Issue Date: 29 April 2015€¦ · consent of the MCRI General Compliance Officer. If you have any questions in relation to your responsibilities in regards to privacy matters, please

Privacy Compliance Manual

Issue Date: 29 April 2015

Piper Alderman

Lawyers

Melbourne office

Level 24, 385 Bourke Street

Melbourne Vic 3000

Australia

t +61 3 8665 5555

f +61 3 8665 5500

www.piperalderman.com.au

Melbourne . Sydney . Brisbane . Adelaide

© Piper Alderman

Contents page

30517976v3 page i

1. Introduction 1

1.1 Overview 1 1.2 Purpose of this Privacy Compliance Manual 1 1.3 Scope of this Privacy Compliance Manual 2 1.4 Dealing with Contractors and Agents 2 1.5 Consequences of a contravention 2 1.6 Updating the Privacy Compliance Manual 3

2. Privacy Compliance Framework 4

2.1 Privacy legislation 4 2.2 What is “personal information”? 4 2.3 What is “sensitive information”? 5 2.4 What is “health information”? 6 2.5 What is a “Health Service” 6 2.6 Employee records 7

3. Open and transparent management of personal information 9

3.1 General overview 9 3.2 MCRI Privacy Policy 9

4. Collection of personal information 10

4.1 Collection of solicited personal information 10 4.2 Collection of solicited sensitive information 10 4.3 Dealing with unsolicited personal information 11 4.4 Dealing with children, young people and incapacity to give consent 12

5. Dealing with personal information 14

5.1 General use and disclosure 14 5.2 Use and disclosure of health information 15 5.3 Disclosure to related body corporates 16 5.4 Cross-border disclosures 16 5.5 Use for direct marketing 18 5.6 Adoption, use or disclosure of government related identifiers 21

6. Integrity, quality and security of personal information 23

6.1 Quality of personal information 23 6.2 Storage and retention of personal information 23 6.3 Security of personal information 23 6.4 Privacy Audits 24

7. Managing enquires, requests, complaints and incidents 25

7.1 General Overview 25 7.2 Dealing with requests for a copy of the MCRI Privacy Policy 25 7.3 Dealing with requests for access to personal information 25 7.4 Correction of personal information 28 7.5 Dealing with requests to destroy, delete or remove personal information and other

complaints generally 29 7.6 Anonymity 31 7.7 Verification of identity 31 7.8 Privileged documents or confidential documents 32

Contents page

30517976v3 page ii

8. Investigations and enforcement of privacy compliance obligations 33

8.1 The role of the Privacy Commissioner 33 8.2 Powers of the Privacy Commissioner 33 8.3 Investigations by the Privacy Commissioner 33 8.4 Dealing with notices from the Privacy Commissioner, subpoenas or legal warrants 35 8.5 Voluntary conciliation 37 8.6 Compulsory conferences 37 8.7 Penalties for failure to cooperate with an investigation/conference 38 8.8 Determinations by the Privacy Commissioner 38 8.9 Enforcement of determinations 39 8.10 Other adverse consequences 39

30517976v3 page 1

Privacy Compliance Manual

1. Introduction

1.1 Overview

This Privacy Compliance Manual is for internal use only and is part of a wider set of policies

and manuals which apply to the business operations of Murdoch Childrens Research Institute

and its related body corporates (MCRI). MCRI includes Victorian Clinical Genetics Services

(VCGS). As an officer, employee, contractor, agent, honorary, research associate or student

of, or assisting, MCRI (together MCRI Personnel), you are responsible for ensuring

compliance with MCRI’s polices and manuals including this Privacy Compliance Manual. This

Privacy Compliance Manual should not be provided to any third party without the written

consent of the MCRI General Compliance Officer.

If you have any questions in relation to your responsibilities in regards to privacy matters,

please contact the MCRI General Compliance Officer.

The MCRI General Compliance Officer is:

Neil Harker

Murdoch Childrens Research Institute

Royal Children's Hospital

Flemington Road

Parkville VIC 3052

Email: [email protected]

P: +613 8341 6340

F: +613 9348 1391

1.2 Purpose of this Privacy Compliance Manual

This Privacy Compliance Manual aims to give you a general understanding of:

(a) MCRI Personnel (including contractors, research associates and students)

compliance obligations under Privacy Act 1988 (Cth) (Privacy Act) and the Health

Records Act 2001 (Vic) (Health Records Act);

(b) alert you to conduct which may contravene MCRI’s privacy obligations;

(c) identify conduct and situations which increase the risk of a breach of MCRI’s privacy

obligations;

(d) assist you with identifying circumstances where legal advice is necessary; and

(e) provide general guidance for day-to-day business dealings.

This Privacy Compliance Manual is not intended to be a substitute for legal advice as to

whether MCRI’s conduct will or will not contravene the Privacy Act. If there is any uncertainty

as to whether any conduct complies with the Privacy Act, legal advice should be obtained.

30517976v3 page 2

1.3 Scope of this Privacy Compliance Manual

This Privacy Compliance Manual covers the following seven key areas:

(a) privacy compliance framework (see section 2 of this Privacy Compliance Manual);

(b) open and transparent management of personal information (see section 3 of this

Privacy Compliance Manual);

(c) collection of personal information (see section 4 of this Privacy Compliance Manual);

(d) dealing with personal information (see section 5 of this Privacy Compliance Manual);

(e) integrity, quality and security of personal information (see section 6 of this Privacy

Compliance Manual);

(f) managing enquires, requests, complaints and incidents (see section 7 of this Privacy

Compliance Manual); and

(g) investigations and enforcement of privacy compliance obligations (see section 8 of

this Privacy Compliance Manual).

1.4 Dealing with Contractors and Agents

The Privacy Act and Health Records Act may not automatically apply to contractors, agents,

honoraries, research assistants or students and their performance of acts for, or on behalf of,

MCRI but their actions can, on occasion, be construed as actions of MCRI. It is imperative

that all contractors, agents, honoraries, research assistants and students of, or assisting,

MCRI be contractually required to comply with the Privacy Act and Health Records Act (to the

extent required by MCRI) and MCRI’s Privacy Policy.

1.5 Consequences of a contravention

As of 12 March 2014, if a contravention of the Privacy Act is found, MCRI may be fined up to

$1,700,000. In addition, individuals (including MCRI Personnel) can also be held personally

liable for providing false or misleading statements or documents. Any MCRI Personnel found

to have knowingly contravened the Privacy Act by providing false or misleading statements or

documents, will not be indemnified by MCRI against a fine or the legal costs concerned with

defending such proceedings.

The Health Records Act may also impose a penalty of up to $442,830 (amount accurate for

2014/2015 financial year) on MCRI for the failure to comply with a compliance notice. MCRI

Personnel may also be personally fined where they do not cooperate with the Victorian Health

Services Commissioner, wilfully obstruct, hinder or resists the Victorian Health Services

Commissioner in performing its duties or providing false or misleading statements or

documents. Any fines or legal costs arising from such proceedings will not be indemnified by

MCRI.

If an individual suffers loss or damage as a result of a contravention of the Privacy Act or

Health Records Act, MCRI may be sued for compensation for that loss or damage. MCRI’s

legal costs will often be borne by MCRI. MCRI may also be required to pay an individual’s

legal costs. Legal costs for any investigation or subsequent legal proceedings can be

significant.

30517976v3 page 3

A contravention of the Privacy Act or Health Records Act can also have other adverse

consequences for MCRI, such as adverse publicity, substantial damage to MCRI’s reputation

and goodwill, disruption to MCRI’s business, reduced morale, increased time demands and

stress on individuals involved in investigations and any subsequent legal proceedings.

1.6 Updating the Privacy Compliance Manual

This Privacy Compliance Manual will be updated in response to changes in the law or

changes to MCRI’s systems or procedures. Updates to this Privacy Compliance Manual will

be published on MCRI’s intranet and available from the MCRI General Compliance Officer.

Any suggestions as to how this Privacy Compliance Manual or MCRI’s systems or procedures

can be improved, should be sent to the MCRI General Compliance Officer.

30517976v3 page 4

2. Privacy Compliance Framework

2.1 Privacy legislation

The Privacy Act regulates the minimum standards for dealing with personal information

required of organisations covered by the legislation.

MCRI is a covered organisation and is required to comply with the Australian Privacy

Principles (APPs). The APPs are a set of 13 principles regulating MCRI’s collection, use,

disclosure and handling of personal information from 12 March 2014 onwards.

Prior to 12 March 2014, MCRI was required to comply with the National Privacy Principles

(NPPs), a narrower set of principles regulating the collection, use, disclosure and handling of

personal information. When the APPs were put in place by changes to the Privacy Act, other

changes were also made, including increased powers of the Privacy Commissioner and new

penalties. This Privacy Compliance Manual incorporates these changes.

MCRI must also comply with the Victorian Health Records Act which sets out a set of 11

principles regulating MCRI’s collection, use, disclosure and handling of health information in

Victoria. These principles are known as the Health Privacy Principles (HPPs). The HPPs

contain similar obligations to the APPs, although the HPPs generally impose a lower standard

of obligation as compared to the APPs, as the HPPs were initially enacted to complement the

NPPs. However, in some circumstances the HPPs provide slightly different or more specific

obligations. This Privacy Compliance Manual notes those circumstances in the relevant

sections.

NPPs, APPs and HPPs

The NPPs, APPs and HPPs are all discussed throughout this Privacy Compliance Manual.

Unless otherwise stated in this Privacy Compliance Manual, to the extent that one set of

principles requires a higher standard of MCRI (pursuant to the HPPs, APPs or otherwise

under the Privacy Act or Health Records Act), this Privacy Compliance Manual has adopted

the higher standard for compliance.

2.2 What is “personal information”?

“Personal information” means information or an opinion about an identified individual, or an

individual whose identity can be reasonably be ascertained, whether the information or

opinion is true or not and whether the information or opinion is recorded in a material form or

not.

Personal information relates only to individuals (that is, natural persons) and not companies

or other organisations. However, personal information may relate to individuals working for

companies or organisations.

Personal information includes basic personal details such as a person’s:

(a) name;

(b) date of birth;

30517976v3 page 5

(c) address (including email);

(d) social media page; and

(e) telephone number.

Please note that, whilst a single piece of information may not necessarily identify an

individual, such information will still constitute personal information if the identity of the

individual can be reasonably ascertained from that information. (For example, an e-mail

address might be such that the identity of the person can be reasonably ascertained from it.)

The examples below are intended as an illustration only. They are not intended to be a

substitute for legal advice as to whether conduct will or will not contravene the Privacy

Act.

Example 1

Facts: An empty vial has a patient’s name on it.

Question: Does the vial contain personal information?

Answer: Yes. The information labelled on the vial relates to an identifiable person and as

such constitutes personal information.

Example 2

Facts: A research assistant of MCRI plots on a map of Melbourne the number of patients in

each suburb with a particular illness from each suburb in Melbourne.

Question: Does the map contain personal information?

Answer: Ordinarily, this information will not be personal information as it does not identify an

individual. However, if the individual’s identity can be reasonably ascertained when the map

is coupled with other generally accessible information, the map can constitute personal

information.

2.3 What is “sensitive information”?

“Sensitive information” is a special subset of personal information and includes information

about an individual’s:

(a) ethnicity;

(b) political opinions or memberships;

(c) religious or philosophical beliefs;

(d) membership of a professional trade association or trade union;

(e) gender or sexual orientation and practices;

30517976v3 page 6

(f) criminal record; and

(g) health information.

Greater obligations apply, under the Privacy Act, to the collection, use and disclosure of

sensitive information.

2.4 What is “health information”?

“Health information” is a subset of sensitive information and includes:

(a) information or an opinion about:

(1) the health or disability (at any time) of an individual; or

(2) an individual's expressed wishes about the future provision of health services

to him or her or the donation, or intended donation, of his or her body parts,

organs or body substances; or

(3) a health service provided, or to be provided, to an individual; and

(b) other personal information that is collected:

(1) in the course of providing a health service; or

(2) in connection with the donation, or intended donation, by the individual of his

or her body parts, organs or body substances; or

(3) that is genetic information that could be predictive of an individual’s health.

Health information will include:

(a) notes of an individual’s symptoms, diagnosis or treatment (including medical

certificates);

(b) test results;

(c) prescriptions and pharmaceutical purchases;

(d) dental records;

(e) an individual’s healthcare identifier collected to provide a health services; and

(f) other personal information (such as information about the individual’s gender, date of

birth, sexuality), collected to provide a health service to the individual.

2.5 What is a “Health Service”

“Health Service” means one of the following services or activities:

(a) an activity performed in relation to an individual that is intended or claimed (expressly

or otherwise) by the individual performing it:

30517976v3 page 7

(1) to assess, record, maintain or improve the individual’s health; or

(2) to diagnose the individual’s illness or disability; or

(3) to treat an individual’s illness or disability, or suspected illness or disability,

including dispersing or prescribing drug or medicinal preparation;

(b) a disability service, palliative care service or aged care service;

(c) the dispensing on prescription of a drug or medicinal preparation by a registered

pharmacist; or

(d) a service, or a class of service, provided in conjunction with an activity or service

referred to in the above paragraphs.

The example below is intended as an illustration only. It is not intended to be a


Act.

Example 3

Facts: A patient’s record details information about a patient’s medical condition and their

insurance details.

Question: Is the information in the patient’s record health information?

Answer: All information in the patient’s records will constitute health information if it is

collected by MCRI in the course of providing health services to the individual (including the

individual’s insurance details). As such this information will be subject to greater compliance

obligations.

2.6 What is a “Health service provider”

“Health service provider” means an organisation that provides a health service (as defined

above) in Victoria. VCGS is classified as a health service provider, as it provides diagnostic

services.

2.7 Employee records

Records of MCRI’s employees are generally exempt from the coverage of the Privacy Act. To

fall within the exemption, the record must be directly related to the employment relationship.

Such records may include:

(a) the engagement, training, disciplining, resignation or termination of employment of an

employee;

(b) the terms and conditions of employment of an employee;

(c) the employee's performance or conduct, hours of employment, salary or wages,

personal and emergency contact details;

30517976v3 page 8

(d) the employee's membership of a professional or trade association or trade union

membership;

(e) the employee's recreation, long service, sick, maternity, paternity or other leave; and

(f) the employee's taxation, banking or superannuation affairs.

Please take note that this exemption applies only to MCRI’s employees and does not cover:

(a) records collected during interviews from a prospective employee who does not

become an employee;

(b) records held about an employee outside the scope of the employment relationship; or

(c) records about contractors, subcontractors, honoraries, research collaborators or

students,

and as such those records may constitute personal information where the identity of the

person is reasonably apparent.

However, there is no exemption for employee “health information” under the Health Records

Act. Therefore, records such as a medical certificate provided by an employee as part of a

sick leave application should be dealt with by MCRI and VCGS in compliance with the privacy

obligations set out in this Privacy Compliance Manual.

In any event, even if certain records of MCRI’s employees are exempted from the Privacy Act,

employee records should be dealt with in the strictest confidence. Please contact Human

Resources if in doubt.



Act.

Example 4

Facts: A contractor to MCRI provides MCRI with a list of the names of each of their

employees that are likely to be on MCRI’s premises for the purpose of performing services to

MCRI.

Question: Is the contractor’s employees’ information exempt employee records under the

Privacy Act for MCRI?

Answer: No. Information held by MCRI about a contractor’s employees will not be an exempt

record.

30517976v3 page 9

3. Open and transparent management of personal information

3.1 General overview

MCRI is required to ensure that we manage personal information in an open and transparent

way and that our management of personal information is set out in the MCRI Privacy Policy.

The MCRI Privacy Policy contains (and is required to contain) information about:

(a) the kinds of personal information MCRI collects and holds;

(b) how MCRI collects and holds personal information;

(c) the purposes for which MCRI collects, holds, uses and discloses personal

information;

(d) how an individual may access personal information held by MCRI about the individual

and seek the correction of such information;

(e) how an individual may lodge a complaint about a breach of the Privacy Act, and how

MCRI will deal with such a complaint; and

(f) whether MCRI is likely to disclose personal information to overseas recipients and, if

so, the countries in which such recipients are likely to be located.

3.2 MCRI Privacy Policy

The MCRI Privacy Policy is available on our intranet, from the MCRI General Compliance

Officer, and on the MCRI website. All MCRI Personnel should familiarise themselves with the

MCRI Privacy Policy. A separate Website Privacy Policy is also available on our website for

our web users only.

30517976v3 page 10

4. Collection of personal information

4.1 Collection of solicited personal information

MCRI is only permitted to collect personal information that is reasonably necessary for the

performance of MCRI’s business activities. The term “collection” simply means the inclusion

of information in a record or publication (whether public or private). Additional conditions apply

to the collection of sensitive information (see section 4.2 of this Privacy Compliance Manual).

MCRI should use all reasonable endeavours to collect personal information about an

individual from that individual, unless it is impractical to do so. Collection of personal

information directly from individuals must be conducted in a manner that is fair, lawful and not

unreasonably intrusive.

If personal information is collected by MCRI, MCRI must take reasonable steps to ensure that

the individual is aware of the MCRI Privacy Policy including, but not limited to:

(a) how an individual may access their own personal information;

(b) how an individual may seek the correction of such information;

(c) how an individual may lodge a complaint about a breach of the Privacy Act; and

(d) how MCRI will deal with such a complaint.

The above notification requirement also applies where personal information is collected from

a third party and the individual has not been made aware of MCRI’s collection and the MCRI

Privacy Policy.

The MCRI General Compliance Officer is responsible for notifying third parties. If the MCRI

General Compliance Officer has any concerns as to the content of the notice or the process of

notification, legal advice should be obtained.

Capacity and Consent

Please take note that:

(a) the individual must have the capacity to consent to the collection; and

(b) consent must be given voluntarily and must be informed, specific and current.

Section 4.4 deals with specific situations where an individual may not be able to give

consent.

4.2 Collection of solicited sensitive information

In addition to the general requirements for collecting personal information, sensitive

information must only be collected where the person has given consent and the sensitive

information is reasonably necessary for MCRI’s business activities, unless:

(a) the collection is authorised by or under an Australian law (including the Privacy Act) or

a court/tribunal order; or

30517976v3 page 11

(b) the collection is reasonably necessary to establish or defend a legal or equitable

claim, or for a confidential alternative dispute resolution process; or

(c) the collection is believed to be necessary to lessen or prevent a serious threat to the

life, health or safety of any individual, or to public health or safety and it is

unreasonable or impracticable to obtain the individual’s consent to the use; or

(d) the collection is believed to be, necessary and the appropriate action to take in

response to an actual or suspected unlawful activity or misconduct of a serious

nature; or

(e) the use or disclosure is reasonably necessary for enforcement related activities of an

enforcement body such as:

(1) prevention, detection, investigation and prosecuting of crimes;

(2) conducting surveillance activities, intelligence gathering activities or

monitoring activities;

(3) the preparation for, or conduct of, proceedings before any court or tribunal, or

the implementation of court/tribunal orders.

Not-for-profits collections

MCRI may also collect sensitive information if the information:

(a) is collected by MCRI for the performance of activities consistent with its not-for-profit

status;

(b) solely relates to the members of MCRI or to persons who have regular contact with

MCRI’s activities (eg. donors); and

(c) at or before the time of collecting the information, MCRI has advised the person that

their information will not be disclosed to third parties without their consent and does

not do so.

The Privacy Act and Health Records Act also provide a limited exception where the

collection, use or disclosure of health information is necessary for public health or

public safety research, the health information cannot be de-identified, and it is

impracticable to obtain consent from the individual. In those circumstances consent

may not be required.

4.3 Dealing with unsolicited personal information

If MCRI receives personal information without requesting it, the MCRI General Compliance

Officer or, if he or she is not available, the Chief Operating Officer/Company Secretary should

be immediately informed.

The MCRI General Compliance Officer or the Chief Operating Officer/Company Secretary as

notified, must review the personal information and determine whether or not the personal

information received is desired by MCRI to be retained and/or used.

30517976v3 page 12

If the personal information is desired to be retained and/or used, MCRI should only retain

such personal information (where received in an unsolicited manner) if:

(a) the personal information could have been solicited from the individual directly; and

(b) MCRI have, unless it is unreasonable or impractical to do so, notified the individual of

our collection and provided the individual with, or directed the individual to, the MCRI

Privacy Policy. Legal advice should be obtained if it is deemed unreasonable or

impractical to notify the individual of the collection.

Otherwise, if the personal information is not desired to be retained or used by MCRI or the

personal information could not have been solicited by us directly, then MCRI must, as soon as

practicable, destroy the information (if it is lawful and reasonable to do so) or ensure that the

information is de-identified.



Act.

Example 5

Facts: A MCRI Personnel receives 100 unsolicited medical records of individuals.

Question: Can MCRI collect and retain this personal information?

Answer: No. The personal information should be destroyed (that is, irretrievably deleted

from operational systems) since there is no suggestion that the personal information could

not be solicited from the individuals directly and the personal information is sensitive

information.

4.4 Dealing with children, young people and incapacity to give consent

An individual may be unable to give consent for a number of reasons including because they:

(a) have limited decision making capacity due to a cognitive impairment, such as

dementia;

(b) are experiencing temporary incapacity, perhaps due to a physical or psychotic

condition or illness;

(c) are a young child; or

(d) are in an emergency situation, unconscious or in distress.

If consent is required, and an individual lacks capacity, you will need to consider whether

there is another person who can act on the individual's behalf. There may be a range of

options available, including:

(a) a guardian;

30517976v3 page 13

(b) a person with an enduring power of attorney that can be used in relation to the

individual's health;

(c) a person who has a statutory right or power to act on someone's behalf by virtue of

legislation; or

(d) a person who has been nominated in writing by the individual prior to becoming

incapacitated.

A lack of capacity or consent must not prevent the individual from missing out on necessary

healthcare. Any lack of consent should be recorded and any information collected from the

individual should be treated carefully to ensure their privacy rights are not undermined.

30517976v3 page 14

5. Dealing with personal information

5.1 General use and disclosure

If we hold personal information about an individual that was collected for a particular purpose

(primary purpose), such personal information must not be used or disclosed for another

purpose (secondary purpose) unless one of the following conditions are met:

(a) the individual has consented to the use or disclosure of the information;

(b) an individual would reasonably expect us to use or disclose the information for the

secondary purpose (and if the personal information is also sensitive information the

secondary purpose must be directly related to the primary purpose);

(c) the use or disclosure is, believed by us to be, necessary to lessen or prevent a

serious threat to the life, health or safety of any individual, or to public health or safety

and it is unreasonable or impracticable to obtain the individual’s consent to the use or

disclosure;

(d) the use or disclosure is authorised by, or under, an Australian law (including the

Privacy Act) or a court/tribunal order and a written record is kept of such use and

disclosure by the MCRI General Compliance Officer; or

(e) the use or disclosure is reasonably necessary to establish or defend a legal or

equitable claim, or for a confidential alternative dispute resolution process;

(f) the use or disclosure is, believed by us to be, necessary and the appropriate action to

take in response to an actual or suspected unlawful activity or misconduct of a serious

nature; or

(g) the use or disclosure is reasonably necessary for enforcement related activities of an

enforcement body such as:

(1) the prevention, detection, investigation and prosecuting of crimes;

(2) the conduct of surveillance activities, intelligence gathering activities or

monitoring activities; or

(3) the preparation for, or conduct of, proceedings before any court or tribunal, or

the implementation of court/tribunal orders,

and a written record is kept of such use and disclosure by the MCRI General

Compliance Officer.

The above principle does not apply to:

(a) health information except where a permitted health situation exists (see section 5.2 of

this Privacy Compliance Manual);

(b) direct marketing activities (see section 5.5 of this Privacy Compliance Manual); or

(1) adoption and use of government related identifiers (see section 5.6 of this

Privacy Compliance Manual); and

30517976v3 page 15

(c) it is preferred that written consent be obtained from the individual, where possible, to

ensure that MCRI’s right to use and disclose their personal information is clear and

unequivocal.

For all collections of information, consent to use and disclose the information should be

obtained, at the time of collection, from the individual by ensuring that the individual signs an

appropriate and ethically approved consent form.

5.2 Use and disclosure of health information

In addition to the general obligations relating to personal information, health information may

only be used for a secondary purpose if:

(a) it is for research, compilation or analysis of statistics, or relevant to public health or

public safety; and

(b) it is impracticable for the organisation to obtain the individual’s consent to the use or

disclosure; and

(c) the use or disclosure is conducted in accordance with any guidelines approved by the

Privacy Commissioner; and

(d) in the case of disclosure, we reasonably believe that the recipient of the health

information will not disclose the health information, or personal information derived

from that health information.

Use and disclosure for research

Where MCRI collects health information, otherwise than directly from the individual

with their consent, for research then MCRI must take reasonable steps to de-identify

the information if it is practical to do so.

The Guidelines indicate that removing an individual’s name may of itself not be

sufficient, but that a review of the adverse consequences of the disclosure

(including, any risk of embarrassment, humiliation or loss of dignity) must be taken

into account together with the practicality of de-identifying the information.

Modes of de-identifying data should be discussed with the approving HREC. Some useful resources on de-identifying data and personal information can also be found in the Guidelines (starting at B.85 on page 19) and in Privacy Business Resource 4 — De-identification of Data and Information available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-4-de-identification-of-data-and-information. As a general rule of thumb, whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.

30517976v3 page 16

5.3 Disclosure to related body corporates

MCRI is permitted to share and transfer personal information (other than sensitive

information) with its related body corporates.

MCRI’s related body corporates include:

(a) VCGS.

MCRI’s related body corporates are required to comply with the Privacy Act in relation to the

shared personal information. Further, MCRI is required to comply with the Privacy Act in

respect of personal information it receives from its related body corporates.

5.4 Cross-border disclosures

(a) General overview

In addition to general obligations relating to disclosure, MCRI may only transfer

personal information overseas where it has taken steps, reasonable in the

circumstances, to ensure the overseas recipient does not breach the Privacy Act or

the Health Records Act or it has satisfied one of the following exceptions:

(1) MCRI reasonably believes that the recipient is bound by a law or binding

scheme which protects privacy in a manner which is substantially equivalent

to the protection under the Privacy Act and the Health Records Act; or

(2) the individual has been specifically informed in the manner required by the

Privacy Act (including that APP8.1 will not apply) and consents to the transfer

and disclosure; or

(3) the transfer is required by Australian law or authorised by court/tribunal order

(a transfer required or authorised by overseas jurisdiction is not exempted); or

(4) other permitted general situations apply (including circumstances such as

involving threats to life, health or safety of an individual, public health,

unlawful activities or missing persons).

MCRI is required to ensure that it has taken reasonable steps to ensure the individual

from which it has collected personal information is aware of any overseas disclosure

at, or as soon as practicable after, the collection.

Generally, MCRI will notify individuals by obtaining their consent to cross-border

disclosures as part of the MCRI Privacy Policy. The MCRI General Privacy Policy (at

section 13) currently details countries to which recipients of any cross-border

disclosures are likely to be located.

All MCRI Personnel are required to:

(1) review the MCRI General Privacy Policy when dealing with overseas entities

and ensure that the country in which the entity resides or carries out its

business is detailed at section 13 of the MCRI General Privacy Policy; and

(2) promptly notify the MCRI General Compliance Officer:

30517976v3 page 17

(A) if MCRI are dealing with an overseas entity which resides, or carries

out business, in a country not listed in MCRI’s General Privacy Policy;

or

(B) if you are unsure as to whether an individual has been properly

notified about the cross-border disclosure.

Disclosure to cloud service providers

The Australian Information Commissioner has released Guidelines to the APPs

dated March 2015 (Guidelines). The Guidelines indicate that where the cloud

service provider is storing and managing the personal information, is contractually

restricted from using or disclosing the personal information (otherwise than providing

the information back to MCRI) and is obligated to require the same of any sub-

contractors, that will constitute a ‘use’ rather than a ‘disclosure’ under the Privacy

Act.

Take note that, even if disclosure to a cloud service provider is not deemed to be a

disclosure to an overseas entity for the purpose of the Privacy Act, all other privacy

principles relating to use of the personal information will still apply.

(b) Liability for overseas recipient

Under the APPs, if MCRI transfers and discloses personal information overseas,

MCRI must take reasonable steps to ensure that the recipient does not breach the

APPs and MCRI will be deemed to be liable for any breach by the recipient of the

APPs, unless:

(1) any of the exceptions specified in section 5.4(a) of this Privacy Compliance

Manual apply; or

(2) the overseas recipient has an Australian link.

A person or an organisation has an Australian link:

(1) if the person has Australian citizenship or permanent residence;

(2) if the organisation is formed, created, or incorporated in Australia; or

(3) if the organisation was not formed, created or incorporated in Australia, it

carries on business in Australia and the relevant personal information was

collected or at any time held in Australia.

This requirement will be of particular significance for MCRI’s dealing with information

technology service providers (including, in particular, software-as-a-service or cloud

computing providers) who may host relevant data overseas.

(c) Compliance with foreign laws

30517976v3 page 18

MCRI will not be in held in breach of the Privacy Act or the Health Records Act if its

overseas recipients are required to disclose personal information in accordance with a

foreign law or court/tribunal order.

5.5 Use for direct marketing


Personal information may only be used for direct marketing activities in circumstances

allowed under the APPs as detailed in this section 5.5 of the Privacy Compliance

Manual. Additional restrictions apply to the use of sensitive information for direct

marketing activities. Direct marketing activities may include promoting additional

goods and services to individuals who have provided their personal information to

MCRI.

(b) Use of personal information (other than sensitive information) for direct

marketing - prior to 12 March 2014

If the personal information of an individual was collected by MCRI for the primary

purpose of direct marketing, no further consent to use the personal information is

required.

Personal information collected by MCRI for a primary purpose other than direct

marketing can only be used for the secondary purpose of direct marketing if the

individual has consented to the use of their personal information for that purpose or,

otherwise, where:

(1) it is impracticable for MCRI to seek the individual’s consent before that

particular use; and

(2) MCRI does not charge an individual for giving effect to a request by the

individual not to receive direct marketing communications; and

(3) the individual has not made a request to the organisation not to receive direct

marketing communications; and

(4) in each direct marketing communication with the individual, the organisation

draws to the individual’s attention or prominently displays a notice that he or

she may express a wish not to receive any further direct marketing

communications; and

(5) each written direct marketing communication must set out MCRI’s business

address and telephone number, or if in the form of an electronic

communication, an email address at which MCRI can be contacted

electronically.

(c) Use of personal information (other than sensitive information) for direct

marketing - post 12 March 2014

Under the APPs, whether personal information (other than sensitive information) may

be used for direct marketing activities will depend upon MCRI satisfying one of the

below situations:

30517976v3 page 19

(1) MCRI has collected the personal information from the individual (who would

reasonably have expected the use or disclosure for direct marketing), MCRI

may use or disclose personal information for direct marketing if, and only if, all

of the following conditions also apply:

(A) MCRI’s has provided a simple means by which the individual may

easily opt-out of receiving future marketing correspondence; and

(B) the individual has not elected to opt-out; or

(2) MCRI has collected the personal information from the individual (who would

not reasonably have expected the use or disclosure for direct marketing),

MCRI may use or disclose personal information for direct marketing if, and

only if, all of the following conditions also apply:

(A) either consent has been obtained from the individual to use the

personal information for direct marketing or it was impracticable to

obtain that consent; and

(B) MCRI’s has provided a simple means by which the individual may

easily opt-out of receiving future marketing correspondence and in

each correspondence has drawn the individual’s attention to the opt-

out process (such statement should be prominent); and

(C) the individual has not elected to opt-out.

(3) MCRI has collected the personal information from a third party, MCRI may

use or disclose personal information for direct marketing if, and only if, all of

the following conditions also apply:

(A) either consent has been obtained from the individual to use the

personal information for direct marketing or it was impracticable to

obtain that consent; and

(B) MCRI’s has provided a simple means by which the individual may

easily opt-out of receiving future marketing correspondence and in

each correspondence has drawn the individual’s attention to the opt-

out process (such statement should be prominent); and

(C) the individual has not elected to opt-out.

(d) Use of sensitive information for direct marketing

MCRI may only use or disclose sensitive information for the purpose of direct

marketing the individual has consented to the use or disclosure of the information.

(e) Use of personal information provided under a Commonwealth contract for

direct marketing

Under the APPs, MCRI is permitted to use or disclose personal information for direct

marketing activities if:

(1) MCRI is subject to a contract with a Commonwealth government agency; and

30517976v3 page 20

(2) MCRI has collected the personal information in the performance of its

obligations (whether directly or indirectly) under that contract; and

(3) the use or disclosure is necessary to meet (whether directly or indirectly)

MCRI’s obligations under the contract.

(f) Opt-out from direct marketing

An individual may, at any time, elect to opt-out from:

(1) receiving direct marketing correspondence from MCRI (or any party engaged

by MCRI that carries out its direct marketing activities);

(2) receiving direct marketing correspondence from any third party to which

MCRI has disclosed their personal information to; or

(3) MCRI otherwise using its personal information for direct marketing activities.

If an individual elects to opt-out from direct marketing, MCRI must give effect to the

request promptly.

(g) Disclosure of source

Under the APPs, if MCRI has received personal information from a third party and

uses it for direct marketing activities, MCRI must, at an individual’s request, disclose

the source of that information. Any such request should be transferred or otherwise

directed to the MCRI General Compliance Officer.

In order for MCRI to comply with its obligations under the Privacy Act, the source of

any information from third parties used for direct marketing activities should be

recorded and such records maintained whilst the information is used (and for a

reasonable period thereafter to deal with any requests).

The MCRI General Compliance Officer must attend to all requests promptly and notify

the individual of the source within a reasonable period of time unless it is

impracticable or unreasonable to do so (in which case, legal advice should be

obtained).

(h) Interaction with other legislation

Under the APPs, the obligations relating to direct marketing in APP 7 will not apply to

the extent that any of the following legislation applies:

(1) the Do Not Call Register Act 2006 (Cth);

(2) the Spam Act 2003 (Cth); and

(3) any other Act of the Commonwealth, or a Norfolk Island enactment,

prescribed under the regulations to the Privacy Act.

30517976v3 page 21

5.6 Adoption, use or disclosure of government related identifiers


A government related identifier is a specific reference attributed or assigned by a

government agency to identify an individual. It will usually be a number or a series of

numbers, letters or symbols, such as a driver’s licence number or Medicare number.

MCRI must not adopt a government related identifier as its own identifier to identify an

individual unless it is required or authorised by, or under, an Australian law (including

the Privacy Act and Health Records Act) or a court/tribunal order. ABNs are explicitly

excluded from this obligation and may be so used.

The Privacy Act and Health Records Act permit the use and disclosure of government

related identifiers in any of the following circumstances:

(1) the use or disclosure is reasonably necessary for MCRI to fulfil obligations to

any governmental, semi-governmental, administrative, fiscal, statutory,

judicial or quasi-judicial body, department, commission, authority, tribunal,

agency or entity;

(2) the use or disclosure is authorised by or under an Australian law (including

the Privacy Act) or a court/tribunal order and a written record is kept of such

use and disclosure by the MCRI General Compliance Officer;

(3) the use or disclosure is, believed by us to be, necessary to lessen or prevent

a serious threat to the life, health or safety of any individual, or to public

health or safety and it is unreasonable or impracticable to obtain the

individual’s consent to the use or disclosure;

(4) the use or disclosure is, believed by us to be, necessary and the appropriate

action to take in response to an actual or suspected unlawful activity or

misconduct of a serious nature (provided that the disclosure would not be a

breach of confidence if disclosed by a health service provider);

(5) the use or disclosure is reasonably necessary to establish or defend a legal or

equitable claim, or for a confidential alternative dispute resolution process;

(6) the use or disclosure is reasonably necessary for enforcement related

activities of an enforcement body such as:

(A) prevention, detection, investigation and prosecution of crimes;

(B) conducting surveillance activities, intelligence gathering activities or

monitoring activities; or

(C) the preparation for, or conduct of, proceedings before any court or

tribunal, or the implementation of court/tribunal orders,

provided that the disclosure would not be a breach of confidence if disclosed

by a health service provider and a written record is kept of such use and

disclosure by the MCRI General Compliance Officer; or

30517976v3 page 22

(7) the use or disclosure is reasonably necessary for MCRI to verify the identity

of the individual for its activities or functions.

(b) Verification of identity

MCRI may require copies of identification documents (such as a driver’s licence or

passport) to check or verify an individual’s identity.

However, the identification documents collected by MCRI must only be used for the

purpose of verification and copies of the document (or a record of the driver’s licence

number or passport number) should not be retained by MCRI.

(c) Tax file numbers

Tax file numbers may only be requested, collected, used or disclosed by MCRI from

its employees or other third parties in accordance with the requirements under

taxation law, personal assistance law or superannuation law. Tax file numbers should

not generally be requested, collected, used or disclosed otherwise.

5.7 Adoption, use or disclosure of identifiers


The HPPs require MCRI to only assign identifiers to an individual as is reasonably

necessary to enable it to carry out any of its functions efficiently. An identifier (as

opposed to a government related identifier) is a specific reference that is assigned (or

otherwise adopted, used or disclosed) to an individual in conjunction with or in relation

to the individual's health information for the purpose of uniquely identifying that

individual. This requirement applies even if the identifier is only assigned once, and is

not subsequently used with or in relation to individual's health information again.

30517976v3 page 23

6. Integrity, quality and security of personal and health information

6.1 Quality of personal information and health information

MCRI must take reasonable steps to ensure that any personal information it collects, uses, or

discloses is accurate, complete and up-to-date. The accuracy, completeness and currency of

the information should be established at the time of collection, and reviewed when the

information is used or re-used, and when it is disclosed to another organisation. In relation to

health information, MCRI must periodically review this information to ensure it is accurate,

complete and up-to-date.

MCRI Personnel are not required to monitor dormant personal information. However, if

personal information has been collected and is no longer required, MCRI Personnel should

review section 6.2 of this Privacy Compliance Manual in respect to the storage and retention

of personal information.

In the event that information held by MCRI appears to be inaccurate, out of date, incomplete,

irrelevant or misleading, the issue should be referred to the MCRI General Compliance Officer

for investigation.

6.2 Storage and retention of personal information and health information

Personal information that is no longer required should be destroyed in accordance with

MCRI’s record retention policy. Any destruction of personal information (whether in hardcopy

or electronic form) must be undertaken in a secure manner. Hardcopies of personal

information should be either shredded or disposed of through a confidential waste disposal

service.

However, any health information held by a health service provider (such as VCGS) should not

be destroyed unless:

(a) the deletion is permitted, authorised or required by the regulations or any other law; or

(b) the deletion is not contrary to the regulations or any other law and occurs:

(1) if the health information was collected from an individual who was a child,

when the individual attains 25 years of age; or

(2) in any other case, more than 7 years after the date on which last health

service was provided to an individual,

whichever is later, provided that there is a written record of such deletion.

Legal advice should be obtained in the event that MCRI intends to delete health information

held by a health service provider.

6.3 Security of personal information

MCRI must take reasonable steps to protect personal information from:

(a) misuse, interference and loss; and

30517976v3 page 24

(b) unauthorised access, modification and disclosure;

What constitutes reasonable steps will depend upon the sensitivity of the personal information

being stored (including the potential detriment to the individual resulting from improper access

or use), the time and costs of implementing security systems relative to these risks, the

resources of MCRI and whether the security measure is in itself privacy invasive (for example,

an individual may be asked to supply more information than is necessary to identify

themselves). Higher levels of security may be required for sensitive information. If you have

any questions in relation to security responsibilities, please contact the MCRI General

Compliance Officer.

MCRI Personnel should ensure that personal information (including sensitive information and

health information) is kept in a secure location either in their office or saved electronically to

MCRI’s network. MCRI Personnel should access records of personal information only if they

have a legitimate need to access those records. MCRI Personnel must use their own

individual logons with passwords to access any records on the MCRI’s network. MCRI

Personnel who do not comply with these requirements shall face disciplinary action.

Data containing personal information should not be downloaded from the MCRI’s network to

portable devices unless required as part of a business process expressly approved by

management of MCRI (such as off-site data backup or archival purposes). Any data

containing personal information which is downloaded to a portable device should be

appropriately secured physically and the data should be encrypted. MCRI Personnel should

review section 6.2 of this Privacy Compliance Manual in respect to obligations relating to

storage and retention.

Legal advice should be obtained in the event that there is an inadvertent disclosure of

personal information to a third party or an authorised access by a third party to personal

information. Further, a request for access to personal information by a party external to MCRI

must be managed in accordance with section 7 of this Privacy Compliance Manual.

6.4 Privacy Audits

Privacy audits may be carried out by the MCRI General Compliance Officer, by completing

the Audit Report Form in Schedule 1. MCRI Personnel may also use the Audit Report Form

to check that they have considered all privacy obligations for a certain project. Privacy audits

should address the following at least:

(a) personal data and information collected, stored and distributed;

(b) primary / secondary information used and distributed;

(c) reasons of secondary collection of information;

(d) access and Security of information;

(e) sharing of information with anyone; and

(f) whether that information is current and necessary.

Any follow up action should be managed by the MCRI General Compliance Officer.

30517976v3 page 25

7. Managing enquires, requests, complaints and incidents

7.1 General Overview

(a) All requests for a copy of the MCRI Privacy Policy should be managed in accordance

with section 7.2 of this Privacy Compliance Manual.

(b) All requests:

(1) for access to personal information – should be managed in accordance with

section 7.3 of this Privacy Compliance Manual; and

(2) for correction of personal information – should be managed in accordance

with section 7.4 of this Privacy Compliance Manual.

(c) All request to destroy, delete, or remove (in whole or in part) any personal information

should be managed in accordance with section 7.6 of this Privacy Compliance

Manual.

(d) Any formal complaints or perceived breaches of privacy obligations should be

managed in accordance with section 7.6 of this Privacy Compliance Manual.

(e) Any notices from the Privacy Commissioner or any subpoenas or legal warrants

should be immediately referred to the MCRI General Compliance Officer or, if he or

she is not available, the Chief Operating Officer/Company Secretary and managed in

accordance with section 7.6 and 8 of this Privacy Compliance Manual (as applicable).

(f) Any other requests or issues concerning personal information should be referred to

the MCRI General Compliance Officer or, if he or she is not available, the Chief

Operating Officer/Company Secretary.

All enquires, request, complaints and incidents should be managed promptly and all

complaints and incidents must be taken seriously.

7.2 Dealing with requests for a copy of the MCRI Privacy Policy

If a copy of the MCRI Privacy Policy is requested by an individual, the individual must be

directed to the MCRI Privacy Policy freely available on our website. If the individual does not

have internet access, a hard copy of the MCRI Privacy Policy may be obtained from the MCRI

General Compliance Officer and made available to the individual. The MCRI Privacy Policy

must always be provided free of charge.

7.3 Dealing with requests for access to personal information

If the request is made in writing, the MCRI Personnel receiving a request for access to

personal information should refer the request directly to the MCRI General Compliance

Officer. If a request is made by telephone, the MCRI Personnel taking the call should:

(a) request that the individual provide written verification of their identity in accordance

with section 7.8 of this Privacy Compliance Manual to the MCRI General Compliance

Officer;

30517976v3 page 26

(b) take full details from the individual of their request;

(c) take the individual’s contact details;

(d) confirm with the individual that the MCRI General Compliance Officer will contact the

individual in respect of their request; and

(e) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI

Personnel, any contact details provided by the individual and the date that the request

was made.

The MCRI General Compliance Officer shall act on a standard request for access to personal

information as follows:

(a) the MCRI General Compliance Officer should provide written acknowledgement to the

individual of the request and confirm any applicable fees (if any) as soon as possible;

(b) the MCRI General Compliance Officer should provide an individual with access to

their own personal information within 14 days of the request for a straight forward

matter or within 30 days of the request for a more complicated matter, subject to the

following:

(1) the verification of the individual’s identity against information held by MCRI

(see section 7.8 of this Privacy Compliance Manual);

(2) where it is unlawful to provide the personal information;

(3) denying access is required or authorised by law or a court/tribunal order;

(4) where disclosure could pose a serious and imminent threat to the life or

health of that or any individual;

(5) where disclosure would have an unreasonable impact upon the privacy of

other individuals;

(6) where disclosure would reveal the intentions of MCRI so as to prejudice any

negotiations with the individual;

(7) where disclosure would disclose evaluative information generated in

connection with a commercially sensitive decision-making process;

(8) where disclosure would prejudice an investigation or taking action against

fraud, serious misconduct or other unlawful activity;

(9) where disclosure would prejudice prevention, detection, investigation,

prosecution and enforcement activities of, or legal proceedings by, an

enforcement body;

(10) where an enforcement body performing a lawful security function requests

denying access on the basis of national security; or

(11) where the request is frivolous or vexatious.

30517976v3 page 27

The MCRI General Compliance Officer should not provide access to personal

information where it relates to existing or anticipated legal proceedings, without first

obtaining legal advice as to whether such information would be discoverable in such

proceedings.

Access charges

MCRI may charge an individual a fee for granting access to the individual’s personal

information for:

(a) MCRI Personnel costs involved with collating information;

(b) reproduction costs; and

(c) costs involved in having MCRI Personnel explain the personal information to an

individual,

provided that such fees are not excessive, and, in the case if health information, are not

more than the fees prescribed in the Health Records Act and are clearly explained before

access is given. Further, any such fee must not relate to the lodgement of the request for

access by the individual (including any explanation of how access is given), costs involved

with MCRI Personnel checking whether or not MCRI holds any personal information of the

individual, any legal costs associated with reviewing a request or the correction of personal

information.

The MCRI General Compliance Officer may propose a reasonable fee having regard to:

(a) how the personal information is stored (electronic, paper based);

(b) where the personal information is stored (onsite, offsite)

(c) number of records required to be reproduced;

(d) costs incurred by MCRI for providing access;

(e) whether costs incurred by MCRI for providing access are reasonable given the

task required to be performed;

(f) capacity of the individual to pay (pensioner, student); and

(g) form in which the individual requests access.

Legal advice should be obtained to ensure that any proposed fee complies with the above

requirements.

Any fee for access to personal information shall be advised by the MCRI Compliance

Officer. The MCRI General Compliance Officer may at its sole election waive any approved

fee.

Please take note that, where electronic or hardcopy records are provided to an individual, only

copies of documents should be provided, unless official records are required by law or

court/tribunal order. If the provision of official records is required, release of such records

30517976v3 page 28

must be authorised by the MCRI General Compliance Officer, with a copy of all such

documents to be retained by MCRI.

If access to personal information is refused, the MCRI General Compliance Officer must notify

the individual, promptly, detailing:

(a) the reasons for the refusal (including any relevant obligation under the Privacy Act);

(b) the process for the individual to make a formal complaint with MCRI or to the Privacy

Commissioner about the refusal; and

(c) any other matter prescribed by the regulations.

Legal advice should be obtained in relation to any refusal to provide access to personal

information.

7.4 Dealing with request to make health information available to another health service

provider

Under the HPPs, a health service provider (such as VCGS) is required to provide a copy or a

written summary of an individual’s health information to another health service provider as

soon as practicable, if

(a) the individual requests VCGS to make available their health information to that health

service provider; or

(b) the individual has authorised the other health service provider to make a request for

such information on their behalf.

If these circumstances are satisfied, MCRI Personnel must follow the same principles outlined

at section 7.3 above for dealing with requests for access from individuals.

Example 1

Facts: A general practitioner contacts VCGS seeking the medical and diagnostic records of

a mutual patient. The general practitioner provides the patient’s written consent for VCGS to

provide the records to the general practitioner.

Question: Can and should VCGS provide the general practitioner with this information?

Answer: Yes, VCGS is required to provide the information as soon as practicable, as the

individual has given their consent. If VCGS intends to charge a fee to the general practitioner

or the individual, it should consult with the MCRI General Compliance Officer and obtain

legal advice before doing so, to ensure the fee complies with the Health Records Act and

Privacy Act.

7.5 Correction of personal information

If a request to correct personal information is made in writing, the MCRI Personnel receiving

the request should refer the request directly to the MCRI General Compliance Officer. If a

request is made by telephone, the MCRI Personnel taking the call should:

30517976v3 page 29



Officer;




individual in respect of their request; and

(e) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI


was made.

Upon receipt of a request to correct personal information, the MCRI General Compliance

Officer should promptly:

(a) provide written acknowledgement to the individual of the request;

(b) verify the individual’s identity against information held by MCRI (see section 7.8 of this

Privacy Compliance Manual);

(c) process any request for correction of the individual’s personal information within a

reasonable period;

(d) if the personal information has been disclosed to third parties, notify the individual that

it will take reasonable steps to update its details with any related party; and

(e) take all other such steps (if any) as are reasonable in the circumstances to correct as

reasonably required, having regard to the purpose for which it is held.

Legal advice should be obtained in relation to any refusal to correct personal information.

If a MCRI Personnel otherwise becomes aware that any personal information held is

inaccurate, out-of-date, incomplete, irrelevant or misleading, the MCRI Personnel must notify

the MCRI General Compliance Officer and the MCRI General Compliance Officer should take

reasonable steps to correct any such personal information, having regard to the purpose for

which the information is held.

If MCRI corrects personal information about an individual and MCRI has disclosed such

information to a third party, MCRI must, at the individual’s request, take such steps (if any) as

are reasonable in the circumstances to notify the third party of the change unless it is

impracticable or unlawful to do so.

MCRI must not charge for the correction of any personal information.

7.6 Dealing with requests to destroy, delete or remove personal information and other

complaints generally

Please take note that any notices from the Privacy Commissioner or any subpoenas or legal

warrants should be immediately referred to the MCRI General Compliance Officer or, if he or

30517976v3 page 30

she is not available, the Chief Operating Officer/Company Secretary and dealt with in

accordance with section 8 of the Privacy Compliance Manual.

If a request to destroy, delete or remove personal information or a complaint is made in

writing by an individual, the MCRI Personnel receiving the request should refer the request

directly to the MCRI General Compliance Officer. If a request is made by telephone, the MCRI

Personnel taking the call should:



Officer;




individual in respect of their request;

(e) complete items 1, 2, 3, 4 and 5 (to the extent possible) of the Privacy

Complaint/Incident Form in Schedule 2 and send the completed copy to the MCRI

General Compliance Officer; and

(f) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI


was made.

Upon receipt of a request to destroy, delete or remove personal information or a complaint,

the MCRI General Compliance Officer should promptly:

(a) consider the request or complaint;

(b) complete the Privacy Complaint/Incident Form in Schedule 2 detailing all relevant

actions to be taken by MCRI in response to the request / complaint as soon as

possible;

(c) obtain legal advice as to any action to be taken;

(d) make a recommendation to the Chief Operating Officer/Company Secretary of any

actions recommended by the MCRI General Compliance Officer to be taken including:

(1) a written response to the complainant (including, to request further

information or to refuse any request to remove or delete personal

information);

(2) an apology to the complainant;

(3) deleting / destroying personal information of the complainant;

(4) an offer of compensation to the complainant;

(5) reviewing of MCRI policies, practices or systems; or

30517976v3 page 31

(6) training (or further training) for MCRI Personnel;

(e) obtain approval from the Chief Operating Officer/Company Secretary before taking

any recommended action; and

(f) notify the complainant of MCRI’s response to the complaint (including any actions

taken by MCRI in response to the complaint).

7.7 Anonymity

We must give individuals the option of not identifying themselves, or of using a pseudonym,

when dealing with us, unless it is unlawful or impracticable to deal with the individual who has

not identified themselves or who has used a pseudonym. An individual would be able to

remain anonymous or use a pseudonym:

(a) for one-off enquires to the MCRI, which do not require MCRI to access personal

information;

(b) where a person requests information to be provided and that information can be

provided without accessing personal information (for example, a request for a copy of

the MCRI Privacy Policy); or

(c) where general market surveys are conducted.

7.8 Verification of identity

In order to verify the identity of an individual, the MCRI Personnel can ask the individual for

any of the following information:

(a) full name;

(b) date of birth;

(c) e-mail address;

(d) current address; and

(e) current phone number.

However, MCRI Personnel should not require an individual to supply more information than is

necessary to identify themselves.

The information provided by the individual should be compared against information held by

MCRI. For telephone enquiries, where possible, a question about some other information held

by MCRI about the individual should also be used to confirm the identity of the individual.

If the identity of the person cannot be confirmed, a copy of identification documents (such as

a copy of a driver’s licence) may need to be requested and the matter should be referred to

the MCRI General Compliance Officer.

30517976v3 page 32

7.9 Privileged documents or confidential documents

Generally, communications between MCRI and its legal advisers for the dominant purpose of

obtaining legal advice and/or preparation for or use in pending or contemplated litigation are

subject to legal professional privilege. No access to such communications should be given to

any third party (including any individual to whom those communications relate) unless the

Chief Operating Officer/Company Secretary has given prior written approval of the disclosure

and legal advice from MCRI’s lawyers has been obtained.

30517976v3 page 33

8. Investigations and enforcement of privacy compliance obligations

8.1 The role of the Privacy Commissioner

The main function and role of the Australian Privacy Commissioner (Privacy Commissioner)

is to ensure the proper handling of personal information in accordance with the Privacy Act.

This role includes day-to-day administration of privacy enquiries and complaints and

investigation of potential contraventions of the Privacy Act. The Privacy Commissioner may

also take civil enforcement action against a party in contravention of the Privacy Act.

The Privacy Commissioner has wide powers of investigation to obtain information, documents

and other evidence where it believes an act or conduct may constitute a contravention of the

Privacy Act and in particular the APPs (and, for conduct prior to March 2014, the NPPs).

Investigations by the Privacy Commissioner may arise as a result of a complaint by an

individual or at the Privacy Commissioner’s own initiative. The Privacy Commissioner’s

powers also include the ability to interview witnesses.

The Privacy Commissioner also has responsibility for providing guidance through education

papers, publications of guidelines on the rights and responsibilities under the Privacy Act to

assist organisations to comply with their obligations.

8.2 Powers of the Privacy Commissioner

The Privacy Commissioner has the power to:

(a) require the production of information and documents;

(b) require any MCRI Personnel to attend in person before the Privacy Commissioner for

the purpose of an investigation and be examined under oath or affirmation; and

(c) authorise an officer of the Privacy Commissioner (Authorised Representative) to

enter MCRI premises to inspect documents and make copies of them or to take

extracts.

8.3 Investigations by the Privacy Commissioner


Where an individual is concerned that any act or practice of an organisation may be

an interference with the privacy of that individual, he or she may choose to make a

complaint to the Privacy Commissioner. The Privacy Commissioner will not generally

investigate complaints where the individual has not, in the first instance, made a

complainant directly to the organisation and allowed the organisation at least 30 days

within which to respond. The Privacy Commission make directly investigate a

complaint where it is considered inappropriate for the individual to make a complaint

directly to the organisation.

The Privacy Commissioner may decide not to investigate, or to defer investigation of,

a complaint where:

(1) an act or practice is not an interference with the privacy of an in individual;

30517976v3 page 34

(2) the complaint was made more than 12 months after the individual became

aware of the act or practice;

(3) the complaint is frivolous, vexatious, misconceived or lacking in substance;

(4) the subject matter has been, or is being, dealt with adequately under other

laws;

(5) other laws provide a more appropriate remedy for the act or practice

complained of; or

(6) the individual has complained directly to the organisation and the organisation

has dealt, or is dealing, adequately with the complaint or the organisation has

not yet had an adequate opportunity to deal with the complaint.

Where the Privacy Commissioner decides not to investigate, or not to investigate

further, the Privacy Commissioner must as soon as reasonably practicable inform the

complainant and MCRI of this decision and the reasons for this decision.

The Privacy Commission may also make investigations without a formal complaint.

(b) Process of investigation

The Privacy Commissioner may make preliminary enquiries with MCRI or otherwise,

to determine whether the Privacy Commissioner has the power to investigate the

complaint or whether the Privacy Commissioner will, in his/her discretion, investigate

the matter.

If the Privacy Commissioner elects to commence an investigation, it will formally notify

MCRI of the investigation. The notification will include:

(1) the matter being investigated;

(2) a copy of any complaint;

(3) the relevant provisions of the Privacy Act; and

(4) the date MCRI’s response is due.

Notices will usually be addressed to the company rather than individual MCRI

Personnel. If MCRI receives a notice from the Privacy Commissioner, the MCRI

General Compliance Officer or, if he or she is not available, Chief Operating

Officer/Company Secretary should be immediately informed. The CEO of MCRI

should also be notified.

MCRI will usually have a limited period from receipt of notification to respond to the

Privacy Commissioner. MCRI will generally prepare a response in consultation with its

lawyers.

The Privacy Commissioner may make a determination on the information obtained

through its investigation and any complainant. If the determination is unfavourable, a

review of the determination may be sought within strict timeframes. As such, any

30517976v3 page 35

determination by MCRI to the Privacy Commissioner should be carefully considered

with MCRI’s lawyers.

8.4 Dealing with notices from the Privacy Commissioner, subpoenas or legal warrants


Notice will usually be addressed to the company rather than individual MCRI

Personnel. Any notices from the Privacy Commissioner or any subpoenas or legal

warrants should be should be immediately referred to the MCRI General Compliance

Officer or, if he or she is not available, the Chief Operating Officer/Company

Secretary.

The MCRI General Compliance Officer must, upon receipt of any notice from the

Privacy Commissioner, subpoena or legal warrant for production of documents:

(1) notify and obtain legal advice from MCRI’s lawyers;

(2) investigate all relevant documentation required to be produced pursuant to

the notice/subpoena/warrant;

(3) provide a copy of such documents to the Chief Operating Officer/Company

Secretary and to MCRI’s lawyers for their review;

(4) together with the the Chief Operating Officer/Company Secretary and to

MCRI’s lawyers, identify any privileged or confidential documents; and

(5) monitor, strictly, timeframes required for compliance.

Neither the MCRI General Compliance Officer nor any MCRI Personnel should

respond to any notice or hand over any documents or other records, without the prior

written approval of the MCRI’s lawyers.

Generally, communications between MCRI and its legal advisers for the dominant

purpose of obtaining legal advice and/or preparation for or use in pending or

contemplated litigation are subject to legal professional privilege. No access to such

communications should be given to any third party (including in response to any

subpoena or legal warrant) unless with the prior written approval of MCRI’s lawyers.

(b) Access to premises

All MCRI Personnel should immediately inform the MCRI General Compliance Officer

or, if he or she is not available, the Chief Operating Officer/Company Secretary, if any

representative of the Privacy Commissioner, the OIAC or any other regulator seeks to

enter MCRI premises. The CEO of MCRI should also be informed. The MCRI General

Compliance Officer or, if he or she is not available, the senior executive of MCRI

notified of the Authorised Representative's arrival, will have responsibility for all

dealings and discussions with the Authorised Representative.

MCRI Personnel must make reasonable access to facilities and documents available

to the Authorised Representative relevant to the complaint. MCRI should not, without

seeking legal advice, provide personal information about any other individual to the

Authorised Representative.

30517976v3 page 36

Please note that you will not be unduly obstructing or hindering of an Authorised

Representative if you advise him or her that you are unsure as to your obligations and

need to take advice. Accordingly, MCRI Personnel may speak with the MCRI General

Compliance Officer or MCRI’s lawyers to seek advice as to what to do in the

circumstances.

(c) Procedure for dealing with an Authorised Representative

MCRI Personnel should comply with any directions given by the MCRI General

Compliance Officer or MCRI senior executive responsible for dealings with the

Authorised Representative and extend the Authorised Representative the courtesy of

a working area in which to view documents and make copies or extracts as required.

Personal notes, internal memoranda, papers, files, board minutes, diaries and all

other relevant material may be requested by an Authorised Representative.

MCRI Personnel may be asked to provide access to office drawers, cabinets or safes.

Unless otherwise directed by the MCRI General Compliance Officer, that access

should be given.

If you are the MCRI General Compliance Officer or MCRI senior executive dealing

with the Authorised Representative, you should:

(1) arrange that the Authorised Representative's authority is photocopied and

retained;

(2) instruct other MCRI Personnel not to deal with the Authorised Representative

unless instructed to do so by you;

(3) take a note of every document and file shown to the Authorised

Representative;

(4) make a full written record of everything that is said both by you and the

Authorised Representative. You may request another person to be present to

make that record if necessary; and

(5) accept a written request from the Authorised Representative for specific

documents which have not been located in the course of the visit.

MCRI Personnel are not required to give verbal explanations during the course of a

visit by an Authorised Representative and should not:

(1) volunteer information or comment unnecessarily; or

(2) sign any statement or record prepared by the Authorised Representative

without first obtaining legal advice.

However, please take note that MCRI Personnel may be required by the Privacy

Commissioner to appear and provide a statement at a later date.

30517976v3 page 37

(d) Keeping records

The MCRI General Compliance Officer should maintain records of all dealings with

the Privacy Commissioner or any Authorised Representative in an accessible format

including:

(1) any request received by the Privacy Commissioner or an Authorised

Representative;

(2) any response (including documentation) provided by MCRI to the Privacy

Commissioner or an Authorised Representative; and

(3) a detailed record of any visit of any Authorised Representative. If the MCRI

General Compliance Officer is not in attendance at the time the Authorised

Representative attended MCRI’s premises, the senior MCRI Personnel

dealing with the Authorised Representative should prepare a detailed record

and promptly provide the report to the MCRI General Compliance Officer.

8.5 Voluntary conciliation

The Privacy Commissioner has the discretion to attempt to effect a settlement of the matters

that gave rise to the investigation by way of conciliation if the Privacy Commissioner considers

it appropriate to do so.

Conciliations are formal, structured discussions between the parties before a conciliator of the

Office of Australian Information Commission (OAIC), who acts as an independent third party

to help identify and discuss issues. Conciliations can occur at any stage of an investigation

and can remain confidential. While the Privacy Commissioner may encourage the parties to

undertake conciliation, each party has a choice whether to participate in conciliation. Further,

the conciliator cannot compel the parties to reach agreement. Legal advice should be

obtained if MCRI is considering conciliation.

If the parties elect to attend conciliation and cannot agree a resolution, the matter will be

referred back to the Privacy Commissioner for review and determination.

8.6 Compulsory conferences

The Privacy Commissioner has the power to direct MCRI, the complainant or any other

person whom the Privacy Commissioner believes could be of assistance to the investigation,

to attend a compulsory conference before the Privacy Commissioner. If MCRI is required to

attend a compulsory conference, an appropriate officer of MCRI with reasonable knowledge

of the affairs of MCRI and the subject matter should be in attendance. Legal advice should be

obtained if any direction for conciliation is made.

Compulsory conferences are conducted in private or otherwise at the discretion of the Privacy

Commissioner. The Privacy Commissioner may require a person attending a conference to

produce a document at the conference.

30517976v3 page 38

8.7 Penalties for failure to cooperate with an investigation/conference

Please take note that:

(a) MCRI refusing or failing, without reasonable excuse, to attend before the Privacy

Commissioner or to be sworn or make an affirmation when so required, may result in

a fine;

(b) any MCRI Personnel refusing or failing, without reasonable excuse, to attend before

the Privacy Commissioner or to be sworn or make an affirmation when so required,

may result in a fine or imprisonment (or both);

(c) any such MCRI Personnel furnishing information or making a statement to the Privacy

Commissioner, knowingly, that it is false or misleading in a material particular, may

result in a fine or imprisonment (or both);

(d) MCRI refusing or failing, without reasonable excuse, to give information or to answer

a question or produce a document or record when so required, may result in a fine;

and

(e) MCRI Personnel can be personally fined for providing false or misleading statements

or documents.

8.8 Determinations by the Privacy Commissioner

Following investigations, the Privacy Commissioner may:

(a) make a determination dismissing the complaint; or

(b) find the complaint substantiated and, where relevant, make one or more of the

following additional declarations:

(1) the act or practice is an interference with the privacy of one or more

individuals;

(2) the act or practice must not repeat or continue;

(3) that specified steps must be taken within a specified period to ensure that the

act or practice is not repeated or continued;

(4) that any specified act or course of conduct to redress any loss or damage

suffered by the complainant (including injury to the complainant’s feelings or

humiliation felt by the complainant), as is reasonable, must be performed

such as:

(A) change to practices or procedures;

(B) written apology to the complainant; or

(C) an acknowledgement of the act or practice;

30517976v3 page 39

(5) compensation for the loss or damage suffered by the complainant and/or

reimbursement for expenses reasonably incurred in connection with making

the complaint and the investigation of the complaint, in the amount specified;

(6) that a correction, deletion or addition to a record be made; or

(7) that it would be inappropriate for any further action to be taken in the matter.

8.9 Enforcement of determinations

The complainant or the Privacy Commissioner can commence proceedings in the Federal

Court or the Federal Circuit Court of Australia for an order to enforce a determination made by

the Privacy Commissioner.

The Court will make a decision as to whether MCRI engaged in conduct that constitutes an

interference with the privacy of the complainant in contravention of the Privacy Act. The Court

may receive as evidence in the proceedings a copy of the Privacy Commissioner’s written

reasons for the determination, a copy of any document that was before the Privacy

Commissioner or a copy of any record of any appearance before the Privacy Commissioner.

If the Court is satisfied that the conduct constitutes an interference with the privacy of the

complainant in contravention of the Privacy Act, the Court may make such orders as it thinks

fit, including:

(a) a declaration of rights;

(b) fines or penalties (including a fine of up to $1,700,000 for serious and repeated

breaches);

(c) an order granting an injunction;

(d) an order for corrective advertising;

(e) an order of compensation; or

(f) an order for the payment of legal costs.

The Courts are not restricted to the determination made by the Privacy Commissioner. As

such, the decision and any the orders made by the Court may differ from those in the original

determination by the Privacy Commissioner.

8.10 Other adverse consequences

In addition to any remedies available under the Privacy Act, a contravention of the Privacy Act

can also have adverse consequences for MCRI such as adverse publicity, substantial

damage to MCRI’s reputation and goodwill, disruption to MCRI’s business, reduced morale,

increased time demands and stress on individuals involved in investigations and any

subsequent legal proceedings.

8.11 The Victorian Health Services Commissioner

The Victorian Health Services Commissioner has the power to serve a compliance notice on

MCRI to take specified action within a period of time, if he or she finds that:

30517976v3 page 40

(a) MCRI has contravened the Health Records Act; and

(b) the contravention is of a serious or flagrant nature, or there has been 5 separate

occasions of such contravention in the previous 2 years.

The failure to comply with a compliance notice is an offence punishable by a penalty of up to

$442,830 (this amount is accurate for 2014/2015 financial year).

There are also penalties under the Health Records Act where there is a failure to cooperate

with an investigation/conference of the Victorian Health Services Commissioner.

30517976v3 page 1

Schedule 1 – Audit Report Form

No Requirement Comments Result

1. a Appropriate inquiries to identify the personal

information collected and retained and

whether or not that information is of a sensitive

nature.

2. b An appropriate inquiry to identify how personal

information is collected.

3. c Appropriate inquiries to identify why personal

information is collected and what is done with

that information.

4. d Appropriate inquiries to identify where and how

personal information is stored.

5. e An appropriate inquiry to identify how personal

information is secured.

6. f Appropriate inquiries to identify who has

access to personal information.

7. g Appropriate inquiries to identify whether

personal information is disclosed and/or

disseminated and to whom it is disclosed

and/or disseminated.

8. h Appropriate inquiries to identify whether the

intended use of collecting personal information

is communicated to those supplying that

information.

9. i Appropriate inquiries to identify whether the

information collected is up-to-date and whether

it is relevant and necessary for that information

to be held.

10. k Appropriate inquiries to identify the

management of nonconformities

11. l Appropriate inquiries to identify training needs

30517976v3 page 2

have been fulfilled and recorded

LEGEND NI = Need Improvement NA = Not Applicable Ad = Adequate UN = Unacceptable NV = Not Verified

Signed by MCRI General Compliance Officer:

Signed:

Date:

30517976v3 page 3

Schedule 2 - Privacy Complaint/Incident Form

Privacy Complaint/Incident Form

1. MCRI Personnel reporting [insert name, title]

2. Date and time of

complaint/incident

[insert date and time]

3. Nature of complaint/incident Tick all relevant issues:

collection of personal information by MCRI

use personal information by MCRI

disclosure of personal information by MCRI

use by third party of personal information disclosed by MCRI

storage or retention of personal information by MCRI

security of personal information

refusal by MCRI to allow access to personal information

accuracy or relevance of personal information held by MCRI

investigation by Privacy Commissioner1

not clear

other (give details):

4. Detailed description of

complaint/incident

[insert detail conduct and any relevant record or process]

_____________________________________________________

5. Details of complainant/individuals

potentially affected by the incident

[insert name and contact details if known]

6. Is further information from

complainant or otherwise required

to assess complaint/incident

Tick as applicable:

no

yes (give details):

30517976v3 page 4

7. Identity of the complainant/

affected individuals confirmed

Tick as applicable:

yes

no (give details):

8. Preliminary Assessment Tick as applicable:

insufficient information to review complaint/incident further

action required to be taken by MCRI as detailed in item 9 and if

taken:

complaint likely to be resolved or no likelihood of further

incidents

complaint unlikely to be resolved or likelihood of further

incidents (give details) Note 1:

_______________________________________________________

no action required to be taken by MCRI (other than a response)

and upon notification:

complaint likely to be resolved or no likelihood of further

incidents

complaint unlikely to be resolved and likelihood of further

incidents (give details) Note 1:

9. Action taken by MCRI Tick all relevant actions taken:

response to complainant, on _____________________________

notification of incident to individual affected, on ______________

notification of complaint/incident to third party, on ____________

apology to complainant/individual affected Note 1, on ___________

access granted to personal information, on _________________

correction of personal information, on _____________________

de-identification of personal information, on _________________

deletion/destruction of personal information Note 1, on __________

compensation paid to complainant Note 1, on _________________

review of MCRI’s policies, practices or systems Note 1

change in MCRI’s policies, practices or systems Note 1

training (or further training) for MCRI Personnel Note 1

legal advice obtained

response to Privacy Commissioner Note 1, on _______________

no action (other than a response) Note 1

30517976v3 page 5

other action (give details):

10. Response to the complainant/

notification to affected individuals

[insert date and detail of response/notification]

11. Other Information [insert any additional information as has the complaint been notified

date, to whom contact made]

12. Date complaint/incident referred to

MCRI General Compliance Officer

[insert date]

13. Date complaint/incident referred to

CEO

[insert date if applicable]

Note 1 – MCRI General Compliance Officer must notify CEO of complaint/incident and action taken. We recommend also

obtaining legal advice in respect of the complaint/incident.

Signed by reporting MCRI Personnel:

Signed:

Date:

Signed by MCRI General Compliance

Officer:

Signed:

Date:

30517976v3 page 1

Annexure A– National Privacy Principles (applied up to 12 March 2014)

National Privacy Principle 1—Collection

1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

National Privacy Principle 2—Use and disclosure

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose ) other than the primary purpose of collection unless:

(a) both of the following apply:

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i) it is impracticable for the organisation to seek the individual's consent before that particular use; and

(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv) in each direct marketing communication with the individual, the organisation draws to the individual's attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and individual to the organisation not to receive direct marketing communications; and

(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation's business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii) in the case of disclosure--the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

30517976v3 page 2

(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i) a serious and imminent threat to an individual's life, health or safety; or

(ii) a serious threat to public health or public safety; or

(ea) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and

(iii) in the case of disclosure--the recipient of the genetic information is a genetic relative of the individual; or

(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g) the use or disclosure is required or authorised by or under law; or

(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1: It is not intended to deter organisations from lawfully co-operating with

agencies performing law enforcement functions in the performance of their

functions.

Note 2: Subclause 2.1 does not override any existing legal obligations not to

disclose personal information. Nothing in subclause 2.1 requires an

organisation to disclose personal information; an organisation is always

entitled not to disclose personal information in the absence of a legal

obligation to disclose it.

Note 3: An organisation is also subject to the requirements of National Privacy

Principle 9 if it transfers personal information to a person in a foreign country.

2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation's primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(b) a natural person (the carer ) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a) a parent of the individual; or

(b) a child or sibling of the individual and at least 18 years old; or

(c) a spouse or de facto partner of the individual; or

(d) a relative of the individual, at least 18 years old and a member of the individual's household; or

(e) a guardian of the individual; or

30517976v3 page 3

(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or

(g) a person who has an intimate personal relationship with the individual; or

(h) a person nominated by the individual to be contacted in case of emergency.

2.6 In subclause 2.5:

"child" : without limiting who is a child of an individual for the purposes of this clause, each of the following is the child of an individual:

(a) an adopted child, stepchild, exnuptial child or foster child of the individual; and

(b) someone who is a child of the individual within the meaning of the Family Law Act 1975 .

de facto partner has the meaning given by the Acts Interpretation Act 1901 .

"parent" : without limiting who is a parent of an individual for the purposes of this clause, someone is the parent of an individual if the individual is his or her child because of the definition of child in this subclause.

"relative" of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

"sibling" of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.

"stepchild" : without limiting who is a stepchild of an individual for the purposes of this clause, someone is the stepchild of an individual if he or she would be the individual's stepchild except that the individual is not legally married to the individual's de facto partner.

2.7 For the purposes of the definition of relative in subclause 2.6, relationships to an individual may also be traced to or through another individual who is:

(a) a de facto partner of the first individual; or

(b) the child of the first individual because of the definition of child in that subclause.

2.8 For the purposes of the definition of sibling in subclause 2.6, an individual is also a sibling of another individual if a relationship referred to in that definition can be traced through a parent of either or both of them.

National Privacy Principle 3—Data quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

National Privacy Principle 4—Data security

4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

National Privacy Principle 5—Openness

5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

National Privacy Principle 6—Access and Correction

6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a) in the case of personal information other than health information--providing access would pose a serious and imminent threat to the life or health of any individual; or

(b) in the case of health information--providing access would pose a serious threat to the life or health of any individual; or

(c) providing access would have an unreasonable impact upon the privacy of other individuals; or

(d) the request for access is frivolous or vexatious; or

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g) providing access would be unlawful; or

(h) denying access is required or authorised by or under law; or

(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j) providing access would be likely to prejudice:

30517976v3 page 4

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii) the protection of the public revenue; or

(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or

(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to

give an individual an explanation for a commercially sensitive decision in

circumstances where subclause 6.2 does not apply.

6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4 If an organisation charges for providing access to personal information, those charges:

(a) must not be excessive; and

(b) must not apply to lodging a request for access.

6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.

6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.

6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.

National Privacy Principle 7—Identifiers

7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a) an agency; or

(b) an agent of an agency acting in its capacity as agent; or

(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before those matters are

prescribed: see subsection 100(2).

7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note: There are prerequisites that must be satisfied before the matters

mentioned in paragraph (c) are prescribed: see subsections 100(2) and (3).

7.3 In this clause:

"identifier" includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation's operations. However, an individual's name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier .

National Privacy Principle 8— Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

National Privacy Principle 9— Transborder data flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the

30517976v3 page 5

information that are substantially similar to the National Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply:

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

National Privacy Principle 10— Sensitive information

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(d) if the information is collected in the course of the activities of a non-profit organisation--the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual's consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected:

(i) as required or authorised by or under law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

(c) it is impracticable for the organisation to seek the individual's consent to the collection; and

(d) the information is collected:

(i) as required by law (other than this Act); or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.

10.5 In this clause:

"non-profit organisation" means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.

The information provided in this document was current

as at 6 December 2013, it is not a substitute for legal

advice.

30517976v3 page 1

Annexure B - Australian Privacy Principles (applied from 12 March 2014 onwards)

Part 1—Consideration of personal information privacy

Australian Privacy Principle 1—open and transparent management of personal information

1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.

Compliance with the Australian Privacy Principles etc.

1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:

(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and

(b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.

APP Privacy Statement

1.3 An APP entity must have a clearly expressed and up to date policy (the APP Privacy Statement) about the management of personal information by the entity.

1.4 Without limiting subclause 1.3, the APP Privacy Statement of the APP entity must contain the following information:

(a) the kinds of personal information that the entity collects and holds;

(b) how the entity collects and holds personal information;

(c) the purposes for which the entity collects, holds, uses and discloses personal information;

(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;

(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(f) whether the entity is likely to disclose personal information to overseas recipients;

(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients

are likely to be located if it is practicable to specify those countries in the policy.

Availability of APP Privacy Statement etc.

1.5 An APP entity must take such steps as are reasonable in the circumstances to make its APP Privacy Statement available:

(a) free of charge; and

(b) in such form as is appropriate.

Note: An APP entity will usually make its APP Privacy Statement available

on the entity’s website.

1.6 If a person or body requests a copy of the APP Privacy Statement of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.

Australian Privacy Principle 2—anonymity and pseudonymity

2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.

2.2 Subclause 2.1 does not apply if, in relation to that matter:

(a) the APP entity is required or authorised by or under an Australian law, or a court/ tribunal order, to deal with individuals who have identified themselves; or

(b) it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.

Part 2—Collection of personal information

Australian Privacy Principle 3—collection of solicited personal information

Personal information other than sensitive information

3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.

Sensitive information

30517976v3 page 2

3.3 An APP entity must not collect sensitive information about an individual unless:

(a) the individual consents to the collection of the information and:

(i) if the entity is an agency—the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or

(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or

(b) subclause 3.4 applies in relation to the information.

3.4 This subclause applies in relation to sensitive information about an individual if:

(a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(b) a permitted general situation exists in relation to the collection of the information by the APP entity; or

(c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or

(d) the APP entity is an enforcement body and the entity reasonably believes that:

(i) if the entity is the Immigration Department—the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the entity; or

(ii) otherwise—the collection of the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or

(e) the APP entity is a non-profit organisation and both of the following apply:

(i) the information relates to the activities of the organisation;

(ii) the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.

Note: For permitted general situation, see section 16A. For permitted health

situation, see section 16B.

Means of collection

3.5 An APP entity must collect personal information only by lawful and fair means.

3.6 An APP entity must collect personal information about an individual only from the individual unless:

(a) if the entity is an agency:

(i) the individual consents to the collection of the information from someone other than the individual; or

(ii) the entity is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or

(b) it is unreasonable or impracticable to do so.

Solicited personal information

3.7 This principle applies to the collection of personal information that is solicited by an APP entity.

Australian Privacy Principle 4—dealing with unsolicited personal information

4.1 If:

(a) an APP entity receives personal information; and

(b) the entity did not solicit the information;

the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information.

4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.

4.3 If:

(a) the APP entity determines that the entity could not have collected the personal information; and

(b) the information is not contained in a Commonwealth record;

the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.

Australian Privacy Principle 5—notification of the collection of personal information

5.1 At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:

(a) to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or

(b) to otherwise ensure that the individual is aware of any such matters.

30517976v3 page 3

5.2 The matters for the purposes of subclause 5.1 are as follows:

(a) the identity and contact details of the APP entity;

(b) if:

(i) the APP entity collects the personal information from someone other than the individual; or

(ii) the individual may not be aware that the APP entity has collected the personal information;

the fact that the entity so collects, or has collected, the information and the circumstances of that collection;

(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order— the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/ tribunal order, that requires or authorises the collection);

(d) the purposes for which the APP entity collects the personal information;

(e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity;

(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;

(g) that the APP Privacy Statement of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information;

(h) that the APP Privacy Statement of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;

(i) whether the APP entity is likely to disclose the personal information to overseas recipients;

(j) if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

Part 3—Dealing with personal information

Australian Privacy Principle 6—use or disclosure of personal information Use or disclosure

6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

(a) the individual has consented to the use or disclosure of the information; or

(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

Note: Australian Privacy Principle 8 sets out requirements for the disclosure

of personal information to a person who is not in Australia or an external

Territory.

6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:

(a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:

(i) if the information is sensitive information—directly related to the primary purpose; or

(ii) if the information is not sensitive information—related to the primary purpose; or

(b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or

(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or

(e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Note: For permitted general situation, see section 16A. For permitted health

situation, see section 16B.

6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:

(a) the agency is not an enforcement body; and

(b) the information is biometric information or biometric templates; and

(c) the recipient of the information is an enforcement body; and

(d) the disclosure is conducted in accordance with the guidelines made by the Commissioner for the purposes of this paragraph.

6.4 If:

30517976v3 page 4

(a) the APP entity is an organisation; and

(b) subsection 16B(2) applied in relation to the collection of the personal information by the entity;

the entity must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.

Written note of use or disclosure

6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.

Related bodies corporate

6.6 If:

(a) an APP entity is a body corporate; and

(b) the entity collects personal information from a related body corporate;

this principle applies as if the entity’s primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.

Exceptions

6.7 This principle does not apply to the use or disclosure by an organisation of:

(a) personal information for the purpose of direct marketing; or

(b) government related identifiers.

Australian Privacy Principle 7—direct marketing Direct marketing

7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.

Note: An act or practice of an agency may be treated as an act or practice of

an organisation, see section 7A.

Exceptions—personal information other than sensitive information

7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

(a) the organisation collected the information from the individual; and

(b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and

(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and

(d) the individual has not made such a request to the

organisation.

7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

(a) the organisation collected the information from:

(i) the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or

(ii) someone other than the individual; and

(b) either:

(i) the individual has consented to the use or disclosure of the information for that purpose; or

(ii) it is impracticable to obtain that consent; and

(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and

(d) in each direct marketing communication with the individual:

(i) the organisation includes a prominent statement that the individual may make such a request; or

(ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and

(e) the individual has not made such a request to the organisation.

Exception—sensitive information

7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

Exception—contracted service providers

7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if:

(a) the organisation is a contracted service provider for a Commonwealth contract; and

(b) the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and

(c) the use or disclosure is necessary to meet (directly or indirectly) such an obligation.

Individual may request not to receive direct marketing communications etc.

30517976v3 page 5

7.6 If an organisation (the first organisation) uses or discloses personal information about an individual:

(a) for the purpose of direct marketing by the first organisation; or

(b) for the purpose of facilitating direct marketing by other organisations;

the individual may:

(c) if paragraph (a) applies—request not to receive direct marketing communications from the first organisation; and

(d) if paragraph (b) applies—request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and

(e) request the first organisation to provide its source of the information.

7.7 If an individual makes a request under subclause 7.6, the first organisation must not charge the individual for the making of, or to give effect to, the request and:

(a) if the request is of a kind referred to in paragraph 7.6(c)

or (d)—the first organisation must give effect to the request

within a reasonable period after the request is made; and

(b) if the request is of a kind referred to in paragraph 7.6(e)—the organisation must, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.

Interaction with other legislation

7.8 This principle does not apply to the extent that any of the following apply:

(a) the Do Not Call Register Act 2006;

(b) the Spam Act 2003;

(c) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations.

Australian Privacy Principle 8—cross-border disclosure of personal information

8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):

(a) who is not in Australia or an external Territory; and

(b) who is not the entity or the individual;

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

Note: In certain circumstances, an act done, or a practice engaged in, by the

overseas recipient is taken, under section 16C, to have been done, or

engaged in, by the APP entity and to be a breach of the Australian Privacy

Principles.

8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:

(a) the entity reasonably believes that:

(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or

(b) both of the following apply:

(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;

(ii) after being so informed, the individual consents to the disclosure; or

(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or

(e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or

(f) the entity is an agency and both of the following apply:

(i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;

(ii) the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

Note: For permitted general situation, see section 16A.

Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers

Adoption of government related identifiers

9.1 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:

30517976v3 page 6

(a) the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or

(b) subclause 9.3 applies in relation to the adoption.

Note: An act or practice of an agency may be treated as an act or practice of

an organisation, see section 7A.

Use or disclosure of government related identifiers

9.2 An organisation must not use or disclose a government related identifier of an individual unless:

(a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or

(b) the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or

(c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or

(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or

(e) the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(f) subclause 9.3 applies in relation to the use or disclosure.

Note 1: An act or practice of an agency may be treated as an act or practice

of an organisation, see section 7A.

Note 2: For permitted general situation, see section 16A.

Regulations about adoption, use or disclosure

9.3 This subclause applies in relation to the adoption, use or disclosure by an organisation of a government related identifier of an individual if:

(a) the identifier is prescribed by the regulations; and

(b) the organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and

(c) the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.

Note: There are prerequisites that must be satisfied before the matters

mentioned in this subclause are prescribed, see subsections 100(2) and (3).

Part 4—Integrity of personal information

Australian Privacy Principle 10—quality of personal information

10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up to date and complete.

10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

Australian Privacy Principle 11—security of personal information

11.1 If an APP entity holds personal information, the entity

must take such steps as are reasonable in the circumstances

to protect the information:

(a) from misuse, interference and loss; and

(b) from unauthorised access, modification or disclosure.

11.2 If:

(a) an APP entity holds personal information about an individual; and

(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and

(c) the information is not contained in a Commonwealth record; and

(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

Part 5—Access to, and correction of, personal information

Australian Privacy Principle 12—access to personal information

Access

12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

Exception to access—agency

12.2 If:

(a) the APP entity is an agency; and

(b) the entity is required or authorised to refuse to give the individual access to the personal information by or under:

(i) the Freedom of Information Act; or

30517976v3 page 7

(ii) any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents;

then, despite subclause 12.1, the entity is not required to give access to the extent that the entity is required or authorised to refuse to give access.

Exception to access—organisation

12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:

(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

(b) giving access would have an unreasonable impact on the privacy of other individuals; or

(c) the request for access is frivolous or vexatious; or

(d) the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or

(e) giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(f) giving access would be unlawful; or

(g) denying access is required or authorised by or under an Australian law or a court/ tribunal order; or

(h) both of the following apply:

(i) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;

(ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

(i) giving access would be likely to prejudice one or more

enforcement related activities conducted by, or on behalf

of, an enforcement body; or

(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

Dealing with requests for access

12.4 The APP entity must:

(a) respond to the request for access to the personal information:

(i) if the entity is an agency—within 30 days after the request is made; or

(ii) if the entity is an organisation—within a reasonable period after the request is made; and

(b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.

Other means of access

12.5 If the APP entity refuses:

(a) to give access to the personal information because of subclause 12.2 or 12.3; or

(b) to give access in the manner requested by the individual;

the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.

12.6 Without limiting subclause 12.5, access may be given through the use of a mutually agreed intermediary.

Access charges

12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.

12.8 If:

(a) the APP entity is an organisation; and

(b) the entity charges the individual for giving access to the personal information;

the charge must not be excessive and must not apply to the making of the request.

Refusal to give access

12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and


12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.

Australian Privacy Principle 13—correction of personal information

Correction

30517976v3 page 8

13.1 If:

(a) an APP entity holds personal information about an individual; and

(b) either:

(i) the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or

(ii) the individual requests the entity to correct the information;

the entity must take such steps (if any) as are reasonable in

the circumstances to correct that information to ensure that,

having regard to the purpose for which it is held, the

information is accurate, up to date, complete, relevant and not

misleading.

Notification of correction to third parties

13.2 If:

(a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and

(b) the individual requests the entity to notify the other APP entity of the correction;

the entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Refusal to correct information

13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and


Request to associate a statement

13.4 If:

(a) the APP entity refuses to correct the personal information as requested by the individual; and

(b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;

the entity must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.

Dealing with requests

13.5 If a request is made under subclause 13.1 or 13.4, the APP entity:

(a) must respond to the request:

(i) if the entity is an agency—within 30 days after the request is made; or

(ii) if the entity is an organisation—within a reasonable period after the request is made; and

(b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).

–

The information provided in this document is current as at 29 April 2015, it is not a substitute for legal advice.

30517976v3 page 2

Annexure C –Health Privacy Principles (applied from 1 July 2002 onwards)

Health Privacy Principle 1—Collection

When health information may be collected

1.1 An organisation must not collect health information about an individual unless the information is necessary for one or more of its functions or activities and at least one of the following applies--

(a) the individual has consented;

(b) the collection is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law);

(c) the information is necessary to provide a health service to the individual and the individual is incapable of giving consent within the meaning of section 85(3) and--

(i) it is not reasonably practicable to obtain the consent of an authorised

representative of the individual within the meaning of section 85; or

(ii) the individual does not have such an authorised representative;

(d) the information is disclosed to the organisation in accordance with HPP 2.2(a), (f), (i) or (l) or HPP 2.5;

(e) if the collection is necessary for research, or the compilation or analysis of statistics, in the public interest--

(i) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

(ii) it is impracticable for the organisation to seek the individual's consent to the collection; and

(iii) the information is collected in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this subparagraph;

(f) the collection is necessary to prevent or lessen--

(i) a serious and imminent threat to the life, health, safety or welfare of any individual; or

(ii) a serious threat to public health, public safety or public welfare--

and the information is collected in accordance with guidelines, if any, issued or approved by the Health

Services Commissioner under section 22 for the purposes of this paragraph;

(g) the collection is by or on behalf of a law enforcement agency and the organisation reasonably believes that the collection is necessary for a law enforcement function;

(h) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;

(i) the collection is in the prescribed circumstances.

How health information is to be collected

1.2 An organisation must collect health information only by lawful and fair means and not in an unreasonably intrusive way.

1.3 If it is reasonable and practicable to do so, an organisation must collect health information about an individual only from that individual.

1.4 At or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects health information about an individual from the individual, the organisation must take steps that are reasonable in the circumstances to ensure that the individual is generally aware of--

(a) the identity of the organisation and how to contact it; and

(b) the fact that he or she is able to gain access to the information; and

(c) the purposes for which the information is collected; and

(d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and

(e) any law that requires the particular information to be collected; and

(f) the main consequences (if any) for the individual if all or part of the information is not provided.

1.5 If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence.

30517976v3 page 2

1.6 An organisation is not required to notify the individual of the identity of persons, or classes of persons, to whom health information may be disclosed in accordance with HPP 2.2(f).

Information given in confidence

1.7 If personal information is given in confidence to a health service provider about an individual by a person other than--

(a) the individual; or

(b) a health service provider in the course of, or otherwise in relation to, the provision of health services to the individual--

with a request that the information not be communicated to the individual to whom it relates, the provider must--

(c) confirm with the person that the information is to remain confidential; and

(d) if the information remains confidential--

(i) record the information only if it is relevant to the provision of health services to, or the care of, the individual; and

(ii) take reasonable steps to ensure that the information is accurate and not misleading; and

(e) take reasonable steps

Health Privacy Principle 2—Use and Disclosure

2.1 An organisation may use or disclose health information about an individual for the primary purpose for which the information was collected in accordance with HPP 1.1.

2.2 An organisation must not use or disclose health information about an individual for a purpose (the "secondary purpose") other than the primary purpose for which the information was collected unless at least one of the following paragraphs applies:

(a) both of the following apply--

(i) the secondary purpose is directly related to the primary purpose; and

(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or


(c) the use or disclosure is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law); or

(d) all of the following apply--

(i) the organisation is a health service provider providing a health service to the individual; and

(ii) the use or disclosure for the secondary purpose is reasonably necessary for the provision of the health service; and

(iii) the individual is incapable of giving consent within the meaning of section 85(3)and--

(A) it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or

(B) the individual does not have such an authorised representative; or

(e) all of the following apply--

(i) the organisation is a health service provider providing a health service to the individual; and

(ii) the use is for the purpose of the provision of further health services to the individual by the organisation; and

(iii) the organisation reasonably believes that the use is necessary to ensure that the further health services are provided safely and effectively; and

(iv) the information is used in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or

(f) the use or disclosure is for the purpose of—

(i) funding, management, planning, monitoring, improvement or evaluation of health services; or

(ii) training provided by a health service provider to employees or persons working with the organisation--

and--

(iii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the individual's consent to the use or disclosure; or

(iv) reasonable steps are taken to de-identify the information--

and--

(v) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication; and

(vi) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this sub-paragraph; or

30517976v3 page 3

(g) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest--

(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and

(ii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

(iii) the use or disclosure is in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this subparagraph; and

(iv) in the case of disclosure—

(A) the organisation reasonably believes that the recipient of the health information will not disclose the health information; and

(B) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained; or

(h) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent--

(i) a serious and imminent threat to an individual's life, health, safety or welfare; or

(ii) a serious threat to public health, public safety or public welfare--

and the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or

(i) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities and, if the organisation is a registered health service provider, the use or disclosure would not be a breach of confidence; or

(j) the organisation reasonably believes that the use or disclosure is reasonably necessary for a law enforcement function by or on behalf of a law enforcement agency and, if the organisation is a registered health service provider, the use or disclosure would not be a breach of confidence; or

(k) the use or disclosure is necessary for the establishment, exercise or defence of a legal or equitable claim; or

(l) the use or disclosure is in the prescribed circumstances.

Note: Nothing in HPP 2 requires an organisation to disclose health

information about an individual. An organisation is always entitled not to

disclose health information in the absence of a legal obligation to

disclose it.

2.3 If an organisation discloses health information under paragraph (i) or (j) of HPP 2.2, it must make a written note of the disclosure.

2.4 Despite HPP 2.2, a health service provider may disclose health information about an individual to an immediate family member of the individual if—

(a) either--

(i) the disclosure is necessary to provide appropriate health services to or care of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(b) the disclosure is limited to the extent reasonable and necessary for the purposes mentioned in paragraph (a); and

(c) the individual is incapable of giving consent to the disclosure within the meaning of section 85(3); and

(d) the disclosure is not contrary to any wish--

(i) expressed by the individual before the individual became incapable of giving consent and not changed or withdrawn by the individual before then; and

(ii) of which the organisation is aware or could be made aware by taking reasonable steps; and

(e) in the case of an immediate family member who is under the age of 18 years, considering the circumstances of the disclosure, the immediate family member has sufficient maturity to receive the information.

2.5 Despite HPP 2.2, an organisation may use or disclose health information about an individual

where—

(a) it is known or suspected that the individual is dead; or

(b) it is known or suspected that the individual is missing; or

(c) the individual has been involved in an accident or other misadventure and is incapable of consenting to the use or disclosure--

and the use or disclosure is to the extent reasonably necessary--

(d) to identify the individual; or

(e) to ascertain the identity and location of an immediate family member or other relative of the individual for the purpose of--

(i) enabling a member of the police force, a coroner or other prescribed organisation to contact the immediate family member or other relative for compassionate reasons; or

30517976v3 page 4

(ii) to assist in the identification of the individual--

and, in the circumstances referred to in paragraph (b) or (c)--

(f) the use or disclosure is not contrary to any wish--

(i) expressed by the individual before he or she went missing or became incapable of consenting and not withdrawn by the individual; and

(ii) of which the organisation is aware or could have become aware by taking reasonable steps; and

(g) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph.

Health Privacy Principle 3—Data Quality

3.1 An organisation must take steps that are reasonable in the circumstances to make sure that, having regard to the purpose for which the information is to be used, the health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.

Health Privacy Principle 4—Data Security and Data Retention

4.1 An organisation must take reasonable steps to protect the health information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2 A health service provider must not delete health information relating to an individual, even if it is later found or claimed to be inaccurate, unless--

(a) the deletion is permitted, authorised or required by the regulations or any other law; or

(b) the deletion is not contrary to the regulations or any other law and occurs--

(i) in the case of health information collected while the individual was a child, after the individual attains the age of 25 years; or

(ii) in any case, more than 7 years after the last occasion on which a health service was provided to the individual by the provider--

whichever is the later.

4.3 A health service provider who deletes health information in accordance with HPP 4.2 must make a written note of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted.

4.4 A health service provider who transfers health information to another individual or organisation and does not continue to hold a record of that information must make a written note of

the name and address of the individual or organisation to whom it was transferred.

4.5 An organisation other than a health service provider must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for the purpose for which it was collected or any other purpose authorised by this Act, the regulations made under this Act or any other law.

Health Privacy Principle 5—Openness

5.1 An organisation must set out in a document--

(a) clearly expressed policies on its management of health information; and

(b) the steps that an individual must take in order to obtain access to their health information.

The organisation must make the document available to anyone who asks for it.

5.2 On request by an individual, an organisation must take reasonable steps--

(a) to let the individual know--

(i) whether the organisation holds health information relating to the individual; and

(ii) the steps that the individual should take if the individual wishes to obtain access to the information; and

(b) if the organisation holds health information relating to the individual, to let the individual know in general terms--

(i) the nature of the information; and

(ii) the purposes for which the information is used; and

(iii) how the organisation collects, holds, uses and discloses the information. .

Health Privacy Principle 6—Access and Correction

Access

6.1 If an organisation holds health information about an individual, it must provide the individual with access to the information on request by the individual in accordance with Part 5, unless--

(a) providing access would pose a serious threat to the life or health of any person under section 26 and refusing access is in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or

(b) providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued or approved by

30517976v3 page 5

the Health Services Commissioner under section 22 for the purposes of this paragraph; or

(c) the information relates to existing legal proceedings between the organisation and the individual and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege; or

(d) providing access would reveal the intentions of the organisation in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the organisation unreasonably to disadvantage; or

(e) the information is subject to confidentiality under section 27; or

(f) providing access would be unlawful; or

(g) denying access is required or authorised by or under law; or

(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or

(i) providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency; or

(j) a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia; or

(k) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or

(l) the individual has been provided with access to the health information in accordance with Part 5 and is making an unreasonable, repeated request for access to the same information in the same way.

6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than access to the information.

Note: An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an

individual an explanation for a commercially sensitive decision in

circumstances where HPP 6.2 does not apply.

6.3 If access is refused on the ground that it would pose a serious threat to the life or health of the individual, the procedure in Division 3 of Part 5 applies.

6.4 Without limiting sections 26 and 27, nothing in this Principle compels an organisation to refuse to provide an individual with access to his or her health information.

Correction

6.5 If an organisation holds health information about an individual and the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date but must not delete the information otherwise than in accordance with HPP 4.2.

6.6 If--

(a) the organisation is not willing to correct the health information in accordance with a request by the individual; and

(b) no decision or recommendation to the effect that the information should be corrected wholly or partly in accordance with the request, is pending or has been made under this Act or any other law; and

(c) the individual gives to the organisation a written statement concerning the requested correction--

the organisation must take reasonable steps to associate the statement with the information.

6.7 If the organisation accepts the need to correct the health information but—

(a) the organisation considers it likely that leaving incorrect information, even if corrected, could cause harm to the individual or result in inappropriate health services or care being provided; or

(b) the form in which the health information is held makes correction impossible; or

(c) the corrections required are sufficiently complex or numerous for a real possibility of confusion or error to arise in relation to interpreting or reading the record if it were to be so corrected—

the organisation must place the incorrect information on a record which is not generally available to anyone involved in providing health services to the individual, and to which access is restricted, and take reasonable steps to ensure that only the corrected information is generally available to anyone who may provide health services to the individual.

6.8 If an organisation corrects health information about an individual, it must--

(a) if practicable, record with the correction the name of the person who made the correction and the date on which the correction is made; and

(b) take reasonable steps to notify any health service providers to whom the organisation disclosed the health information before its correction and who may reasonably be expected to rely on that information in the future.

30517976v3 page 6

6.9 If an individual requests an organisation to correct health information about the individual, the organisation must take reasonable steps to notify the individual of a decision on the request as soon as practicable but in any case not later than 30 days after the request is received by the organisation.

Written Reasons

6.10 An organisation must provide written reasons for refusal of access or a refusal to correct health information.

Health Privacy Principle 7—Identifiers

7.1 An organisation may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently.

7.2 Subject to HPP 7.4, a private sector organisation may only adopt as its own identifier of an individual an identifier of an individual that has been assigned by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if--

(a) the individual has consented to the adoption of the same identifier; or

(b) the use or disclosure of the identifier is required or authorised by or under law.

7.3 Subject to HPP 7.4, a private sector organisation may only use or disclose an identifier assigned to an individual by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if--

(a) the use or disclosure is required for the purpose for which it was assigned or for a secondary purpose referred to in one or more of paragraphs (c) to (l) of HPP 2.2; or


(c) the disclosure is to the public sector organisation which assigned the identifier to enable the public sector organisation to identify the individual for its own purposes.

7.4 If the use or disclosure of an identifier assigned to an individual by a public sector organisation is necessary for a private sector organisation to fulfil its obligations to, or requirements of, the public sector organisation, a private sector organisation may either--

(a) adopt as its own identifier of an individual an identifier of the individual that has been assigned by the public sector organisation; or

(b) use or disclose an identifier of the individual that has been assigned by the public sector organisation

Health Privacy Principle 8—Anonymity

8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation. .

Health Privacy Principle 9—Transborder Data Flows

9.1 An organisation may transfer health information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if--

(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles; or

(b) the individual consents to the transfer; or

(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or

(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e) all of the following apply--

(i) the transfer is for the benefit of the individual;

(ii) it is impracticable to obtain the consent of the individual to that transfer;

(iii) if it were practicable to obtain that consent, the individual would be likely to give it; or

(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles; or

(g) the transfer is authorised or required by any other law.

Health Privacy Principle 10—Transfer or closure of the practice of a health service provider

10.1 This Principle applies if the practice or business of a health service provider ("the provider") is to be--

(a) sold or otherwise transferred and the provider will not be providing health services in the new practice or business; or

(b) closed down.

10.2 The provider or, if the provider is deceased, the legal representatives of the provider, must--

30517976v3 page 7

(a) publish a notice in a newspaper circulating in the locality of the practice or business stating--

(i) that the practice or business has been, or is about to be, sold, transferred or closed down, as the case may be; and

(ii) the manner in which the provider proposes to deal with the health information held by the practice or business about individuals who have received health services from the provider, including whether the provider proposes to retain the information or make it available for transfer to those individuals or their health service providers; and

(b) take any other steps to notify individuals who have received a health service from the provider in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph.

10.3 Not earlier than 21 days after giving notice in accordance with HPP 10.2, the person giving the notice must, in relation to health information about an individual held by, or on behalf of, the practice or business, elect to retain that information or transfer it to--

(a) the health service provider, if any, who takes over the practice or business; or

(b) the individual or a health service provider nominated by him or her.

10.4 A person who elects to retain health information must continue to hold it or transfer it to a competent organisation for safe storage in Victoria, until the time, if any, when the health information is destroyed in accordance with HPP 4.

10.5 Subject to HPP 10.2, a person must comply with the requirements of this Principle as soon as practicable.

10.6 Despite any other provision of the Health Privacy Principles, a person who transfers health information in accordance with this Principle does not, by so doing, contravene the Health Privacy Principles.

10.7 If—

(a) an individual, in response to a notice published under HPP 10.2, requests that health information be transferred to him or her or to a health service provider nominated by him or her; and

(b) the person who published the notice elects to retain the health information the request must be taken to be--

(c) in the case of a request that the health information be transferred to him or her, a request for access to that health information in accordance with Part 5 or HPP 6; and

(d) in the case of a request that the health information be transferred to a health service provider nominated by him or her, a request for the transfer of that health information in accordance with HPP 11--

and it must be dealt with in accordance with this Act.

10.8 This Principle operates subject to any other law, including the Public Records Act 1973.

10.9 For the purposes of HPP 10.1(a), a business or practice of a provider is transferred if--

(a) it is amalgamated with another organisation; and

(b) the successor organisation which is the result of the amalgamation is a private sector organisation.

Health Privacy Principle 11 —Making information available to another health service provider

11.1 If an individual--

(a) requests a health service provider to make health information relating to the individual held by the provider available to another health service provider; or

(b) authorises another health service provider to request a health service provider to make health information relating to the individual held by that provider available to the requesting health service provider--

a health service provider to whom the request is made and who holds health information about the individual must, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations, provide a copy or written summary of that health information to that other health service provider.

11.2 A health service provider must comply with the requirements of this Principle as soon as practicable.

11.3 Nothing in Part 5 or HPP 6 limits the operation of this Principle.

11.4 For the purposes of HPP 10.7, this Principle applies to a legal representative of a deceased health service provider in the same way that it applies to a health service provider.

.

The information provided in this document is current as at 29 April 2015, it is not a substitute for legal advice.

Documents

Issue Date: 29 April 2015€¦ · consent of the MCRI General Compliance Officer. If you have any questions in relation to your responsibilities in regards to privacy matters, please