleged contravention of a conciliation requirement.
Clause 70. Who may make a complaint
Specifies who may make a complaint.
Clause 71. Complaint on behalf of an individual
Permits an authorised representative of an individual (as defined in cl.4) to make a
complaint on behalf of the individual if the individual is incapable. Specifies that an
individual is incapable if he or she is incapable because of age, illness, physical impairment
or mental disability of understanding the general nature and effect of making the complaint,
or of making the complaint, despite reasonable assistance.
Clause 72. How and when a complaint can be made
Specifies how, where and the time limits within which, a complaint may be made: a
complaint must be in writing, give particulars of the complaint, give an address in Australia
to which notices can be sent, give any other information required by regulations, and be
lodged at the office of the Commissioner. A complaint must be lodged within 6 months of
the complainant becoming aware of the alleged interference with privacy or the alleged
contravention of a conciliation requirement, or within 6 months of the complainant's receipt
of the organisation's written decision, but the Commissioner may allow a complaint to be
lodged at a later date.
Clause 73. Commissioner may decide not to deal with a complaint
Gives the Commissioner a discretion to refuse to deal with a complaint in specified
circumstances, for instance, if the complaint is frivolous, vexatious, misconceived or lacking
in substance, or the complainant has not first complained about the matter to the respondent.
If the Commissioner decides not to deal with the complaint, he or she must notify the
complainant of the decision, the reasons for it, and any rights of appeal to the State
Administrative Tribunal ("the SAT").
Clause 74. Referral of complaint to respondent in certain circumstances
Requires the Commissioner, if he or she has refused to deal with a complaint, to refer the
complaint to the respondent in certain circumstances. Requires the respondent, if the
Commissioner has referred a complaint to it, to deal or continue to deal with it. In such
circumstances the complainant may not complain again to the Commissioner until the
respondent has notified the complainant that the respondent has finished dealing with the
complaint, or until 3 months have passed since the complaint was referred to the respondent.
Clause 75. Referral of complaint to Tribunal if Commissioner decides not to deal with it
Provides for the complainant to serve a written notice on the Commissioner requiring the
Commissioner to refer the complaint to the SAT if the Commissioner has notified the
complainant under cl.73(2) that he or she refuses to deal with the complaint for a reason
referred to in cl.73(1)(a), (b), (c), (e)(i), or (f). The notice must be served on the
Commissioner within 21 days of the complainant receiving the cl.73(2) notice.
Page 13 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 76. Notification of complaint
Requires the Commissioner to notify the respondent in writing of a complaint unless the
Commissioner has decided not to deal with it.
Clause 77. Withdrawal of complaint
Provides for a complainant to withdraw a complaint. A complainant who withdraws a
complaint may not make another complaint about the same matter without the prior written
permission of the Commissioner.
Clause 78. Parties to conciliation proceedings
Identifies the parties to conciliation proceedings.
Clause 79. Procedure
Sets out the procedure to be followed in conciliation proceedings. Gives the Commissioner
the power to obtain information and make investigations and inquiries. Requires
conciliation proceedings to be conducted informally and expeditiously and provides that the
Commissioner is not bound by the rules of evidence. Permits the Commissioner to
determine the procedure for conciliation proceedings and requires the Commissioner to
ensure the parties are given a reasonable opportunity to make submissions. Enables the
Commissioner to appoint a conciliator to deal with the complaint, and gives a conciliator the
power to require the parties to appear before him or her. Provides for a party in conciliation
proceedings to appear personally or by an agent other than a solicitor or counsel, or, with the
leave of the Commissioner, to be represented by a solicitor or counsel.
Makes evidence of things said or done in the course of conciliation proceedings
inadmissible in SAT proceedings. This is intended to encourage open discussion in
conciliation proceedings, without the parties fearing that what they say or do may be used
against them in SAT proceedings if conciliation is not successful.
Clause 80. Conciliation proceedings record
Requires the Commissioner, if conciliation is successful, to prepare a document (a
"conciliation record") in consultation with the parties setting out the outcome of the
proceedings, the terms on which the complaint is resolved, any "conciliation requirement"
that must be complied with by the respondent, and to give a copy to each party.
Requires the Commissioner, if he or she is of the opinion that the complaint cannot be
conciliated, or conciliation has not been successful or the nature of the complaint is such
that it should be referred to the SAT, to prepare and give to each party a document which
sets out that opinion and to inform the complainant of his or her appeal rights to the SAT.
Clause 81. Power to obtain information and documents and compel attendance
Gives the Commissioner the power to require any person who has information or a
document relevant to the complaint to provide the information or produce the document or
appear before the Commissioner. Mirrors the power in s.72 of the FOI Act.
Clause 82. Power to examine
Gives the Commissioner the power to examine witnesses who have been required to attend
under cl.81. Mirrors the power in s.73 of the FOI Act.
Clause 83. Commissioner to ensure non-disclosure of certain matter
Requires the Commissioner in dealing with a complaint to ensure non-disclosure of
protected matter (defined in cl.67) by reference to the grounds for refusal of access to a
health record under cl.35.
Page 14 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 84. Production of certain health records for inspection
Gives the Commissioner the power to require an organisation to produce a health record for
inspection so that the Commissioner can consider whether it contains protected matter.
Requires the Commissioner to ensure that any such health record is not disclosed and that it
is returned to the organisation when the complaint has been dealt with. This obligation is
subject to the Commissioner's obligation to provide the Tribunal with the matter set out in
cl.86.
Clause 85. Referral of unresolved complaint to Tribunal
Provides that a complainant who has been notified by the Commissioner that a complaint
cannot be, or has not been, conciliated, or should be referred to the SAT, may within 21
days require the Commissioner to refer the complaint to the SAT.
Clause 86. Provision of information to Tribunal
Provides that if a complaint is referred to the SAT, the Commissioner must give to the SAT
a statement of the reasons for the referral and other documents and material relevant to the
SAT's consideration of the complaint. Clarifies that an organisation's obligation to provide
a statement, documents and material to the SAT under s.24 of the SAT Act is not affected.
Division 3 -- State Administrative Tribunal's jurisdiction as to
complaints
Clause 87. Meaning of "complaint jurisdiction"
Defines "complaint jurisdiction" to mean the SAT's original jurisdiction under the SAT
Act in relation to a complaint of an alleged interference with privacy or alleged
contravention of a conciliation agreement, and the SAT's review jurisdiction under the SAT
Act in relation to a complaint about an access or amendment decision.
Clause 88. Presiding member of Tribunal
Specifies that a legally qualified member must preside when the SAT is exercising its
complaint jurisdiction.
Clause 89. Tribunal to ensure non-disclosure of certain matter
Requires the SAT when exercising its complaint jurisdiction to avoid disclosure of protected
matter.
Permits the SAT to allow a solicitor or counsel representing a party to examine a health
record on such terms and conditions as the SAT thinks fit including that the solicitor or
counsel does not disclose protected matter to a party to the proceeding or to another person.
Permits the SAT to receive evidence and hear argument in the absence of the public and any
party or person representing a party in order to prevent the disclosure of protected matter.
Proscribes the inclusion of protected matter in a decision of the SAT or its reasons.
Clause 90. Decisions of the Tribunal
Provides that after hearing a complaint relating to an alleged interference with privacy the
SAT may dismiss the complaint, or find the complaint or part of it substantiated and:
order that the respondent-- cease the interference; and/or perform any reasonable act or
course of conduct to redress any loss or damage suffered by the complainant; and/or pay
compensation to the complainant of up to $40,000 for any loss or damage suffered as a
result of the interference with privacy; or
decline to take further action.
Page 15 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Provides that after hearing a complaint relating to an alleged contravention of a conciliation
requirement the SAT may: dismiss the complaint; or find the complaint or part of it
substantiated and order that the respondent comply with the conciliation requirement; or
find the complaint or part of it substantiated but decline to take further action.
Enables the SAT, in determining a complaint relating to an access or amendment decision,
to review any decision of the organisation and decide any matter in relation to the relevant
access or amendment application. These powers are in addition to any other power the SAT
has under the SAT Act.
Provides that after hearing a complaint relating to an access or amendment decision the SAT
may: affirm the decision under review; vary the decision; or set aside the decision under
review and substitute its own decision. For instance, the SAT may order that the
organisation must provide access to the health record the subject of the dispute or to an
edited copy of that record. Provides that if it is established that a health record contains
protected matter, the SAT does not have power to decide that access is to be given to that
health record.
Provides that a decision of the SAT has effect from when it is made.
Clause 91. Restrictions under other laws not applicable
Provides that no legal obligation to maintain secrecy or not to disclose information applies
to the disclosure of information by an organisation for the purposes of the exercise by the
SAT of its complaint jurisdiction.
Division 4 -- Appeals
Clause 92. Terms used in this Division
Defines "appeal" and "Supreme Court" for the purposes of this Division.
Clause 93. Appeal from the Tribunal's decision
Provides for a party to a proceeding to appeal from a decision of the SAT to the Supreme
Court except in respect of certain matters (listed in cl.93(2)). An appeal may only be
brought on a question of law and only if the court gives leave (SAT Act s.105). An appeal
does not affect the operation or implementation of the decision appealed against unless the
Supreme Court stays the operation of the decision (SAT Act s.106).
Clause 94. No access to health record containing exempt matter
Provides that if it is established that a health record contains protected matter, the Supreme
Court does not have power to decide that access is to be given to that health record.
Clause 95. Power to impose terms on orders
Provides that an order of the Supreme Court on an appeal may be made on terms and
conditions that the Court thinks fit, and that if the appellant is an organisation it bears its
own costs.
Clause 96. Court to ensure non-disclosure of certain matter
Requires the Supreme Court in hearing and determining an appeal to avoid disclosure of
protected matter. Allows the Court to permit a solicitor or counsel representing a party to
examine the health record on the condition that the solicitor or counsel does not disclose the
protected matter to a party to the proceeding or to another person. Permits the Court to
receive evidence and hear argument in the absence of the public and any party or
representative in order to prevent the disclosure of protected matter. Provides that the Court
must not include protected matter in its decision or reasons for decision on the appeal.
Page 16 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 97. Production of documents
Provides that for the purposes of hearing and determining an appeal the Supreme Court may
require an organisation to produce documents, and obliges the Court to ensure the
confidentiality of such documents and arrange for their return to the organisation.
Clause 98. Restrictions under other laws not applicable
Provides that no legal obligation to maintain secrecy or not to disclose information applies
to the disclosure of information by an organisation to the Supreme Court on an appeal.
Clause 99. Other procedure
Provides that, unless otherwise provided for, the Supreme Court may determine its
procedure on an appeal.
Part 6 -- Exchange of information
This Part overrides prohibitions on the disclosure by public organisations of personal and health
information, whether those prohibitions result from other statutes, the common law, or ethical or
professional obligations, provided the disclosure meets certain criteria, for example, that the
disclosure is for the purpose for which the information was collected, or that the disclosure falls
within certain specified exceptions to IPP & HPP 2 (Use and disclosure). These exceptions include
disclosure: to lessen or prevent a serious threat to an individual's life, or to an individual's or public
health, to an individual's or public safety or to an individual's or public welfare; to safeguard or
promote the wellbeing of a child or group of children; for law enforcement; for the performance of the
licensing functions of a licensing agency; and for the purposes of health research in the public
interest. Personal or health information may be disclosed by a public organisation within these
circumstances despite any law relating to confidentiality or secrecy, and without any civil or criminal
liability, or breach of any common law or ethical duty of confidentiality or professional standards.
Clause 100.Terms used in this part
Defines the meaning of terms used in Part 6 of the Act--
"agency" includes the public organisations listed in Schedule 1 and exempt organisations
(for instance, a Minister, the Corruption and Crime Commission, the Ombudsman);
"information" includes health information and personal information;
"prescribed enactment" means an enactment declared by the regulations to be a prescribed
enactment for the purposes of this Part.
Clause 101.Construction of certain references for the purposes of this Part
Provides that for the purposes of this Part a reference in specified IPPs and HPPs to an
organisation or a public organisation is to be regarded as including a reference to an exempt
organisation.
Provides that if the application or operation of any of certain specified IPPs and HPPs is
modified by an approved code of practice by which the disclosing agency is bound, a
reference in Part 6 to that IPP or HPP is to be regarded as including a reference to each
provision of the approved code of practice that modifies the application or operation of that
IPP or HPP.
Clause 102.Exchange of information between agencies.
Specifies the circumstances in which an agency may disclose personal information or
health information to another agency so as to attract the protection from liability afforded
by Part 6.
The circumstances of disclosure include --
· personal information may be disclosed by an agency if the agency reasonably believes
that the disclosure is necessary: to lessen or prevent a serious threat to an individual's
Page 17 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
life, health, safety or welfare (IPP 2(1)(e)(i)); to safeguard or promote the wellbeing of a
child (IPP 2(1)(f)); or for the law enforcement functions of a law enforcement agency
(IPP 2(1)(h));
· health information may be disclosed by an agency if the agency reasonably believes that
the disclosure is necessary for the purpose of research, or the compilation or analysis of
statistics, in the public interest provided certain specified conditions are satisfied (HPP
2(1)(g)); or to lessen or prevent a serious threat to public health, public safety or public
welfare (HPP 2(1)(h)(ii)).
Provides that a decision to disclose information under this clause may be made by the
principal officer of the agency or by an officer authorised by the principal officer for that
purpose.
Clause 103.Exchange of information between agencies and other persons
Permits an agency (as defined in cl.100) with the approval of the Commissioner, to disclose
personal or health information held by the agency to a person or body other than an agency,
but only in limited circumstances (specified in cl.103(4), (5) and (6)) so as to attract the
protection from liability afforded by Part 6. For instance, personal information about an
individual may be disclosed to a person or body other than an agency if it is known or
suspected that the individual is dead or missing and the disclosure is necessary to identify
the individual (IPP 2(3)), or if the disclosure is necessary for the licensing functions of a
licensing agency (IPP 2(1)(i)).
Sets out the procedure to be followed by the disclosing agency in applying to the
Commissioner for approval for such a disclosure of information, and the criteria to be
applied by the Commissioner in determining whether to approve the disclosure of personal
information (cl.103(4)) or health information (cl.103(5)). The Commissioner must not
approve a disclosure if it contravenes a prescribed enactment or is required or authorised
under a prescribed enactment.
Clause 104.Scope of disclosure powers
Provides that cl.102 and cl.103 do not authorise disclosure of information if disclosure of
the information contravenes a prescribed enactment or is required or authorised under a
prescribed enactment. Clarifies that the powers conferred on an agency by cl.102 and 103
may be exercised despite any enactment relating to confidentiality or secrecy and are in
addition to any other powers the agency may have.
Clause 105.Protection from liability for disclosure
Provides that a person who in good faith discloses personal information or health
information in accordance with cl.102 or cl.103 does not incur any civil or criminal liability
in respect of the disclosure, is not regarded as in breach of any legal duty of confidence or
secrecy and is not regarded as a breach of any professional ethics or standards or as
unprofessional conduct.
Part 7 -- Privacy and Information Commissioner
Establishes the Office of Privacy and Information Commissioner and sets out the functions
and powers of that Office.
Division 1 -- Office of Privacy and Information Commissioner
Clause 106.Privacy and Information Commissioner
Establishes an office of Privacy and Information Commissioner.
Clause 107.Appointment of Commissioner
Page 18 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Sets out the method and term of appointment of the Commissioner.
Clause 108.Remuneration
Provides for remuneration of the Commissioner to be determined by the Salaries and
Allowances Tribunal.
Clause 109.Leave and other conditions of service
Provides for leave and other conditions of service of the Commissioner to be determined by
the Governor.
Clause 110.Resignation of Commissioner
Sets down how the Commissioner may resign from office.
Clause 111.Removal and suspension from office
Provides for: the removal or suspension from office of the Commissioner by the Governor
on addresses from both Houses of Parliament; and suspension from office of the
Commissioner by the Governor if the Commissioner is incapable, has performed
incompetently, or has been guilty of misconduct.
Clause 112.Deputy Privacy and Information Commissioner
Establishes an office of Deputy Privacy and Information Commissioner. Permits the
appointment of a Deputy Privacy and Information Commissioner by the Governor if the
Governor is satisfied that it is necessary or expedient to do so.
Clause 113.Deputy Commissioner may act as Commissioner
Provides that if there is a Deputy Commissioner, the Deputy Commissioner is to act in the
office of Commissioner and perform the functions of that office during a period when the
Commissioner is absent from duty or unable to perform the functions of the office, is
suspended or the office is vacant.
Clause 114.Acting Commissioner
Provides for the appointment by the Governor of an Acting Commissioner to act in the
office of Commissioner and perform the functions of that office for a period not exceeding
12 months if the Commissioner is absent from duty or unable to perform the functions of the
office, is suspended or the office is vacant.
Clause 115.Oath or affirmation of office - Commissioner, Deputy Commissioner and Acting
Commissioner
Requires an appointee to the office of Commissioner, Deputy Commissioner or Acting
Commissioner to take an oath or make an affirmation before performing the functions of
Commissioner.
Clause 116.Staff of Commissioner
Enables the Commissioner to appoint staff for the performance of the Commissioner's
functions and provides for the determination of the remuneration and terms and conditions
of service of those staff. Permits the Commissioner to make use of staff of the Public
Service or other State instrumentalities.
Clause 117.Oath or affirmation - members of staff
Requires staff of the Commissioner to take an oath or make an affirmation before
performance of functions under this Act or the FOI Act.
Page 19 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 118.Rights of officers preserved
Entitles a public service officer appointed as Commissioner, Deputy Commissioner or a
member of staff of the Commissioner to retain any accruing and existing rights including
any rights to superannuation. Provides that the service of a person who ceases to be
Commissioner, Deputy Commissioner or a member of staff of the Commissioner is to be
regarded as service in the Public Service for the purposes of determining that person's rights
as a public service officer and any superannuation entitlement.
Clause 119.Offices of Commissioner and Parliamentary Commissioner can be held concurrently
Permits a person to be appointed concurrently to the offices of Commissioner and
Parliamentary Commissioner. Schedule 5 to this Act sets out matters relevant to a
concurrent appointment.
Division 2 -- Functions and powers of Commissioner
Clause 120.Functions of Commissioner
Sets out the functions of the Privacy and Information Commissioner. These include--
to promote understanding of and compliance with the IPPs and HPPs;
to audit an organisation's records of personal and health information to ascertain
whether the records are maintained in accordance with the IPPs, the HPPs or any
applicable code of practice;
to review an organisation's procedures for handling personal or health information to
determine whether or not the information is being handled in accordance with the Act;
to review an organisation's procedures for giving access to or amending health records;
to review the operation of approved codes of practice;
to report to the Minister on the privacy implications of proposed legislation;
to report to the Minister on the privacy implications of developments in data processing
and computer technology;
to make recommendations to the relevant Minister on the need for or desirability of
legislative or administrative action in the interests of privacy;
to assist the public and organisations on matters relevant to the Act; and
other functions given to the Commissioner under this Act and the FOI Act.
Clause 121.General powers of the Commissioner
Provides that the Commissioner has all the powers necessary to perform the functions of the
Commissioner.
Clause 122.Powers relating to audit or review
Sets out the powers of the Commissioner in the exercise of his/her audit or review functions.
These include that the Commissioner may give a person a notice requiring the person to
provide information or produce a document relevant to the audit or review to the
Commissioner. The Commissioner may also give a person a notice requiring that the person
appear before the Commissioner and the Commissioner may examine that person under oath
or affirmation.
Clause 123.Commissioner to report on audit or review
Requires the Commissioner to prepare a report on an audit or review as soon as practicable
after completion and to give a copy to each organisation affected. The report may include
recommendations and the Commissioner may request that the organisation inform him or
her of the steps taken or proposed to give effect to the recommendations, or its reasons for
not taking or proposing to take such steps.
Page 20 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 124.Delegation
Permits the Commissioner to delegate to a Deputy Commissioner or member of staff any
power or duty of the Commissioner under this Act or the FOI Act except his or her powers:
to submit a code of practice to the relevant Minister for approval cl.61(1); to decide not to
deal with a complaint, or to stop dealing with a complaint cl.73(1); to refer a complaint to
the SAT if the Commissioner decides not to deal with it cl.75(3); to produce a health
record for inspection so the Commissioner can consider if it contains protected matter
cl.84; to refer an unresolved complaint to the SAT cl.85(3); to approve the disclosure of
information held by an agency to a person or body other than an agency cl.103(1); to not
deal with a complaint FOI Act s.67(1); to refer a complaint to the SAT if the
Commissioner decides not to deal with it FOI Act s.67B(3); to require an agency to
produce a document for inspection so the Commissioner can consider whether the document
contains exempt matter or is a document of the agency FOI Act s.75; or to refer an
unresolved complaint to the SAT FOI Act s.76(3). Proscribes sub-delegation.
Division 3 -- Reports to Parliament
Clause 125.Annual report under Financial Management Act 2006 to include certain information
Specifies information that must be included in the annual report of the Commissioner
required under Part 5 of the Financial Management Act 2006.
Clause 126.Special reports
Permits the Commissioner to prepare a special report on any matter arising in connection
with the performance of his or her functions and to submit the report to both Houses of
Parliament. Sets out the procedure to be followed in respect of the submission of a special
report to a House of Parliament in the event that the House is not sitting.
Part 8 -- Miscellaneous
Clause 127.Deceased individuals
Permits an authorised representative or legal representative of a deceased individual to
exercise a right or power conferred on that individual under Part 3 or 5 of the Act, or by an
IPP or HPP.
Clause 128.Capacity of authorised representative to give consent
Permits an authorised representative of an individual to give consent under any IPP or HPP
in respect of the doing of any thing, where the individual is incapable of giving consent. An
individual is incapable of giving consent if, despite the provision of reasonable assistance by
another person, he or she is incapable of understanding the general nature and effect of
giving the consent, or communicating the consent or refusal of consent, by reason of age,
illness, physical impairment or mental disability.
Clause 129.Protection from legal action -- access to health records
Protects --
the State, an organisation, an officer or employee of an organisation from an action for
defamation or breach of confidence in respect of a decision to give access or the giving
of access;
the author of the health record or any other person who supplies the record to an
organisation from an action for defamation or breach of confidence in respect of any
publication involved in or resulting from the giving of access; and
a person who gives access to a health record or a person who provides access to a health
record in accordance with that decision from criminal liability,
Page 21 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
if the decision to give access to the health record under the Act is made in good faith in the
belief that the Act permits or requires the decision to be made.
Clause 130.Restrictions under other laws not applicable
Establishes that no legal obligation to maintain secrecy or not to disclose information
applies to disclosure of information by an organisation for the purposes of dealing with a
complaint (Part 5 Division 2) or the exercise of the Commissioner's functions and powers
under Part 7, Division 2.
Also establishes that legal professional privilege does not apply to the production of
documents or the giving of evidence for the purposes of Part 5 Division 2 or Part 7 Division
2.
Provides that, subject to the above, a party to conciliation proceedings or a person who
complies with an audit or review requirement has the same privileges in relation to giving
evidence and production of documents that he or she would have as a witness in a court.
Clause 131.Confidentiality of information
Provides that except when required for the purposes of legal proceedings arising under or in
relation to this Act or the FOI Act, a person who is or has been Commissioner, a Deputy
Commissioner or a member of staff (a "relevant person") cannot be required to disclose
"confidential information" (as defined in the clause) in court or judicial proceedings.
Permits the Commissioner, a Deputy Commissioner or an authorised member of the
Commissioner's staff to disclose confidential information, other than confidential
information that is exempt matter for the purposes of the FOI Act, to the Parliamentary
Commissioner, the Deputy Parliamentary Commissioner or an authorised member of the
Parliamentary Commissioner's staff if the information concerns a matter that is relevant to
the functions of the Parliamentary Commissioner.
Provides that a relevant person who discloses confidential information other than in the
circumstances contemplated in this clause, or who takes advantage of confidential
information to benefit him/herself or another person, commits an offence.
Clause 132.Protection from liability for wrongdoing
Protects the Commissioner, a Deputy Commissioner or a member of staff from an action in
tort for anything done, or omitted to be done, in good faith, by that person in the
performance or purported performance of a function under this Act or the FOI Act, and
relieves the State of any liability in these circumstances.
Clause 133.Failure to provide information or document or to appear
Creates an offence and establishes penalties for refusal or failure of a person to comply with
a requirement to give information to the Commissioner or produce a document to the
Commissioner or attend before the Commissioner or a conciliator.
Clause 134.Regulations
Permits the Governor to make regulations. In the case of regulations in respect of fees and
charges, requires that regard be had to the need to ensure that fees and charges are
reasonable.
Clause 135.Review of the Act
Requires the Minister to conduct a review of the operation and effectiveness of the Act
every 5 years and to table a report of the review before both Houses of Parliament.
Page 22 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Part 9 -- Amendment of other written laws
Division 1 -- Freedom of Information Act 1992
Clause 136.The Act amended
Specifies that the amendments in this Division are to the FOI Act.
Clause 137.Part 4 Division 1 repealed
Repeals Part 4 Division 1 of the FOI Act ("Information Commissioner"). Provisions
relating to the office of Privacy and Information Commissioner are contained in Part 7
Division 1 of this Act.
Clause 138.Heading to Part 4 Division 2 amended
Amends the heading to Part 4 Division 2 of the FOI Act ("Functions of the Information
Commissioner") as this Act provides that the functions of the former office of Information
Commissioner are those of the Commissioner appointed under this Act.
Clause 139.Section 63 amended
Amends s.63 of the FOI Act ("Functions of Commissioner") to delete reference to the
"main" function of the Commissioner, as cl.117 of this Act provides that the functions of the
Commissioner appointed under this Act include functions given to the Commissioner under
the FOI Act.
Clause 140.Section 64 repealed
Repeals s.64 of the FOI Act ("General powers") as cl.120 of this Act specifies that the
Commissioner appointed under this Act has all the powers necessary to perform his or her
functions. These include functions both in respect of this Act and the FOI Act (cl.119).
Clause 141.Heading to Part 4 Division 4 amended
Amends the heading to Part 4 Division 4 of the FOI Act ("General provisions as to the
Information Commissioner and staff") with the effect that the heading refers to the
Commissioner appointed under this Act.
Clause 142.Section 79 repealed
Repeals s.79 of the FOI Act ("Delegation") as cl.123 of this Act permits the Commissioner
to delegate powers or duties under this Act or the FOI Act except for certain specified
powers and duties.
Clause 143.Section 80 repealed
Repeals s.80 of the FOI Act ("Commissioner and staff not to be sued") as protection for the
Commissioner and staff from liability for wrongdoing is provided by cl.131 of this Act.
Clause 144.Section 82 repealed
Repeals s.82 of the FOI Act ("Secrecy") as cl.130 of this Act contains an equivalent
provision that applies in respect of both this Act and the FOI Act.
Clause 145.Section 111 amended
Amends s.111 of the FOI Act ("Report to Parliament") to refer to the report referred to in
cl.124 of this Act. The report referred to in cl.124 is required to include the matters referred
to in s.111 of the FOI Act (cl.124(2)(h)).
Page 23 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 146.Schedule 2 amended
Amends the list of Exempt agencies in Schedule 2 to the FOI Act to include reference to the
Commissioner under this Act and to delete reference to the FOI Commissioner as provisions
relating to the office of Commissioner are contained in Part 7 Division 1 of this Act.
Clause 147.Glossary amended
Amends the Glossary to the FOI Act by inserting a definition of "Commissioner" which
refers to the office of Commissioner established under this Act.
Division 2 -- Parliamentary Commissioner Act 1971
Clause 148.The Act amended
States the amendments in this Division are to the Parliamentary Commissioner Act 1971.
Clause 149.Section 4 amended
Inserts a definition of "remuneration" in section 4 ("Definitions") of the Parliamentary
Commissioner Act 1971. The amendment is a result of the amendment to s.5 of that Act by
cl.150 of this Act.
Clause 150.Section 5 amended
Repeals s.5(5) and s.5(6) of the Parliamentary Commissioner Act 1971 and inserts a
provision that requires the remuneration of the Commissioner and Deputy Commissioner
under that Act to be determined by the Salaries and Allowances Tribunal. (The
remuneration of the Commissioner and Deputy Commissioner under this Act is to be
determined by the Salaries and Allowances Tribunal (cl.108 and cl.112).) Amends s5(7) of
the Parliamentary Commissioner Act 1971 so that it is consistent with cl.109 of this Act.
These amendments are consequential on cl.119 and cl.152 of this Act which permit the
offices of Parliamentary Commissioner and the Commissioner under this Act to be held
concurrently.
Clause 151.Section 7 amended
Amends Parliamentary Commissioner Act 1971 s.7 by deleting references to "such
travelling and other allowances" and substituting a reference to "other terms and conditions
of service".
Clause 152.Section 12A inserted
Inserts a new s.12A into the Parliamentary Commissioner Act 1971 so that the offices of
Parliamentary Commissioner and of the Commissioner under this Act may be held
concurrently. In the event of a concurrent appointment, the provisions of Schedule 5 to this
Act apply.
Clause 153.Section 22B amended
Amends the Parliamentary Commissioner Act 1971 s.22B to permit the disclosure of
information obtained by the Parliamentary Commissioner, Deputy Parliamentary
Commissioner or a member of the Parliamentary Commissioner's staff in the course of, or
for the purpose of, an investigation under that Act, to the Privacy and Information
Commissioner, a Deputy Privacy and Information Commissioner, or an authorised member
of staff of the Privacy and Information Commissioner if the information concerns a matter
relevant to the functions of the Commissioner under this Act.
Page 24 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 154.Section 31 amended
Amends the Parliamentary Commissioner Act 1971 s.31 to increase the "General penalty"
for an offence under that Act from $1,000 to $6,000 consistent with the penalty for an
offence under cl.131 and cl.133 of this Act.
Clause 155.Schedule 1 amended
Amends Schedule 1 ("Entities, and extent, to which this Act does not apply") to the
Parliamentary Commissioner Act 1971 by inserting reference to the Privacy and
Information Commissioner in place of Information Commissioner.
Division 3 -- Other Acts amended
Clause 156.Constitution Acts Amendment Act 1899
Amends the Constitution Acts Amendment Act 1899 by inserting reference to the Privacy
and Information Commissioner (in place of the Information Commissioner).
Clause 157.Financial Management Act 2006
Amends the Financial Management Act 2006 by inserting references to the Privacy and
Information Commissioner and the Information Privacy Act 2007 (in place of the
Information Commissioner and FOI Act).
Clause 158.State Records Act 2000
Amends the State Records Act 2000 by inserting a provision to the effect that the Privacy
and Information Commissioner is a member of the State Records Commission (in place of
the Information Commissioner).
Division 4 -- Amendment of subsidiary legislation
Clause 159.Power to amend subsidiary legislation
Confers a power on the Governor, on the recommendation of the Minister, to make
regulations amending subsidiary legislation under any Act that may be necessary or
desirable as a consequence of the enactment of this Act.
Part 10 -- Transitional provisions
Clause 160.Terms used in this Part
Defines terms used in Part 10.
Clause 161.Continuation of office
Provides for the office of Privacy and Information Commissioner to be a continuation of the
office of Information Commissioner under the FOI Act.
Clause 162.Staff of former Commissioner
Provides for a person who immediately before commencement of this Act was a member of
staff of the Information Commissioner under the FOI Act to become a member of staff of
the Privacy and Information Commissioner under this Act at commencement on the same
terms and conditions.
Clause 163.References to former Commissioner
Provides that a reference in a written law, other document or instrument to the former
Information Commissioner may be read as a reference to the Commissioner under this Act.
Page 25 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Schedule 1 -- Public organisations
Lists persons, bodies and offices that are "public organisations" for the purposes of the Act.
Schedule 2 -- Exempt organisations
Lists persons, bodies and offices that are "exempt organisations" for the purposes of the Act.
In general, the Act does not apply to exempt organisations. However the disclosure of
information by an exempt organisation, in the circumstances specified in Part 6, may attract
the protection from liability for disclosure in cl.104 of this Act.
Schedule 3 -- Information privacy principles
IPP 1. Collection
Governs how a public organisation may collect personal information. In general, personal
information must only be collected if it is necessary for one or more of the organisation's
functions or activities.
IPP 1(1) limits the collection of personal information to that which is necessary to be
collected for one or more of the functions or activities of the organisation.
IPP 1(2) requires a public organisation to collect personal information only by lawful and
fair means and not in an unreasonably intrusive way.
IPP 1(3) specifies that where it is reasonable and practicable, collection of personal
information must only be from the individual concerned.
IPP 1(4) requires a public organisation to ensure that the person to whom the information
relates is made aware of, among other things, the purposes for which the information is
collected and to whom the public organisation usually discloses information of that kind,
except where making the person aware would pose a serious threat to the life, health,
safety, or welfare of any individual.
IPP 1(5) prescribes what a public organisation must do if it collects personal information
about an individual from someone else (other than an authorised representative of the
individual).
IPP 2. Use and disclosure
Governs the use and disclosure of personal information by public organisations. In general,
organisations must only use or disclose personal information for the purpose for which it
was collected under IPP 1(1).
IPP 2(1)(a) to (j) set out the circumstances in which an organisation may use or disclose
personal information for a purpose other than the purpose for which the information was
collected. By way of example, personal information may be used or disclosed for another
purpose if: the individual consents IPP 2(1)(b); or the disclosure is required by law IPP
2(1)(c); or the organisation reasonably believes that the use or disclosure is necessary for
the performance of one or more of the law enforcement functions of a law enforcement
agency IPP 2(1)(h), or for one or more of the licensing functions of a licensing agency
IPP 2(1)(i); or the disclosure is to a person for the purpose of research in relation to the
person's Aboriginal family history IPP 2(1)(j)(i).
IPP 2(2) requires the organisation to make a record if the use or disclosure is for a purpose
other than that for which the information was collected.
IPP 2(3) permits use or disclosure of personal information in limited circumstances if the
individual is dead, missing or injured and incapable of consenting.
Page 26 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
IPP 2(4) provides that if the disclosure is to a person outside the State, the requirements of
IPP 8 must also be met.
IPP 2(5) makes clear that IPP 2 does not prevent the disclosure of personal information by a
public organisation to the Minister responsible for the administration of that organisation.
IPP 3. Data quality
Requires a public organisation to take reasonable steps to ensure that the personal
information it collects, uses or discloses is accurate, complete and up to date.
IPP 4. Data security
Requires a public organisation to take reasonable steps to ensure that the personal
information it holds is protected from misuse, loss and unauthorised access, modification or
disclosure, or, subject to the State Records Act 2000, is destroyed or de-identified if it is no
longer needed.
IPP 5. Openness
Requires public organisations to clearly document their policies on management of
personal information and to make those policies available to anyone who asks. The
intention of the principle is to promote transparency.
Requires a public organisation to take reasonable steps, on a request by a person, to let that
person know, generally, what sort of personal information it holds, for what purposes and
how it handles that information.
IPP 6. Identifiers
Imposes limits on public organisations concerning the assignment, adoption, use and
disclosure of "identifiers" in relation to individuals.
IPP 6(1) prohibits a public organisation from assigning an identifier unless it is necessary
for that organisation to carry out any of its functions efficiently.
IPP 6(2) prohibits a public organisation from adopting an identifier that has been assigned
by another public organisation unless it is necessary for the organisation to carry out any of
its functions efficiently or the individual has consented to the adoption of the identifier.
IPP 6(3) prohibits a public organisation from using or disclosing an identifier that has been
assigned by another public organisation except in the circumstances specified.
IPP 6(4) prohibits a public organisation from requiring an individual to provide an
identifier in order to obtain a service unless the provision of the identifier is required or
authorised by law or in connection with the purpose (or a directly related purpose) for
which the identifier was assigned.
IPP 7. Anonymity
Preserves the right of an individual to remain anonymous when dealing with a public
organisation, where this is lawful and practicable.
IPP 8. Transborder data flows
Places limits on the disclosure of personal information by public organisations to persons
outside Western Australia.
A public organisation must not disclose personal information outside Western Australia
unless the requirements of IPP 2 are satisfied (IPP 2(4)) and one or more of the conditions
set out in paragraphs (a) to (g) of IPP 8 apply. For instance, IPP 8 permits a disclosure
outside Western Australia if the disclosure is required or authorised by law, the individual
consents, the disclosure is necessary for the performance of a contract, or the information is
relevant to the functions or activities of the person receiving the information and that
Page 27 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
person is subject to a law, administrative scheme or contract which imposes restrictions on
the handling of personal information that are substantially similar to the IPPs.
Schedule 4 -- Health privacy principles
HPP 1. Collection
Governs the collection of health information by public and private organisations.
HPP 1(1) prohibits the collection of health information about an individual unless the
information is necessary for one or more of the functions or activities of the organisation
and one or more of the circumstances specified in HPP 1(1) applies, for example: the
individual consents to the collection (HPP 1(1)(a)); the collection is required or
authorised by law (HPP 1(1)(b)); or the collection is necessary to lessen or prevent a
serious threat to an individual's life, health, safety or welfare (HPP 1(1)(f)(i)).
HPP 1(2) provides that an organisation must collect health information only by lawful and
fair means, and not in an unreasonably intrusive way;
HPP 1(3) requires an organisation to collect health information about an individual only
from that individual, if it is reasonable and practicable to do so.
HPP 1(4) provides that if health information is collected from an individual, the collecting
organisation must take reasonable steps to inform the individual of: who is collecting the
information; the fact that the individual may obtain access to the information; the purpose
of the collection; to whom the organisation usually discloses such information; any law
requiring collection of the information; and the main consequences if the information is not
provided to the organisation.
HPP 1(5) provides that if health information about an individual is collected from a third
person, the collecting organisation must take reasonable steps to inform the individual of
the matters listed in HPP 1(4) except in certain circumstances, for instance: if making the
individual aware would pose a serious threat to the life, health, safety or welfare of any
individual.
HPP 2. Use and disclosure
Governs the use and disclosure of health information. In general, an organisation must not
use or disclose health information for a purpose other than that for which it was collected.
HPP 2(1) prohibits the use or disclosure of health information for a purpose other than that
for which it was collected unless one or more of the circumstances specified in paragraphs
(a) to (q) applies. By way of example, health information may be used or disclosed for a
purpose other than the purpose for which it was collected if: the use or disclosure is for a
purpose related to the purpose for which the information was collected, and the individual
would reasonably expect such use or disclosure (HPP 2(1)(a)); the individual consents
(HPP 2(1)(b)); the use or disclosure is required or authorised by or under law (HPP
2(1)(c)); the organisation reasonably believes the use or disclosure is necessary to lessen or
prevent a serious and imminent threat to an individual's life, health, safety or welfare, or a
serious threat to public health or safety (HPP 2(1)(h)); the organisation reasonably believes
the use or disclosure is necessary to safeguard or promote the wellbeing of a child or a class
or group of children (HPP 2(1)(i)); the information is genetic information about an
individual which could be predictive of the health of another individual and the specified
other conditions are satisfied (HPP 2(1)(j) and (k)); the organisation suspects that unlawful
activity has been, is being, or may be, engaged in (HPP 2(1)(l)); or the organisation
believes that the use or disclosure is necessary for one or more of the law enforcement
functions of a law enforcement agency (HPP 2(1)(m)) or the licensing functions of a
licensing agency (HPP 2(1)(n)).
Page 28 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
HPP 2(2) provides that an organisation is not required to inform an individual of the
disclosure of their genetic information under HPP 2(1)(k)(ii) if the individual is aware of
that disclosure, and prohibits the organisation from informing the individual if to do so
could result in a serious threat to the life, health, safety or welfare of any individual.
HPP 2(3) requires the organisation to record any disclosure of health information under the
provisions of HPP 2(1)(l), (m) or (n).
HPP 2(4) permits disclosure of health information to another person in circumstances
where the individual is incapable of giving consent, and the disclosure is --
(a) to a relative, carer or authorised representative assisting with the health care of the
individual if the disclosures is necessary for the continued provision of that care or a
health service; or
(b) for compassionate reasons and is consistent with the expectations or wishes of the
individual; or
(c) to enable the individual's authorised representative to make decisions about the care of
the individual or to perform functions or duties relating to the individual.
HPP 2(5) permits use or disclosure of health information in limited circumstances if the
individual is dead, missing or injured and incapable of consenting.
HPP 2(6) provides that the requirements of HPP 8 must be met if the disclosure of health
information under HPP 2(1), 2(4) or 2(5) is to a person outside Western Australia.
HPP 2(7) makes clear that HPP 2 does not prevent the disclosure of health information by a
public organisation to the Minister responsible for the administration of that organisation.
HPP 3. Data quality
Requires an organisation to take reasonable steps to ensure that the health information it
collects, uses or discloses is accurate, complete and up to date.
HPP 4. Data security and data retention
Governs the storage and security of health information by an organisation.
Requires an organisation to take reasonable steps to protect health information it holds from
misuse, loss, unauthorised access, modification or disclosure (HPP 4(1)).
Requires a health service provider to retain, and not to destroy or delete, health information
about an individual unless the destruction or deletion is required or authorised by law (HPP
4(2)(a); or if not prohibited by any other law, if the destruction or deletion occurs more than
7 years after the last occasion on which the health service provider provided a health
service to the individual, or in the case of a health service provided to a child, the deletion
or destruction occurs after the individual reaches 25 years of age (HPP 4(2)(b)).
Requires a health service provider to keep a register of health information that has been
deleted, destroyed, or transferred to another person or organisation (HPP 4(3)).
Requires an organisation that is not a health service provider to destroy or permanently de-
identify health information if it is no longer needed for the purpose for which it was
collected or any other purpose authorised by this Act, or any other law (HPP 4(4)).
In the case of public organisations, the provisions of this clause concerning the destruction,
deletion or transfer of health information are subject to the State Records Act also applies.
HPP 5. Openness
Requires an organisation to document and make publicly available its policies on the
management of health information and how an individual may access, or seek correction of,
his or her health records.
Requires an organisation, on request, to inform an individual or his or her authorised
representative whether it holds health information relating to that individual, the steps
which must be taken to obtain access to that information or to have the information
Page 29 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
corrected, and in general terms, the nature of the information, the purpose for which it is
used and how the organisation handles the information.
HPP 6. Identifiers
Regulates the assignment, adoption, use or disclosure of "identifiers" in relation to an
individual.
Proscribes the assignment of an identifier to an individual unless it is necessary to enable
the organisation to carry out any of its functions efficiently.
Provides that a private organisation must not--
adopt an identifier that has been assigned by another organisation except if the individual
consents to the adoption of the identifier, or if the use or disclosure of the identifier is
required or authorised by or under law.
use or disclose an identifier assigned by another organisation unless: the disclosure is
required for the purpose for which it was assigned or a purpose referred to HPP 2(1)(c)
to (o); or the individual consents to the use or disclosure; or the disclosure is to the
public organisation which assigned the identifier to enable it to identify the individual.
Provides that a public organisation must not--
adopt an identifier that has been assigned by another public organisation unless it is
necessary to enable the public organisation to carry out any of its functions efficiently or
the individual consents to the adoption of the identifier;
use or disclose an identifier assigned by another organisation unless: the use or disclosure
is necessary to enable the public organisation to carry out any of its functions efficiently;
or the use or disclosure is necessary for the public organisation to fulfil its obligations to
the other organisation; or the use or disclosure is required for the purpose referred to in
HPP 2(1)(c) to (o); or the individual consents to the use or disclosure.
HPP 7. Anonymity
Preserves an individual's right to anonymity in his or her transactions with an organisation
where this is lawful and practicable.
HPP 8. Transborder data flows
An organisation is prohibited from disclosing health information outside the State unless
the requirements of HPP 2 are satisfied and one or more of the conditions set out in
paragraphs (a) to (g) of HPP 8 apply. For instance, a disclosure outside Western Australia
may be made if the disclosure is required or authorised by law; the individual consents; the
disclosure is necessary for the performance of a contract, or the information is relevant to
the functions or activities of the person receiving the information and that person is subject
to a law, administrative scheme or contract which imposes restrictions on the handling of
personal information that are substantially similar to the HPPs.
HPP 9. Transfer or closure of the practice of a health service provider
Prescribes what a health service must do with its health records when the practice or
business closes, is sold, transferred or amalgamated.
HPP 9(1) sets out what a health service provider, or the provider's legal representative if
the provider is deceased, must do in relation to the health information it holds when the
provider's practice or business closes, or is sold, amalgamated, transferred and the provider
will no longer be providing the health service in the new practice or business.
HPP 9(2) provides that in the event that a health service provider's practice is being sold,
amalgamated, transferred or closed down, if an individual requests the health service
provider to transfer his or her health information to another practitioner, then the
information must be made available to the other practitioner in accordance with HPP 10.
Page 30 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
HPP 10. Making health information available to other health service providers
Provides for an individual's health information to be made available to another health
service provider in certain circumstances.
HPP 10(1) requires a health service provider, upon written request by the individual or
another health service provider authorised by the individual, to give to the other practitioner
the individual's health information, or a copy or summary of that health information.
HPP 10(2) regulates the fee that may be charged for the provision of health information to
another health service provider.
Schedule 5 -- Concurrent appointment as Commissioner and
Parliamentary Commissioner
[cl. 118]
Clause 1. Term of office
Provides for the term of office of a person appointed to the offices of Commissioner under
this Act and Parliamentary Commissioner ("the offices").
Clause 2. Remuneration and other conditions of service
Provides for the remuneration and other conditions of service of a person appointed to the
offices.
Clause 3. Rights preserved
Preserves the rights of a person appointed to the offices.
Clause 4. Resignation from office
Provides that if a person who holds the offices resigns from one of the offices, he or she is
to be taken to have resigned from the other office.
Clause 5. Removal or suspension from office
Provides that if a person who holds the offices is removed or suspended from one of the
offices, he or she is to be taken to have been removed or suspended from the other office.
Makes similar provision in respect of such a person who is restored to one of the offices.
Clause 6. Applications of clauses 7 to 10
Provides that clauses 7 to 10 of Schedule 5 apply during, and in relation to, any period
when a person holds the offices.
Clause 7. Deputy Commissioners and Acting Commissioners
Provides that a direction given to a Deputy Commissioner under cl.112(4) of this Act may
include a direction as to functions under the Parliamentary Commissioner Act 1971, and a
direction given to the Deputy Parliamentary Commissioner under the Parliamentary
Commissioner Act may include a direction as to functions under this Act and the FOI Act.
In these circumstances, the Deputy Commissioner or Deputy Parliamentary Commissioner
has the powers, obligations, responsibilities and protections conferred on the Deputy
Commissioner under the Parliamentary Commissioner Act, or under this Act or the FOI
Act, as the case may be.
Permits a person to be appointed at the same time to act in the offices of Commissioner
under this Act and Parliamentary Commissioner under the Parliamentary Commissioner
Act.
Page 31 of 32
Information Privacy Bill 2007 Explanatory Memorandum (Bill LA 193-1)
Clause 8. Functions of staff
Provides for the holder of the offices to authorise a member of the Commissioner's staff
appointed under this Act to perform the functions of a member of the Parliamentary
Commissioner's staff, and vice versa. In these circumstances, the member of the
Commissioner's staff has the powers, obligations, responsibilities and protections conferred
on a member of the Parliamentary Commissioner's staff under the Parliamentary
Commissioner Act, and vice versa. An authorization may apply to the performance of
functions generally, or may be limited to the performance of functions in specified
circumstances.
Clause 9. Delegation
Provides for a delegation to be made--
under the Parliamentary Commissioner Act to a Deputy Commissioner under this Act as
if he or she were the Deputy Parliamentary Commissioner, or to a member of the
Commissioner's staff appointed under this Act as if he or she were a member of the
Parliamentary Commissioner's staff; and
under this Act to the Deputy Parliamentary Commissioner as if he or she were a Deputy
Commissioner, or to a member of the Parliamentary Commissioner's staff as if he or she
were a member of the Commissioner's staff.
Clause 10. Confidentiality provisions
Provides that the secrecy provisions set out in --
s.23 of the Parliamentary Commissioner Act 1971 apply to information obtained by a
Deputy Commissioner or a member of the Commissioner's staff in the course of, or for
the purposes of, an investigation under the Parliamentary Commissioner Act 1971 in the
same way that they apply to the Deputy Parliamentary Commissioner or a member of
the Parliamentary Commissioner's staff; and
cl.131 of this Act apply to a person who is or has been the Deputy Parliamentary
Commissioner or a member of the Parliamentary Commissioner's staff in the same way
that they apply to a person who is or has been a Deputy Commissioner or a member of
the Commissioner's staff.
s.23 of Parliamentary Commissioner Act 1971 and cl.131 of this Act do not prevent the
disclosure of information by the Parliamentary Commissioner, Deputy Parliamentary
Commissioner or a member of the Parliamentary Commissioner's staff to the Privacy
and Information Commissioner, Deputy Privacy and Information Commissioner and a
member of the Privacy and Information Commissioner's staff and vice versa.
------------------
Page 32 of 32