Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Privacy Compliance Manual
Issue Date: 29 April 2015
Piper Alderman
Lawyers
Melbourne office
Level 24, 385 Bourke Street
Melbourne Vic 3000
Australia
t +61 3 8665 5555
f +61 3 8665 5500
www.piperalderman.com.au
Melbourne . Sydney . Brisbane . Adelaide
© Piper Alderman
Contents page
30517976v3 page i
1. Introduction 1
1.1 Overview 1 1.2 Purpose of this Privacy Compliance Manual 1 1.3 Scope of this Privacy Compliance Manual 2 1.4 Dealing with Contractors and Agents 2 1.5 Consequences of a contravention 2 1.6 Updating the Privacy Compliance Manual 3
2. Privacy Compliance Framework 4
2.1 Privacy legislation 4 2.2 What is “personal information”? 4 2.3 What is “sensitive information”? 5 2.4 What is “health information”? 6 2.5 What is a “Health Service” 6 2.6 Employee records 7
3. Open and transparent management of personal information 9
3.1 General overview 9 3.2 MCRI Privacy Policy 9
4. Collection of personal information 10
4.1 Collection of solicited personal information 10 4.2 Collection of solicited sensitive information 10 4.3 Dealing with unsolicited personal information 11 4.4 Dealing with children, young people and incapacity to give consent 12
5. Dealing with personal information 14
5.1 General use and disclosure 14 5.2 Use and disclosure of health information 15 5.3 Disclosure to related body corporates 16 5.4 Cross-border disclosures 16 5.5 Use for direct marketing 18 5.6 Adoption, use or disclosure of government related identifiers 21
6. Integrity, quality and security of personal information 23
6.1 Quality of personal information 23 6.2 Storage and retention of personal information 23 6.3 Security of personal information 23 6.4 Privacy Audits 24
7. Managing enquires, requests, complaints and incidents 25
7.1 General Overview 25 7.2 Dealing with requests for a copy of the MCRI Privacy Policy 25 7.3 Dealing with requests for access to personal information 25 7.4 Correction of personal information 28 7.5 Dealing with requests to destroy, delete or remove personal information and other
complaints generally 29 7.6 Anonymity 31 7.7 Verification of identity 31 7.8 Privileged documents or confidential documents 32
Contents page
30517976v3 page ii
8. Investigations and enforcement of privacy compliance obligations 33
8.1 The role of the Privacy Commissioner 33 8.2 Powers of the Privacy Commissioner 33 8.3 Investigations by the Privacy Commissioner 33 8.4 Dealing with notices from the Privacy Commissioner, subpoenas or legal warrants 35 8.5 Voluntary conciliation 37 8.6 Compulsory conferences 37 8.7 Penalties for failure to cooperate with an investigation/conference 38 8.8 Determinations by the Privacy Commissioner 38 8.9 Enforcement of determinations 39 8.10 Other adverse consequences 39
30517976v3 page 1
Privacy Compliance Manual
1. Introduction
1.1 Overview
This Privacy Compliance Manual is for internal use only and is part of a wider set of policies
and manuals which apply to the business operations of Murdoch Childrens Research Institute
and its related body corporates (MCRI). MCRI includes Victorian Clinical Genetics Services
(VCGS). As an officer, employee, contractor, agent, honorary, research associate or student
of, or assisting, MCRI (together MCRI Personnel), you are responsible for ensuring
compliance with MCRI’s polices and manuals including this Privacy Compliance Manual. This
Privacy Compliance Manual should not be provided to any third party without the written
consent of the MCRI General Compliance Officer.
If you have any questions in relation to your responsibilities in regards to privacy matters,
please contact the MCRI General Compliance Officer.
The MCRI General Compliance Officer is:
Neil Harker
Murdoch Childrens Research Institute
Royal Children's Hospital
Flemington Road
Parkville VIC 3052
Email: [email protected]
P: +613 8341 6340
F: +613 9348 1391
1.2 Purpose of this Privacy Compliance Manual
This Privacy Compliance Manual aims to give you a general understanding of:
(a) MCRI Personnel (including contractors, research associates and students)
compliance obligations under Privacy Act 1988 (Cth) (Privacy Act) and the Health
Records Act 2001 (Vic) (Health Records Act);
(b) alert you to conduct which may contravene MCRI’s privacy obligations;
(c) identify conduct and situations which increase the risk of a breach of MCRI’s privacy
obligations;
(d) assist you with identifying circumstances where legal advice is necessary; and
(e) provide general guidance for day-to-day business dealings.
This Privacy Compliance Manual is not intended to be a substitute for legal advice as to
whether MCRI’s conduct will or will not contravene the Privacy Act. If there is any uncertainty
as to whether any conduct complies with the Privacy Act, legal advice should be obtained.
30517976v3 page 2
1.3 Scope of this Privacy Compliance Manual
This Privacy Compliance Manual covers the following seven key areas:
(a) privacy compliance framework (see section 2 of this Privacy Compliance Manual);
(b) open and transparent management of personal information (see section 3 of this
Privacy Compliance Manual);
(c) collection of personal information (see section 4 of this Privacy Compliance Manual);
(d) dealing with personal information (see section 5 of this Privacy Compliance Manual);
(e) integrity, quality and security of personal information (see section 6 of this Privacy
Compliance Manual);
(f) managing enquires, requests, complaints and incidents (see section 7 of this Privacy
Compliance Manual); and
(g) investigations and enforcement of privacy compliance obligations (see section 8 of
this Privacy Compliance Manual).
1.4 Dealing with Contractors and Agents
The Privacy Act and Health Records Act may not automatically apply to contractors, agents,
honoraries, research assistants or students and their performance of acts for, or on behalf of,
MCRI but their actions can, on occasion, be construed as actions of MCRI. It is imperative
that all contractors, agents, honoraries, research assistants and students of, or assisting,
MCRI be contractually required to comply with the Privacy Act and Health Records Act (to the
extent required by MCRI) and MCRI’s Privacy Policy.
1.5 Consequences of a contravention
As of 12 March 2014, if a contravention of the Privacy Act is found, MCRI may be fined up to
$1,700,000. In addition, individuals (including MCRI Personnel) can also be held personally
liable for providing false or misleading statements or documents. Any MCRI Personnel found
to have knowingly contravened the Privacy Act by providing false or misleading statements or
documents, will not be indemnified by MCRI against a fine or the legal costs concerned with
defending such proceedings.
The Health Records Act may also impose a penalty of up to $442,830 (amount accurate for
2014/2015 financial year) on MCRI for the failure to comply with a compliance notice. MCRI
Personnel may also be personally fined where they do not cooperate with the Victorian Health
Services Commissioner, wilfully obstruct, hinder or resists the Victorian Health Services
Commissioner in performing its duties or providing false or misleading statements or
documents. Any fines or legal costs arising from such proceedings will not be indemnified by
MCRI.
If an individual suffers loss or damage as a result of a contravention of the Privacy Act or
Health Records Act, MCRI may be sued for compensation for that loss or damage. MCRI’s
legal costs will often be borne by MCRI. MCRI may also be required to pay an individual’s
legal costs. Legal costs for any investigation or subsequent legal proceedings can be
significant.
30517976v3 page 3
A contravention of the Privacy Act or Health Records Act can also have other adverse
consequences for MCRI, such as adverse publicity, substantial damage to MCRI’s reputation
and goodwill, disruption to MCRI’s business, reduced morale, increased time demands and
stress on individuals involved in investigations and any subsequent legal proceedings.
1.6 Updating the Privacy Compliance Manual
This Privacy Compliance Manual will be updated in response to changes in the law or
changes to MCRI’s systems or procedures. Updates to this Privacy Compliance Manual will
be published on MCRI’s intranet and available from the MCRI General Compliance Officer.
Any suggestions as to how this Privacy Compliance Manual or MCRI’s systems or procedures
can be improved, should be sent to the MCRI General Compliance Officer.
30517976v3 page 4
2. Privacy Compliance Framework
2.1 Privacy legislation
The Privacy Act regulates the minimum standards for dealing with personal information
required of organisations covered by the legislation.
MCRI is a covered organisation and is required to comply with the Australian Privacy
Principles (APPs). The APPs are a set of 13 principles regulating MCRI’s collection, use,
disclosure and handling of personal information from 12 March 2014 onwards.
Prior to 12 March 2014, MCRI was required to comply with the National Privacy Principles
(NPPs), a narrower set of principles regulating the collection, use, disclosure and handling of
personal information. When the APPs were put in place by changes to the Privacy Act, other
changes were also made, including increased powers of the Privacy Commissioner and new
penalties. This Privacy Compliance Manual incorporates these changes.
MCRI must also comply with the Victorian Health Records Act which sets out a set of 11
principles regulating MCRI’s collection, use, disclosure and handling of health information in
Victoria. These principles are known as the Health Privacy Principles (HPPs). The HPPs
contain similar obligations to the APPs, although the HPPs generally impose a lower standard
of obligation as compared to the APPs, as the HPPs were initially enacted to complement the
NPPs. However, in some circumstances the HPPs provide slightly different or more specific
obligations. This Privacy Compliance Manual notes those circumstances in the relevant
sections.
NPPs, APPs and HPPs
The NPPs, APPs and HPPs are all discussed throughout this Privacy Compliance Manual.
Unless otherwise stated in this Privacy Compliance Manual, to the extent that one set of
principles requires a higher standard of MCRI (pursuant to the HPPs, APPs or otherwise
under the Privacy Act or Health Records Act), this Privacy Compliance Manual has adopted
the higher standard for compliance.
2.2 What is “personal information”?
“Personal information” means information or an opinion about an identified individual, or an
individual whose identity can be reasonably be ascertained, whether the information or
opinion is true or not and whether the information or opinion is recorded in a material form or
not.
Personal information relates only to individuals (that is, natural persons) and not companies
or other organisations. However, personal information may relate to individuals working for
companies or organisations.
Personal information includes basic personal details such as a person’s:
(a) name;
(b) date of birth;
30517976v3 page 5
(c) address (including email);
(d) social media page; and
(e) telephone number.
Please note that, whilst a single piece of information may not necessarily identify an
individual, such information will still constitute personal information if the identity of the
individual can be reasonably ascertained from that information. (For example, an e-mail
address might be such that the identity of the person can be reasonably ascertained from it.)
The examples below are intended as an illustration only. They are not intended to be a
substitute for legal advice as to whether conduct will or will not contravene the Privacy
Act.
Example 1
Facts: An empty vial has a patient’s name on it.
Question: Does the vial contain personal information?
Answer: Yes. The information labelled on the vial relates to an identifiable person and as
such constitutes personal information.
Example 2
Facts: A research assistant of MCRI plots on a map of Melbourne the number of patients in
each suburb with a particular illness from each suburb in Melbourne.
Question: Does the map contain personal information?
Answer: Ordinarily, this information will not be personal information as it does not identify an
individual. However, if the individual’s identity can be reasonably ascertained when the map
is coupled with other generally accessible information, the map can constitute personal
information.
2.3 What is “sensitive information”?
“Sensitive information” is a special subset of personal information and includes information
about an individual’s:
(a) ethnicity;
(b) political opinions or memberships;
(c) religious or philosophical beliefs;
(d) membership of a professional trade association or trade union;
(e) gender or sexual orientation and practices;
30517976v3 page 6
(f) criminal record; and
(g) health information.
Greater obligations apply, under the Privacy Act, to the collection, use and disclosure of
sensitive information.
2.4 What is “health information”?
“Health information” is a subset of sensitive information and includes:
(a) information or an opinion about:
(1) the health or disability (at any time) of an individual; or
(2) an individual's expressed wishes about the future provision of health services
to him or her or the donation, or intended donation, of his or her body parts,
organs or body substances; or
(3) a health service provided, or to be provided, to an individual; and
(b) other personal information that is collected:
(1) in the course of providing a health service; or
(2) in connection with the donation, or intended donation, by the individual of his
or her body parts, organs or body substances; or
(3) that is genetic information that could be predictive of an individual’s health.
Health information will include:
(a) notes of an individual’s symptoms, diagnosis or treatment (including medical
certificates);
(b) test results;
(c) prescriptions and pharmaceutical purchases;
(d) dental records;
(e) an individual’s healthcare identifier collected to provide a health services; and
(f) other personal information (such as information about the individual’s gender, date of
birth, sexuality), collected to provide a health service to the individual.
2.5 What is a “Health Service”
“Health Service” means one of the following services or activities:
(a) an activity performed in relation to an individual that is intended or claimed (expressly
or otherwise) by the individual performing it:
30517976v3 page 7
(1) to assess, record, maintain or improve the individual’s health; or
(2) to diagnose the individual’s illness or disability; or
(3) to treat an individual’s illness or disability, or suspected illness or disability,
including dispersing or prescribing drug or medicinal preparation;
(b) a disability service, palliative care service or aged care service;
(c) the dispensing on prescription of a drug or medicinal preparation by a registered
pharmacist; or
(d) a service, or a class of service, provided in conjunction with an activity or service
referred to in the above paragraphs.
The example below is intended as an illustration only. It is not intended to be a
substitute for legal advice as to whether conduct will or will not contravene the Privacy
Act.
Example 3
Facts: A patient’s record details information about a patient’s medical condition and their
insurance details.
Question: Is the information in the patient’s record health information?
Answer: All information in the patient’s records will constitute health information if it is
collected by MCRI in the course of providing health services to the individual (including the
individual’s insurance details). As such this information will be subject to greater compliance
obligations.
2.6 What is a “Health service provider”
“Health service provider” means an organisation that provides a health service (as defined
above) in Victoria. VCGS is classified as a health service provider, as it provides diagnostic
services.
2.7 Employee records
Records of MCRI’s employees are generally exempt from the coverage of the Privacy Act. To
fall within the exemption, the record must be directly related to the employment relationship.
Such records may include:
(a) the engagement, training, disciplining, resignation or termination of employment of an
employee;
(b) the terms and conditions of employment of an employee;
(c) the employee's performance or conduct, hours of employment, salary or wages,
personal and emergency contact details;
30517976v3 page 8
(d) the employee's membership of a professional or trade association or trade union
membership;
(e) the employee's recreation, long service, sick, maternity, paternity or other leave; and
(f) the employee's taxation, banking or superannuation affairs.
Please take note that this exemption applies only to MCRI’s employees and does not cover:
(a) records collected during interviews from a prospective employee who does not
become an employee;
(b) records held about an employee outside the scope of the employment relationship; or
(c) records about contractors, subcontractors, honoraries, research collaborators or
students,
and as such those records may constitute personal information where the identity of the
person is reasonably apparent.
However, there is no exemption for employee “health information” under the Health Records
Act. Therefore, records such as a medical certificate provided by an employee as part of a
sick leave application should be dealt with by MCRI and VCGS in compliance with the privacy
obligations set out in this Privacy Compliance Manual.
In any event, even if certain records of MCRI’s employees are exempted from the Privacy Act,
employee records should be dealt with in the strictest confidence. Please contact Human
Resources if in doubt.
The example below is intended as an illustration only. It is not intended to be a
substitute for legal advice as to whether conduct will or will not contravene the Privacy
Act.
Example 4
Facts: A contractor to MCRI provides MCRI with a list of the names of each of their
employees that are likely to be on MCRI’s premises for the purpose of performing services to
MCRI.
Question: Is the contractor’s employees’ information exempt employee records under the
Privacy Act for MCRI?
Answer: No. Information held by MCRI about a contractor’s employees will not be an exempt
record.
30517976v3 page 9
3. Open and transparent management of personal information
3.1 General overview
MCRI is required to ensure that we manage personal information in an open and transparent
way and that our management of personal information is set out in the MCRI Privacy Policy.
The MCRI Privacy Policy contains (and is required to contain) information about:
(a) the kinds of personal information MCRI collects and holds;
(b) how MCRI collects and holds personal information;
(c) the purposes for which MCRI collects, holds, uses and discloses personal
information;
(d) how an individual may access personal information held by MCRI about the individual
and seek the correction of such information;
(e) how an individual may lodge a complaint about a breach of the Privacy Act, and how
MCRI will deal with such a complaint; and
(f) whether MCRI is likely to disclose personal information to overseas recipients and, if
so, the countries in which such recipients are likely to be located.
3.2 MCRI Privacy Policy
The MCRI Privacy Policy is available on our intranet, from the MCRI General Compliance
Officer, and on the MCRI website. All MCRI Personnel should familiarise themselves with the
MCRI Privacy Policy. A separate Website Privacy Policy is also available on our website for
our web users only.
30517976v3 page 10
4. Collection of personal information
4.1 Collection of solicited personal information
MCRI is only permitted to collect personal information that is reasonably necessary for the
performance of MCRI’s business activities. The term “collection” simply means the inclusion
of information in a record or publication (whether public or private). Additional conditions apply
to the collection of sensitive information (see section 4.2 of this Privacy Compliance Manual).
MCRI should use all reasonable endeavours to collect personal information about an
individual from that individual, unless it is impractical to do so. Collection of personal
information directly from individuals must be conducted in a manner that is fair, lawful and not
unreasonably intrusive.
If personal information is collected by MCRI, MCRI must take reasonable steps to ensure that
the individual is aware of the MCRI Privacy Policy including, but not limited to:
(a) how an individual may access their own personal information;
(b) how an individual may seek the correction of such information;
(c) how an individual may lodge a complaint about a breach of the Privacy Act; and
(d) how MCRI will deal with such a complaint.
The above notification requirement also applies where personal information is collected from
a third party and the individual has not been made aware of MCRI’s collection and the MCRI
Privacy Policy.
The MCRI General Compliance Officer is responsible for notifying third parties. If the MCRI
General Compliance Officer has any concerns as to the content of the notice or the process of
notification, legal advice should be obtained.
Capacity and Consent
Please take note that:
(a) the individual must have the capacity to consent to the collection; and
(b) consent must be given voluntarily and must be informed, specific and current.
Section 4.4 deals with specific situations where an individual may not be able to give
consent.
4.2 Collection of solicited sensitive information
In addition to the general requirements for collecting personal information, sensitive
information must only be collected where the person has given consent and the sensitive
information is reasonably necessary for MCRI’s business activities, unless:
(a) the collection is authorised by or under an Australian law (including the Privacy Act) or
a court/tribunal order; or
30517976v3 page 11
(b) the collection is reasonably necessary to establish or defend a legal or equitable
claim, or for a confidential alternative dispute resolution process; or
(c) the collection is believed to be necessary to lessen or prevent a serious threat to the
life, health or safety of any individual, or to public health or safety and it is
unreasonable or impracticable to obtain the individual’s consent to the use; or
(d) the collection is believed to be, necessary and the appropriate action to take in
response to an actual or suspected unlawful activity or misconduct of a serious
nature; or
(e) the use or disclosure is reasonably necessary for enforcement related activities of an
enforcement body such as:
(1) prevention, detection, investigation and prosecuting of crimes;
(2) conducting surveillance activities, intelligence gathering activities or
monitoring activities;
(3) the preparation for, or conduct of, proceedings before any court or tribunal, or
the implementation of court/tribunal orders.
Not-for-profits collections
MCRI may also collect sensitive information if the information:
(a) is collected by MCRI for the performance of activities consistent with its not-for-profit
status;
(b) solely relates to the members of MCRI or to persons who have regular contact with
MCRI’s activities (eg. donors); and
(c) at or before the time of collecting the information, MCRI has advised the person that
their information will not be disclosed to third parties without their consent and does
not do so.
The Privacy Act and Health Records Act also provide a limited exception where the
collection, use or disclosure of health information is necessary for public health or
public safety research, the health information cannot be de-identified, and it is
impracticable to obtain consent from the individual. In those circumstances consent
may not be required.
4.3 Dealing with unsolicited personal information
If MCRI receives personal information without requesting it, the MCRI General Compliance
Officer or, if he or she is not available, the Chief Operating Officer/Company Secretary should
be immediately informed.
The MCRI General Compliance Officer or the Chief Operating Officer/Company Secretary as
notified, must review the personal information and determine whether or not the personal
information received is desired by MCRI to be retained and/or used.
30517976v3 page 12
If the personal information is desired to be retained and/or used, MCRI should only retain
such personal information (where received in an unsolicited manner) if:
(a) the personal information could have been solicited from the individual directly; and
(b) MCRI have, unless it is unreasonable or impractical to do so, notified the individual of
our collection and provided the individual with, or directed the individual to, the MCRI
Privacy Policy. Legal advice should be obtained if it is deemed unreasonable or
impractical to notify the individual of the collection.
Otherwise, if the personal information is not desired to be retained or used by MCRI or the
personal information could not have been solicited by us directly, then MCRI must, as soon as
practicable, destroy the information (if it is lawful and reasonable to do so) or ensure that the
information is de-identified.
The example below is intended as an illustration only. It is not intended to be a
substitute for legal advice as to whether conduct will or will not contravene the Privacy
Act.
Example 5
Facts: A MCRI Personnel receives 100 unsolicited medical records of individuals.
Question: Can MCRI collect and retain this personal information?
Answer: No. The personal information should be destroyed (that is, irretrievably deleted
from operational systems) since there is no suggestion that the personal information could
not be solicited from the individuals directly and the personal information is sensitive
information.
4.4 Dealing with children, young people and incapacity to give consent
An individual may be unable to give consent for a number of reasons including because they:
(a) have limited decision making capacity due to a cognitive impairment, such as
dementia;
(b) are experiencing temporary incapacity, perhaps due to a physical or psychotic
condition or illness;
(c) are a young child; or
(d) are in an emergency situation, unconscious or in distress.
If consent is required, and an individual lacks capacity, you will need to consider whether
there is another person who can act on the individual's behalf. There may be a range of
options available, including:
(a) a guardian;
30517976v3 page 13
(b) a person with an enduring power of attorney that can be used in relation to the
individual's health;
(c) a person who has a statutory right or power to act on someone's behalf by virtue of
legislation; or
(d) a person who has been nominated in writing by the individual prior to becoming
incapacitated.
A lack of capacity or consent must not prevent the individual from missing out on necessary
healthcare. Any lack of consent should be recorded and any information collected from the
individual should be treated carefully to ensure their privacy rights are not undermined.
30517976v3 page 14
5. Dealing with personal information
5.1 General use and disclosure
If we hold personal information about an individual that was collected for a particular purpose
(primary purpose), such personal information must not be used or disclosed for another
purpose (secondary purpose) unless one of the following conditions are met:
(a) the individual has consented to the use or disclosure of the information;
(b) an individual would reasonably expect us to use or disclose the information for the
secondary purpose (and if the personal information is also sensitive information the
secondary purpose must be directly related to the primary purpose);
(c) the use or disclosure is, believed by us to be, necessary to lessen or prevent a
serious threat to the life, health or safety of any individual, or to public health or safety
and it is unreasonable or impracticable to obtain the individual’s consent to the use or
disclosure;
(d) the use or disclosure is authorised by, or under, an Australian law (including the
Privacy Act) or a court/tribunal order and a written record is kept of such use and
disclosure by the MCRI General Compliance Officer; or
(e) the use or disclosure is reasonably necessary to establish or defend a legal or
equitable claim, or for a confidential alternative dispute resolution process;
(f) the use or disclosure is, believed by us to be, necessary and the appropriate action to
take in response to an actual or suspected unlawful activity or misconduct of a serious
nature; or
(g) the use or disclosure is reasonably necessary for enforcement related activities of an
enforcement body such as:
(1) the prevention, detection, investigation and prosecuting of crimes;
(2) the conduct of surveillance activities, intelligence gathering activities or
monitoring activities; or
(3) the preparation for, or conduct of, proceedings before any court or tribunal, or
the implementation of court/tribunal orders,
and a written record is kept of such use and disclosure by the MCRI General
Compliance Officer.
The above principle does not apply to:
(a) health information except where a permitted health situation exists (see section 5.2 of
this Privacy Compliance Manual);
(b) direct marketing activities (see section 5.5 of this Privacy Compliance Manual); or
(1) adoption and use of government related identifiers (see section 5.6 of this
Privacy Compliance Manual); and
30517976v3 page 15
(c) it is preferred that written consent be obtained from the individual, where possible, to
ensure that MCRI’s right to use and disclose their personal information is clear and
unequivocal.
For all collections of information, consent to use and disclose the information should be
obtained, at the time of collection, from the individual by ensuring that the individual signs an
appropriate and ethically approved consent form.
5.2 Use and disclosure of health information
In addition to the general obligations relating to personal information, health information may
only be used for a secondary purpose if:
(a) it is for research, compilation or analysis of statistics, or relevant to public health or
public safety; and
(b) it is impracticable for the organisation to obtain the individual’s consent to the use or
disclosure; and
(c) the use or disclosure is conducted in accordance with any guidelines approved by the
Privacy Commissioner; and
(d) in the case of disclosure, we reasonably believe that the recipient of the health
information will not disclose the health information, or personal information derived
from that health information.
Use and disclosure for research
Where MCRI collects health information, otherwise than directly from the individual
with their consent, for research then MCRI must take reasonable steps to de-identify
the information if it is practical to do so.
The Guidelines indicate that removing an individual’s name may of itself not be
sufficient, but that a review of the adverse consequences of the disclosure
(including, any risk of embarrassment, humiliation or loss of dignity) must be taken
into account together with the practicality of de-identifying the information.
Modes of de-identifying data should be discussed with the approving HREC. Some useful resources on de-identifying data and personal information can also be found in the Guidelines (starting at B.85 on page 19) and in Privacy Business Resource 4 — De-identification of Data and Information available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-4-de-identification-of-data-and-information. As a general rule of thumb, whether a person is ‘reasonably identifiable’ is an objective test that has practical regard to the context in which the issue arises. Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances.
30517976v3 page 16
5.3 Disclosure to related body corporates
MCRI is permitted to share and transfer personal information (other than sensitive
information) with its related body corporates.
MCRI’s related body corporates include:
(a) VCGS.
MCRI’s related body corporates are required to comply with the Privacy Act in relation to the
shared personal information. Further, MCRI is required to comply with the Privacy Act in
respect of personal information it receives from its related body corporates.
5.4 Cross-border disclosures
(a) General overview
In addition to general obligations relating to disclosure, MCRI may only transfer
personal information overseas where it has taken steps, reasonable in the
circumstances, to ensure the overseas recipient does not breach the Privacy Act or
the Health Records Act or it has satisfied one of the following exceptions:
(1) MCRI reasonably believes that the recipient is bound by a law or binding
scheme which protects privacy in a manner which is substantially equivalent
to the protection under the Privacy Act and the Health Records Act; or
(2) the individual has been specifically informed in the manner required by the
Privacy Act (including that APP8.1 will not apply) and consents to the transfer
and disclosure; or
(3) the transfer is required by Australian law or authorised by court/tribunal order
(a transfer required or authorised by overseas jurisdiction is not exempted); or
(4) other permitted general situations apply (including circumstances such as
involving threats to life, health or safety of an individual, public health,
unlawful activities or missing persons).
MCRI is required to ensure that it has taken reasonable steps to ensure the individual
from which it has collected personal information is aware of any overseas disclosure
at, or as soon as practicable after, the collection.
Generally, MCRI will notify individuals by obtaining their consent to cross-border
disclosures as part of the MCRI Privacy Policy. The MCRI General Privacy Policy (at
section 13) currently details countries to which recipients of any cross-border
disclosures are likely to be located.
All MCRI Personnel are required to:
(1) review the MCRI General Privacy Policy when dealing with overseas entities
and ensure that the country in which the entity resides or carries out its
business is detailed at section 13 of the MCRI General Privacy Policy; and
(2) promptly notify the MCRI General Compliance Officer:
30517976v3 page 17
(A) if MCRI are dealing with an overseas entity which resides, or carries
out business, in a country not listed in MCRI’s General Privacy Policy;
or
(B) if you are unsure as to whether an individual has been properly
notified about the cross-border disclosure.
Disclosure to cloud service providers
The Australian Information Commissioner has released Guidelines to the APPs
dated March 2015 (Guidelines). The Guidelines indicate that where the cloud
service provider is storing and managing the personal information, is contractually
restricted from using or disclosing the personal information (otherwise than providing
the information back to MCRI) and is obligated to require the same of any sub-
contractors, that will constitute a ‘use’ rather than a ‘disclosure’ under the Privacy
Act.
Take note that, even if disclosure to a cloud service provider is not deemed to be a
disclosure to an overseas entity for the purpose of the Privacy Act, all other privacy
principles relating to use of the personal information will still apply.
(b) Liability for overseas recipient
Under the APPs, if MCRI transfers and discloses personal information overseas,
MCRI must take reasonable steps to ensure that the recipient does not breach the
APPs and MCRI will be deemed to be liable for any breach by the recipient of the
APPs, unless:
(1) any of the exceptions specified in section 5.4(a) of this Privacy Compliance
Manual apply; or
(2) the overseas recipient has an Australian link.
A person or an organisation has an Australian link:
(1) if the person has Australian citizenship or permanent residence;
(2) if the organisation is formed, created, or incorporated in Australia; or
(3) if the organisation was not formed, created or incorporated in Australia, it
carries on business in Australia and the relevant personal information was
collected or at any time held in Australia.
This requirement will be of particular significance for MCRI’s dealing with information
technology service providers (including, in particular, software-as-a-service or cloud
computing providers) who may host relevant data overseas.
(c) Compliance with foreign laws
30517976v3 page 18
MCRI will not be in held in breach of the Privacy Act or the Health Records Act if its
overseas recipients are required to disclose personal information in accordance with a
foreign law or court/tribunal order.
5.5 Use for direct marketing
(a) General overview
Personal information may only be used for direct marketing activities in circumstances
allowed under the APPs as detailed in this section 5.5 of the Privacy Compliance
Manual. Additional restrictions apply to the use of sensitive information for direct
marketing activities. Direct marketing activities may include promoting additional
goods and services to individuals who have provided their personal information to
MCRI.
(b) Use of personal information (other than sensitive information) for direct
marketing - prior to 12 March 2014
If the personal information of an individual was collected by MCRI for the primary
purpose of direct marketing, no further consent to use the personal information is
required.
Personal information collected by MCRI for a primary purpose other than direct
marketing can only be used for the secondary purpose of direct marketing if the
individual has consented to the use of their personal information for that purpose or,
otherwise, where:
(1) it is impracticable for MCRI to seek the individual’s consent before that
particular use; and
(2) MCRI does not charge an individual for giving effect to a request by the
individual not to receive direct marketing communications; and
(3) the individual has not made a request to the organisation not to receive direct
marketing communications; and
(4) in each direct marketing communication with the individual, the organisation
draws to the individual’s attention or prominently displays a notice that he or
she may express a wish not to receive any further direct marketing
communications; and
(5) each written direct marketing communication must set out MCRI’s business
address and telephone number, or if in the form of an electronic
communication, an email address at which MCRI can be contacted
electronically.
(c) Use of personal information (other than sensitive information) for direct
marketing - post 12 March 2014
Under the APPs, whether personal information (other than sensitive information) may
be used for direct marketing activities will depend upon MCRI satisfying one of the
below situations:
30517976v3 page 19
(1) MCRI has collected the personal information from the individual (who would
reasonably have expected the use or disclosure for direct marketing), MCRI
may use or disclose personal information for direct marketing if, and only if, all
of the following conditions also apply:
(A) MCRI’s has provided a simple means by which the individual may
easily opt-out of receiving future marketing correspondence; and
(B) the individual has not elected to opt-out; or
(2) MCRI has collected the personal information from the individual (who would
not reasonably have expected the use or disclosure for direct marketing),
MCRI may use or disclose personal information for direct marketing if, and
only if, all of the following conditions also apply:
(A) either consent has been obtained from the individual to use the
personal information for direct marketing or it was impracticable to
obtain that consent; and
(B) MCRI’s has provided a simple means by which the individual may
easily opt-out of receiving future marketing correspondence and in
each correspondence has drawn the individual’s attention to the opt-
out process (such statement should be prominent); and
(C) the individual has not elected to opt-out.
(3) MCRI has collected the personal information from a third party, MCRI may
use or disclose personal information for direct marketing if, and only if, all of
the following conditions also apply:
(A) either consent has been obtained from the individual to use the
personal information for direct marketing or it was impracticable to
obtain that consent; and
(B) MCRI’s has provided a simple means by which the individual may
easily opt-out of receiving future marketing correspondence and in
each correspondence has drawn the individual’s attention to the opt-
out process (such statement should be prominent); and
(C) the individual has not elected to opt-out.
(d) Use of sensitive information for direct marketing
MCRI may only use or disclose sensitive information for the purpose of direct
marketing the individual has consented to the use or disclosure of the information.
(e) Use of personal information provided under a Commonwealth contract for
direct marketing
Under the APPs, MCRI is permitted to use or disclose personal information for direct
marketing activities if:
(1) MCRI is subject to a contract with a Commonwealth government agency; and
30517976v3 page 20
(2) MCRI has collected the personal information in the performance of its
obligations (whether directly or indirectly) under that contract; and
(3) the use or disclosure is necessary to meet (whether directly or indirectly)
MCRI’s obligations under the contract.
(f) Opt-out from direct marketing
An individual may, at any time, elect to opt-out from:
(1) receiving direct marketing correspondence from MCRI (or any party engaged
by MCRI that carries out its direct marketing activities);
(2) receiving direct marketing correspondence from any third party to which
MCRI has disclosed their personal information to; or
(3) MCRI otherwise using its personal information for direct marketing activities.
If an individual elects to opt-out from direct marketing, MCRI must give effect to the
request promptly.
(g) Disclosure of source
Under the APPs, if MCRI has received personal information from a third party and
uses it for direct marketing activities, MCRI must, at an individual’s request, disclose
the source of that information. Any such request should be transferred or otherwise
directed to the MCRI General Compliance Officer.
In order for MCRI to comply with its obligations under the Privacy Act, the source of
any information from third parties used for direct marketing activities should be
recorded and such records maintained whilst the information is used (and for a
reasonable period thereafter to deal with any requests).
The MCRI General Compliance Officer must attend to all requests promptly and notify
the individual of the source within a reasonable period of time unless it is
impracticable or unreasonable to do so (in which case, legal advice should be
obtained).
(h) Interaction with other legislation
Under the APPs, the obligations relating to direct marketing in APP 7 will not apply to
the extent that any of the following legislation applies:
(1) the Do Not Call Register Act 2006 (Cth);
(2) the Spam Act 2003 (Cth); and
(3) any other Act of the Commonwealth, or a Norfolk Island enactment,
prescribed under the regulations to the Privacy Act.
30517976v3 page 21
5.6 Adoption, use or disclosure of government related identifiers
(a) General overview
A government related identifier is a specific reference attributed or assigned by a
government agency to identify an individual. It will usually be a number or a series of
numbers, letters or symbols, such as a driver’s licence number or Medicare number.
MCRI must not adopt a government related identifier as its own identifier to identify an
individual unless it is required or authorised by, or under, an Australian law (including
the Privacy Act and Health Records Act) or a court/tribunal order. ABNs are explicitly
excluded from this obligation and may be so used.
The Privacy Act and Health Records Act permit the use and disclosure of government
related identifiers in any of the following circumstances:
(1) the use or disclosure is reasonably necessary for MCRI to fulfil obligations to
any governmental, semi-governmental, administrative, fiscal, statutory,
judicial or quasi-judicial body, department, commission, authority, tribunal,
agency or entity;
(2) the use or disclosure is authorised by or under an Australian law (including
the Privacy Act) or a court/tribunal order and a written record is kept of such
use and disclosure by the MCRI General Compliance Officer;
(3) the use or disclosure is, believed by us to be, necessary to lessen or prevent
a serious threat to the life, health or safety of any individual, or to public
health or safety and it is unreasonable or impracticable to obtain the
individual’s consent to the use or disclosure;
(4) the use or disclosure is, believed by us to be, necessary and the appropriate
action to take in response to an actual or suspected unlawful activity or
misconduct of a serious nature (provided that the disclosure would not be a
breach of confidence if disclosed by a health service provider);
(5) the use or disclosure is reasonably necessary to establish or defend a legal or
equitable claim, or for a confidential alternative dispute resolution process;
(6) the use or disclosure is reasonably necessary for enforcement related
activities of an enforcement body such as:
(A) prevention, detection, investigation and prosecution of crimes;
(B) conducting surveillance activities, intelligence gathering activities or
monitoring activities; or
(C) the preparation for, or conduct of, proceedings before any court or
tribunal, or the implementation of court/tribunal orders,
provided that the disclosure would not be a breach of confidence if disclosed
by a health service provider and a written record is kept of such use and
disclosure by the MCRI General Compliance Officer; or
30517976v3 page 22
(7) the use or disclosure is reasonably necessary for MCRI to verify the identity
of the individual for its activities or functions.
(b) Verification of identity
MCRI may require copies of identification documents (such as a driver’s licence or
passport) to check or verify an individual’s identity.
However, the identification documents collected by MCRI must only be used for the
purpose of verification and copies of the document (or a record of the driver’s licence
number or passport number) should not be retained by MCRI.
(c) Tax file numbers
Tax file numbers may only be requested, collected, used or disclosed by MCRI from
its employees or other third parties in accordance with the requirements under
taxation law, personal assistance law or superannuation law. Tax file numbers should
not generally be requested, collected, used or disclosed otherwise.
5.7 Adoption, use or disclosure of identifiers
(a) General overview
The HPPs require MCRI to only assign identifiers to an individual as is reasonably
necessary to enable it to carry out any of its functions efficiently. An identifier (as
opposed to a government related identifier) is a specific reference that is assigned (or
otherwise adopted, used or disclosed) to an individual in conjunction with or in relation
to the individual's health information for the purpose of uniquely identifying that
individual. This requirement applies even if the identifier is only assigned once, and is
not subsequently used with or in relation to individual's health information again.
30517976v3 page 23
6. Integrity, quality and security of personal and health information
6.1 Quality of personal information and health information
MCRI must take reasonable steps to ensure that any personal information it collects, uses, or
discloses is accurate, complete and up-to-date. The accuracy, completeness and currency of
the information should be established at the time of collection, and reviewed when the
information is used or re-used, and when it is disclosed to another organisation. In relation to
health information, MCRI must periodically review this information to ensure it is accurate,
complete and up-to-date.
MCRI Personnel are not required to monitor dormant personal information. However, if
personal information has been collected and is no longer required, MCRI Personnel should
review section 6.2 of this Privacy Compliance Manual in respect to the storage and retention
of personal information.
In the event that information held by MCRI appears to be inaccurate, out of date, incomplete,
irrelevant or misleading, the issue should be referred to the MCRI General Compliance Officer
for investigation.
6.2 Storage and retention of personal information and health information
Personal information that is no longer required should be destroyed in accordance with
MCRI’s record retention policy. Any destruction of personal information (whether in hardcopy
or electronic form) must be undertaken in a secure manner. Hardcopies of personal
information should be either shredded or disposed of through a confidential waste disposal
service.
However, any health information held by a health service provider (such as VCGS) should not
be destroyed unless:
(a) the deletion is permitted, authorised or required by the regulations or any other law; or
(b) the deletion is not contrary to the regulations or any other law and occurs:
(1) if the health information was collected from an individual who was a child,
when the individual attains 25 years of age; or
(2) in any other case, more than 7 years after the date on which last health
service was provided to an individual,
whichever is later, provided that there is a written record of such deletion.
Legal advice should be obtained in the event that MCRI intends to delete health information
held by a health service provider.
6.3 Security of personal information
MCRI must take reasonable steps to protect personal information from:
(a) misuse, interference and loss; and
30517976v3 page 24
(b) unauthorised access, modification and disclosure;
What constitutes reasonable steps will depend upon the sensitivity of the personal information
being stored (including the potential detriment to the individual resulting from improper access
or use), the time and costs of implementing security systems relative to these risks, the
resources of MCRI and whether the security measure is in itself privacy invasive (for example,
an individual may be asked to supply more information than is necessary to identify
themselves). Higher levels of security may be required for sensitive information. If you have
any questions in relation to security responsibilities, please contact the MCRI General
Compliance Officer.
MCRI Personnel should ensure that personal information (including sensitive information and
health information) is kept in a secure location either in their office or saved electronically to
MCRI’s network. MCRI Personnel should access records of personal information only if they
have a legitimate need to access those records. MCRI Personnel must use their own
individual logons with passwords to access any records on the MCRI’s network. MCRI
Personnel who do not comply with these requirements shall face disciplinary action.
Data containing personal information should not be downloaded from the MCRI’s network to
portable devices unless required as part of a business process expressly approved by
management of MCRI (such as off-site data backup or archival purposes). Any data
containing personal information which is downloaded to a portable device should be
appropriately secured physically and the data should be encrypted. MCRI Personnel should
review section 6.2 of this Privacy Compliance Manual in respect to obligations relating to
storage and retention.
Legal advice should be obtained in the event that there is an inadvertent disclosure of
personal information to a third party or an authorised access by a third party to personal
information. Further, a request for access to personal information by a party external to MCRI
must be managed in accordance with section 7 of this Privacy Compliance Manual.
6.4 Privacy Audits
Privacy audits may be carried out by the MCRI General Compliance Officer, by completing
the Audit Report Form in Schedule 1. MCRI Personnel may also use the Audit Report Form
to check that they have considered all privacy obligations for a certain project. Privacy audits
should address the following at least:
(a) personal data and information collected, stored and distributed;
(b) primary / secondary information used and distributed;
(c) reasons of secondary collection of information;
(d) access and Security of information;
(e) sharing of information with anyone; and
(f) whether that information is current and necessary.
Any follow up action should be managed by the MCRI General Compliance Officer.
30517976v3 page 25
7. Managing enquires, requests, complaints and incidents
7.1 General Overview
(a) All requests for a copy of the MCRI Privacy Policy should be managed in accordance
with section 7.2 of this Privacy Compliance Manual.
(b) All requests:
(1) for access to personal information – should be managed in accordance with
section 7.3 of this Privacy Compliance Manual; and
(2) for correction of personal information – should be managed in accordance
with section 7.4 of this Privacy Compliance Manual.
(c) All request to destroy, delete, or remove (in whole or in part) any personal information
should be managed in accordance with section 7.6 of this Privacy Compliance
Manual.
(d) Any formal complaints or perceived breaches of privacy obligations should be
managed in accordance with section 7.6 of this Privacy Compliance Manual.
(e) Any notices from the Privacy Commissioner or any subpoenas or legal warrants
should be immediately referred to the MCRI General Compliance Officer or, if he or
she is not available, the Chief Operating Officer/Company Secretary and managed in
accordance with section 7.6 and 8 of this Privacy Compliance Manual (as applicable).
(f) Any other requests or issues concerning personal information should be referred to
the MCRI General Compliance Officer or, if he or she is not available, the Chief
Operating Officer/Company Secretary.
All enquires, request, complaints and incidents should be managed promptly and all
complaints and incidents must be taken seriously.
7.2 Dealing with requests for a copy of the MCRI Privacy Policy
If a copy of the MCRI Privacy Policy is requested by an individual, the individual must be
directed to the MCRI Privacy Policy freely available on our website. If the individual does not
have internet access, a hard copy of the MCRI Privacy Policy may be obtained from the MCRI
General Compliance Officer and made available to the individual. The MCRI Privacy Policy
must always be provided free of charge.
7.3 Dealing with requests for access to personal information
If the request is made in writing, the MCRI Personnel receiving a request for access to
personal information should refer the request directly to the MCRI General Compliance
Officer. If a request is made by telephone, the MCRI Personnel taking the call should:
(a) request that the individual provide written verification of their identity in accordance
with section 7.8 of this Privacy Compliance Manual to the MCRI General Compliance
Officer;
30517976v3 page 26
(b) take full details from the individual of their request;
(c) take the individual’s contact details;
(d) confirm with the individual that the MCRI General Compliance Officer will contact the
individual in respect of their request; and
(e) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI
Personnel, any contact details provided by the individual and the date that the request
was made.
The MCRI General Compliance Officer shall act on a standard request for access to personal
information as follows:
(a) the MCRI General Compliance Officer should provide written acknowledgement to the
individual of the request and confirm any applicable fees (if any) as soon as possible;
(b) the MCRI General Compliance Officer should provide an individual with access to
their own personal information within 14 days of the request for a straight forward
matter or within 30 days of the request for a more complicated matter, subject to the
following:
(1) the verification of the individual’s identity against information held by MCRI
(see section 7.8 of this Privacy Compliance Manual);
(2) where it is unlawful to provide the personal information;
(3) denying access is required or authorised by law or a court/tribunal order;
(4) where disclosure could pose a serious and imminent threat to the life or
health of that or any individual;
(5) where disclosure would have an unreasonable impact upon the privacy of
other individuals;
(6) where disclosure would reveal the intentions of MCRI so as to prejudice any
negotiations with the individual;
(7) where disclosure would disclose evaluative information generated in
connection with a commercially sensitive decision-making process;
(8) where disclosure would prejudice an investigation or taking action against
fraud, serious misconduct or other unlawful activity;
(9) where disclosure would prejudice prevention, detection, investigation,
prosecution and enforcement activities of, or legal proceedings by, an
enforcement body;
(10) where an enforcement body performing a lawful security function requests
denying access on the basis of national security; or
(11) where the request is frivolous or vexatious.
30517976v3 page 27
The MCRI General Compliance Officer should not provide access to personal
information where it relates to existing or anticipated legal proceedings, without first
obtaining legal advice as to whether such information would be discoverable in such
proceedings.
Access charges
MCRI may charge an individual a fee for granting access to the individual’s personal
information for:
(a) MCRI Personnel costs involved with collating information;
(b) reproduction costs; and
(c) costs involved in having MCRI Personnel explain the personal information to an
individual,
provided that such fees are not excessive, and, in the case if health information, are not
more than the fees prescribed in the Health Records Act and are clearly explained before
access is given. Further, any such fee must not relate to the lodgement of the request for
access by the individual (including any explanation of how access is given), costs involved
with MCRI Personnel checking whether or not MCRI holds any personal information of the
individual, any legal costs associated with reviewing a request or the correction of personal
information.
The MCRI General Compliance Officer may propose a reasonable fee having regard to:
(a) how the personal information is stored (electronic, paper based);
(b) where the personal information is stored (onsite, offsite)
(c) number of records required to be reproduced;
(d) costs incurred by MCRI for providing access;
(e) whether costs incurred by MCRI for providing access are reasonable given the
task required to be performed;
(f) capacity of the individual to pay (pensioner, student); and
(g) form in which the individual requests access.
Legal advice should be obtained to ensure that any proposed fee complies with the above
requirements.
Any fee for access to personal information shall be advised by the MCRI Compliance
Officer. The MCRI General Compliance Officer may at its sole election waive any approved
fee.
Please take note that, where electronic or hardcopy records are provided to an individual, only
copies of documents should be provided, unless official records are required by law or
court/tribunal order. If the provision of official records is required, release of such records
30517976v3 page 28
must be authorised by the MCRI General Compliance Officer, with a copy of all such
documents to be retained by MCRI.
If access to personal information is refused, the MCRI General Compliance Officer must notify
the individual, promptly, detailing:
(a) the reasons for the refusal (including any relevant obligation under the Privacy Act);
(b) the process for the individual to make a formal complaint with MCRI or to the Privacy
Commissioner about the refusal; and
(c) any other matter prescribed by the regulations.
Legal advice should be obtained in relation to any refusal to provide access to personal
information.
7.4 Dealing with request to make health information available to another health service
provider
Under the HPPs, a health service provider (such as VCGS) is required to provide a copy or a
written summary of an individual’s health information to another health service provider as
soon as practicable, if
(a) the individual requests VCGS to make available their health information to that health
service provider; or
(b) the individual has authorised the other health service provider to make a request for
such information on their behalf.
If these circumstances are satisfied, MCRI Personnel must follow the same principles outlined
at section 7.3 above for dealing with requests for access from individuals.
Example 1
Facts: A general practitioner contacts VCGS seeking the medical and diagnostic records of
a mutual patient. The general practitioner provides the patient’s written consent for VCGS to
provide the records to the general practitioner.
Question: Can and should VCGS provide the general practitioner with this information?
Answer: Yes, VCGS is required to provide the information as soon as practicable, as the
individual has given their consent. If VCGS intends to charge a fee to the general practitioner
or the individual, it should consult with the MCRI General Compliance Officer and obtain
legal advice before doing so, to ensure the fee complies with the Health Records Act and
Privacy Act.
7.5 Correction of personal information
If a request to correct personal information is made in writing, the MCRI Personnel receiving
the request should refer the request directly to the MCRI General Compliance Officer. If a
request is made by telephone, the MCRI Personnel taking the call should:
30517976v3 page 29
(a) request that the individual provide written verification of their identity in accordance
with section 7.8 of this Privacy Compliance Manual to the MCRI General Compliance
Officer;
(b) take full details from the individual of their request;
(c) take the individual’s contact details;
(d) confirm with the individual that the MCRI General Compliance Officer will contact the
individual in respect of their request; and
(e) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI
Personnel, any contact details provided by the individual and the date that the request
was made.
Upon receipt of a request to correct personal information, the MCRI General Compliance
Officer should promptly:
(a) provide written acknowledgement to the individual of the request;
(b) verify the individual’s identity against information held by MCRI (see section 7.8 of this
Privacy Compliance Manual);
(c) process any request for correction of the individual’s personal information within a
reasonable period;
(d) if the personal information has been disclosed to third parties, notify the individual that
it will take reasonable steps to update its details with any related party; and
(e) take all other such steps (if any) as are reasonable in the circumstances to correct as
reasonably required, having regard to the purpose for which it is held.
Legal advice should be obtained in relation to any refusal to correct personal information.
If a MCRI Personnel otherwise becomes aware that any personal information held is
inaccurate, out-of-date, incomplete, irrelevant or misleading, the MCRI Personnel must notify
the MCRI General Compliance Officer and the MCRI General Compliance Officer should take
reasonable steps to correct any such personal information, having regard to the purpose for
which the information is held.
If MCRI corrects personal information about an individual and MCRI has disclosed such
information to a third party, MCRI must, at the individual’s request, take such steps (if any) as
are reasonable in the circumstances to notify the third party of the change unless it is
impracticable or unlawful to do so.
MCRI must not charge for the correction of any personal information.
7.6 Dealing with requests to destroy, delete or remove personal information and other
complaints generally
Please take note that any notices from the Privacy Commissioner or any subpoenas or legal
warrants should be immediately referred to the MCRI General Compliance Officer or, if he or
30517976v3 page 30
she is not available, the Chief Operating Officer/Company Secretary and dealt with in
accordance with section 8 of the Privacy Compliance Manual.
If a request to destroy, delete or remove personal information or a complaint is made in
writing by an individual, the MCRI Personnel receiving the request should refer the request
directly to the MCRI General Compliance Officer. If a request is made by telephone, the MCRI
Personnel taking the call should:
(a) request that the individual provide written verification of their identity in accordance
with section 7.8 of this Privacy Compliance Manual to the MCRI General Compliance
Officer;
(b) take full details from the individual of their request;
(c) take the individual’s contact details;
(d) confirm with the individual that the MCRI General Compliance Officer will contact the
individual in respect of their request;
(e) complete items 1, 2, 3, 4 and 5 (to the extent possible) of the Privacy
Complaint/Incident Form in Schedule 2 and send the completed copy to the MCRI
General Compliance Officer; and
(f) promptly notify the MCRI General Compliance Officer of all actions taken by the MCRI
Personnel, any contact details provided by the individual and the date that the request
was made.
Upon receipt of a request to destroy, delete or remove personal information or a complaint,
the MCRI General Compliance Officer should promptly:
(a) consider the request or complaint;
(b) complete the Privacy Complaint/Incident Form in Schedule 2 detailing all relevant
actions to be taken by MCRI in response to the request / complaint as soon as
possible;
(c) obtain legal advice as to any action to be taken;
(d) make a recommendation to the Chief Operating Officer/Company Secretary of any
actions recommended by the MCRI General Compliance Officer to be taken including:
(1) a written response to the complainant (including, to request further
information or to refuse any request to remove or delete personal
information);
(2) an apology to the complainant;
(3) deleting / destroying personal information of the complainant;
(4) an offer of compensation to the complainant;
(5) reviewing of MCRI policies, practices or systems; or
30517976v3 page 31
(6) training (or further training) for MCRI Personnel;
(e) obtain approval from the Chief Operating Officer/Company Secretary before taking
any recommended action; and
(f) notify the complainant of MCRI’s response to the complaint (including any actions
taken by MCRI in response to the complaint).
7.7 Anonymity
We must give individuals the option of not identifying themselves, or of using a pseudonym,
when dealing with us, unless it is unlawful or impracticable to deal with the individual who has
not identified themselves or who has used a pseudonym. An individual would be able to
remain anonymous or use a pseudonym:
(a) for one-off enquires to the MCRI, which do not require MCRI to access personal
information;
(b) where a person requests information to be provided and that information can be
provided without accessing personal information (for example, a request for a copy of
the MCRI Privacy Policy); or
(c) where general market surveys are conducted.
7.8 Verification of identity
In order to verify the identity of an individual, the MCRI Personnel can ask the individual for
any of the following information:
(a) full name;
(b) date of birth;
(c) e-mail address;
(d) current address; and
(e) current phone number.
However, MCRI Personnel should not require an individual to supply more information than is
necessary to identify themselves.
The information provided by the individual should be compared against information held by
MCRI. For telephone enquiries, where possible, a question about some other information held
by MCRI about the individual should also be used to confirm the identity of the individual.
If the identity of the person cannot be confirmed, a copy of identification documents (such as
a copy of a driver’s licence) may need to be requested and the matter should be referred to
the MCRI General Compliance Officer.
30517976v3 page 32
7.9 Privileged documents or confidential documents
Generally, communications between MCRI and its legal advisers for the dominant purpose of
obtaining legal advice and/or preparation for or use in pending or contemplated litigation are
subject to legal professional privilege. No access to such communications should be given to
any third party (including any individual to whom those communications relate) unless the
Chief Operating Officer/Company Secretary has given prior written approval of the disclosure
and legal advice from MCRI’s lawyers has been obtained.
30517976v3 page 33
8. Investigations and enforcement of privacy compliance obligations
8.1 The role of the Privacy Commissioner
The main function and role of the Australian Privacy Commissioner (Privacy Commissioner)
is to ensure the proper handling of personal information in accordance with the Privacy Act.
This role includes day-to-day administration of privacy enquiries and complaints and
investigation of potential contraventions of the Privacy Act. The Privacy Commissioner may
also take civil enforcement action against a party in contravention of the Privacy Act.
The Privacy Commissioner has wide powers of investigation to obtain information, documents
and other evidence where it believes an act or conduct may constitute a contravention of the
Privacy Act and in particular the APPs (and, for conduct prior to March 2014, the NPPs).
Investigations by the Privacy Commissioner may arise as a result of a complaint by an
individual or at the Privacy Commissioner’s own initiative. The Privacy Commissioner’s
powers also include the ability to interview witnesses.
The Privacy Commissioner also has responsibility for providing guidance through education
papers, publications of guidelines on the rights and responsibilities under the Privacy Act to
assist organisations to comply with their obligations.
8.2 Powers of the Privacy Commissioner
The Privacy Commissioner has the power to:
(a) require the production of information and documents;
(b) require any MCRI Personnel to attend in person before the Privacy Commissioner for
the purpose of an investigation and be examined under oath or affirmation; and
(c) authorise an officer of the Privacy Commissioner (Authorised Representative) to
enter MCRI premises to inspect documents and make copies of them or to take
extracts.
8.3 Investigations by the Privacy Commissioner
(a) General overview
Where an individual is concerned that any act or practice of an organisation may be
an interference with the privacy of that individual, he or she may choose to make a
complaint to the Privacy Commissioner. The Privacy Commissioner will not generally
investigate complaints where the individual has not, in the first instance, made a
complainant directly to the organisation and allowed the organisation at least 30 days
within which to respond. The Privacy Commission make directly investigate a
complaint where it is considered inappropriate for the individual to make a complaint
directly to the organisation.
The Privacy Commissioner may decide not to investigate, or to defer investigation of,
a complaint where:
(1) an act or practice is not an interference with the privacy of an in individual;
30517976v3 page 34
(2) the complaint was made more than 12 months after the individual became
aware of the act or practice;
(3) the complaint is frivolous, vexatious, misconceived or lacking in substance;
(4) the subject matter has been, or is being, dealt with adequately under other
laws;
(5) other laws provide a more appropriate remedy for the act or practice
complained of; or
(6) the individual has complained directly to the organisation and the organisation
has dealt, or is dealing, adequately with the complaint or the organisation has
not yet had an adequate opportunity to deal with the complaint.
Where the Privacy Commissioner decides not to investigate, or not to investigate
further, the Privacy Commissioner must as soon as reasonably practicable inform the
complainant and MCRI of this decision and the reasons for this decision.
The Privacy Commission may also make investigations without a formal complaint.
(b) Process of investigation
The Privacy Commissioner may make preliminary enquiries with MCRI or otherwise,
to determine whether the Privacy Commissioner has the power to investigate the
complaint or whether the Privacy Commissioner will, in his/her discretion, investigate
the matter.
If the Privacy Commissioner elects to commence an investigation, it will formally notify
MCRI of the investigation. The notification will include:
(1) the matter being investigated;
(2) a copy of any complaint;
(3) the relevant provisions of the Privacy Act; and
(4) the date MCRI’s response is due.
Notices will usually be addressed to the company rather than individual MCRI
Personnel. If MCRI receives a notice from the Privacy Commissioner, the MCRI
General Compliance Officer or, if he or she is not available, Chief Operating
Officer/Company Secretary should be immediately informed. The CEO of MCRI
should also be notified.
MCRI will usually have a limited period from receipt of notification to respond to the
Privacy Commissioner. MCRI will generally prepare a response in consultation with its
lawyers.
The Privacy Commissioner may make a determination on the information obtained
through its investigation and any complainant. If the determination is unfavourable, a
review of the determination may be sought within strict timeframes. As such, any
30517976v3 page 35
determination by MCRI to the Privacy Commissioner should be carefully considered
with MCRI’s lawyers.
8.4 Dealing with notices from the Privacy Commissioner, subpoenas or legal warrants
(a) General overview
Notice will usually be addressed to the company rather than individual MCRI
Personnel. Any notices from the Privacy Commissioner or any subpoenas or legal
warrants should be should be immediately referred to the MCRI General Compliance
Officer or, if he or she is not available, the Chief Operating Officer/Company
Secretary.
The MCRI General Compliance Officer must, upon receipt of any notice from the
Privacy Commissioner, subpoena or legal warrant for production of documents:
(1) notify and obtain legal advice from MCRI’s lawyers;
(2) investigate all relevant documentation required to be produced pursuant to
the notice/subpoena/warrant;
(3) provide a copy of such documents to the Chief Operating Officer/Company
Secretary and to MCRI’s lawyers for their review;
(4) together with the the Chief Operating Officer/Company Secretary and to
MCRI’s lawyers, identify any privileged or confidential documents; and
(5) monitor, strictly, timeframes required for compliance.
Neither the MCRI General Compliance Officer nor any MCRI Personnel should
respond to any notice or hand over any documents or other records, without the prior
written approval of the MCRI’s lawyers.
Generally, communications between MCRI and its legal advisers for the dominant
purpose of obtaining legal advice and/or preparation for or use in pending or
contemplated litigation are subject to legal professional privilege. No access to such
communications should be given to any third party (including in response to any
subpoena or legal warrant) unless with the prior written approval of MCRI’s lawyers.
(b) Access to premises
All MCRI Personnel should immediately inform the MCRI General Compliance Officer
or, if he or she is not available, the Chief Operating Officer/Company Secretary, if any
representative of the Privacy Commissioner, the OIAC or any other regulator seeks to
enter MCRI premises. The CEO of MCRI should also be informed. The MCRI General
Compliance Officer or, if he or she is not available, the senior executive of MCRI
notified of the Authorised Representative's arrival, will have responsibility for all
dealings and discussions with the Authorised Representative.
MCRI Personnel must make reasonable access to facilities and documents available
to the Authorised Representative relevant to the complaint. MCRI should not, without
seeking legal advice, provide personal information about any other individual to the
Authorised Representative.
30517976v3 page 36
Please note that you will not be unduly obstructing or hindering of an Authorised
Representative if you advise him or her that you are unsure as to your obligations and
need to take advice. Accordingly, MCRI Personnel may speak with the MCRI General
Compliance Officer or MCRI’s lawyers to seek advice as to what to do in the
circumstances.
(c) Procedure for dealing with an Authorised Representative
MCRI Personnel should comply with any directions given by the MCRI General
Compliance Officer or MCRI senior executive responsible for dealings with the
Authorised Representative and extend the Authorised Representative the courtesy of
a working area in which to view documents and make copies or extracts as required.
Personal notes, internal memoranda, papers, files, board minutes, diaries and all
other relevant material may be requested by an Authorised Representative.
MCRI Personnel may be asked to provide access to office drawers, cabinets or safes.
Unless otherwise directed by the MCRI General Compliance Officer, that access
should be given.
If you are the MCRI General Compliance Officer or MCRI senior executive dealing
with the Authorised Representative, you should:
(1) arrange that the Authorised Representative's authority is photocopied and
retained;
(2) instruct other MCRI Personnel not to deal with the Authorised Representative
unless instructed to do so by you;
(3) take a note of every document and file shown to the Authorised
Representative;
(4) make a full written record of everything that is said both by you and the
Authorised Representative. You may request another person to be present to
make that record if necessary; and
(5) accept a written request from the Authorised Representative for specific
documents which have not been located in the course of the visit.
MCRI Personnel are not required to give verbal explanations during the course of a
visit by an Authorised Representative and should not:
(1) volunteer information or comment unnecessarily; or
(2) sign any statement or record prepared by the Authorised Representative
without first obtaining legal advice.
However, please take note that MCRI Personnel may be required by the Privacy
Commissioner to appear and provide a statement at a later date.
30517976v3 page 37
(d) Keeping records
The MCRI General Compliance Officer should maintain records of all dealings with
the Privacy Commissioner or any Authorised Representative in an accessible format
including:
(1) any request received by the Privacy Commissioner or an Authorised
Representative;
(2) any response (including documentation) provided by MCRI to the Privacy
Commissioner or an Authorised Representative; and
(3) a detailed record of any visit of any Authorised Representative. If the MCRI
General Compliance Officer is not in attendance at the time the Authorised
Representative attended MCRI’s premises, the senior MCRI Personnel
dealing with the Authorised Representative should prepare a detailed record
and promptly provide the report to the MCRI General Compliance Officer.
8.5 Voluntary conciliation
The Privacy Commissioner has the discretion to attempt to effect a settlement of the matters
that gave rise to the investigation by way of conciliation if the Privacy Commissioner considers
it appropriate to do so.
Conciliations are formal, structured discussions between the parties before a conciliator of the
Office of Australian Information Commission (OAIC), who acts as an independent third party
to help identify and discuss issues. Conciliations can occur at any stage of an investigation
and can remain confidential. While the Privacy Commissioner may encourage the parties to
undertake conciliation, each party has a choice whether to participate in conciliation. Further,
the conciliator cannot compel the parties to reach agreement. Legal advice should be
obtained if MCRI is considering conciliation.
If the parties elect to attend conciliation and cannot agree a resolution, the matter will be
referred back to the Privacy Commissioner for review and determination.
8.6 Compulsory conferences
The Privacy Commissioner has the power to direct MCRI, the complainant or any other
person whom the Privacy Commissioner believes could be of assistance to the investigation,
to attend a compulsory conference before the Privacy Commissioner. If MCRI is required to
attend a compulsory conference, an appropriate officer of MCRI with reasonable knowledge
of the affairs of MCRI and the subject matter should be in attendance. Legal advice should be
obtained if any direction for conciliation is made.
Compulsory conferences are conducted in private or otherwise at the discretion of the Privacy
Commissioner. The Privacy Commissioner may require a person attending a conference to
produce a document at the conference.
30517976v3 page 38
8.7 Penalties for failure to cooperate with an investigation/conference
Please take note that:
(a) MCRI refusing or failing, without reasonable excuse, to attend before the Privacy
Commissioner or to be sworn or make an affirmation when so required, may result in
a fine;
(b) any MCRI Personnel refusing or failing, without reasonable excuse, to attend before
the Privacy Commissioner or to be sworn or make an affirmation when so required,
may result in a fine or imprisonment (or both);
(c) any such MCRI Personnel furnishing information or making a statement to the Privacy
Commissioner, knowingly, that it is false or misleading in a material particular, may
result in a fine or imprisonment (or both);
(d) MCRI refusing or failing, without reasonable excuse, to give information or to answer
a question or produce a document or record when so required, may result in a fine;
and
(e) MCRI Personnel can be personally fined for providing false or misleading statements
or documents.
8.8 Determinations by the Privacy Commissioner
Following investigations, the Privacy Commissioner may:
(a) make a determination dismissing the complaint; or
(b) find the complaint substantiated and, where relevant, make one or more of the
following additional declarations:
(1) the act or practice is an interference with the privacy of one or more
individuals;
(2) the act or practice must not repeat or continue;
(3) that specified steps must be taken within a specified period to ensure that the
act or practice is not repeated or continued;
(4) that any specified act or course of conduct to redress any loss or damage
suffered by the complainant (including injury to the complainant’s feelings or
humiliation felt by the complainant), as is reasonable, must be performed
such as:
(A) change to practices or procedures;
(B) written apology to the complainant; or
(C) an acknowledgement of the act or practice;
30517976v3 page 39
(5) compensation for the loss or damage suffered by the complainant and/or
reimbursement for expenses reasonably incurred in connection with making
the complaint and the investigation of the complaint, in the amount specified;
(6) that a correction, deletion or addition to a record be made; or
(7) that it would be inappropriate for any further action to be taken in the matter.
8.9 Enforcement of determinations
The complainant or the Privacy Commissioner can commence proceedings in the Federal
Court or the Federal Circuit Court of Australia for an order to enforce a determination made by
the Privacy Commissioner.
The Court will make a decision as to whether MCRI engaged in conduct that constitutes an
interference with the privacy of the complainant in contravention of the Privacy Act. The Court
may receive as evidence in the proceedings a copy of the Privacy Commissioner’s written
reasons for the determination, a copy of any document that was before the Privacy
Commissioner or a copy of any record of any appearance before the Privacy Commissioner.
If the Court is satisfied that the conduct constitutes an interference with the privacy of the
complainant in contravention of the Privacy Act, the Court may make such orders as it thinks
fit, including:
(a) a declaration of rights;
(b) fines or penalties (including a fine of up to $1,700,000 for serious and repeated
breaches);
(c) an order granting an injunction;
(d) an order for corrective advertising;
(e) an order of compensation; or
(f) an order for the payment of legal costs.
The Courts are not restricted to the determination made by the Privacy Commissioner. As
such, the decision and any the orders made by the Court may differ from those in the original
determination by the Privacy Commissioner.
8.10 Other adverse consequences
In addition to any remedies available under the Privacy Act, a contravention of the Privacy Act
can also have adverse consequences for MCRI such as adverse publicity, substantial
damage to MCRI’s reputation and goodwill, disruption to MCRI’s business, reduced morale,
increased time demands and stress on individuals involved in investigations and any
subsequent legal proceedings.
8.11 The Victorian Health Services Commissioner
The Victorian Health Services Commissioner has the power to serve a compliance notice on
MCRI to take specified action within a period of time, if he or she finds that:
30517976v3 page 40
(a) MCRI has contravened the Health Records Act; and
(b) the contravention is of a serious or flagrant nature, or there has been 5 separate
occasions of such contravention in the previous 2 years.
The failure to comply with a compliance notice is an offence punishable by a penalty of up to
$442,830 (this amount is accurate for 2014/2015 financial year).
There are also penalties under the Health Records Act where there is a failure to cooperate
with an investigation/conference of the Victorian Health Services Commissioner.
30517976v3 page 1
Schedule 1 – Audit Report Form
No Requirement Comments Result
1. a Appropriate inquiries to identify the personal
information collected and retained and
whether or not that information is of a sensitive
nature.
2. b An appropriate inquiry to identify how personal
information is collected.
3. c Appropriate inquiries to identify why personal
information is collected and what is done with
that information.
4. d Appropriate inquiries to identify where and how
personal information is stored.
5. e An appropriate inquiry to identify how personal
information is secured.
6. f Appropriate inquiries to identify who has
access to personal information.
7. g Appropriate inquiries to identify whether
personal information is disclosed and/or
disseminated and to whom it is disclosed
and/or disseminated.
8. h Appropriate inquiries to identify whether the
intended use of collecting personal information
is communicated to those supplying that
information.
9. i Appropriate inquiries to identify whether the
information collected is up-to-date and whether
it is relevant and necessary for that information
to be held.
10. k Appropriate inquiries to identify the
management of nonconformities
11. l Appropriate inquiries to identify training needs
30517976v3 page 2
have been fulfilled and recorded
LEGEND NI = Need Improvement NA = Not Applicable Ad = Adequate UN = Unacceptable NV = Not Verified
Signed by MCRI General Compliance Officer:
Signed:
Date:
30517976v3 page 3
Schedule 2 - Privacy Complaint/Incident Form
Privacy Complaint/Incident Form
1. MCRI Personnel reporting [insert name, title]
2. Date and time of
complaint/incident
[insert date and time]
3. Nature of complaint/incident Tick all relevant issues:
collection of personal information by MCRI
use personal information by MCRI
disclosure of personal information by MCRI
use by third party of personal information disclosed by MCRI
storage or retention of personal information by MCRI
security of personal information
refusal by MCRI to allow access to personal information
accuracy or relevance of personal information held by MCRI
investigation by Privacy Commissioner1
not clear
other (give details):
4. Detailed description of
complaint/incident
[insert detail conduct and any relevant record or process]
_____________________________________________________
5. Details of complainant/individuals
potentially affected by the incident
[insert name and contact details if known]
6. Is further information from
complainant or otherwise required
to assess complaint/incident
Tick as applicable:
no
yes (give details):
30517976v3 page 4
7. Identity of the complainant/
affected individuals confirmed
Tick as applicable:
yes
no (give details):
8. Preliminary Assessment Tick as applicable:
insufficient information to review complaint/incident further
action required to be taken by MCRI as detailed in item 9 and if
taken:
complaint likely to be resolved or no likelihood of further
incidents
complaint unlikely to be resolved or likelihood of further
incidents (give details) Note 1:
_______________________________________________________
no action required to be taken by MCRI (other than a response)
and upon notification:
complaint likely to be resolved or no likelihood of further
incidents
complaint unlikely to be resolved and likelihood of further
incidents (give details) Note 1:
9. Action taken by MCRI Tick all relevant actions taken:
response to complainant, on _____________________________
notification of incident to individual affected, on ______________
notification of complaint/incident to third party, on ____________
apology to complainant/individual affected Note 1, on ___________
access granted to personal information, on _________________
correction of personal information, on _____________________
de-identification of personal information, on _________________
deletion/destruction of personal information Note 1, on __________
compensation paid to complainant Note 1, on _________________
review of MCRI’s policies, practices or systems Note 1
change in MCRI’s policies, practices or systems Note 1
training (or further training) for MCRI Personnel Note 1
legal advice obtained
response to Privacy Commissioner Note 1, on _______________
no action (other than a response) Note 1
30517976v3 page 5
other action (give details):
10. Response to the complainant/
notification to affected individuals
[insert date and detail of response/notification]
11. Other Information [insert any additional information as has the complaint been notified
date, to whom contact made]
12. Date complaint/incident referred to
MCRI General Compliance Officer
[insert date]
13. Date complaint/incident referred to
CEO
[insert date if applicable]
Note 1 – MCRI General Compliance Officer must notify CEO of complaint/incident and action taken. We recommend also
obtaining legal advice in respect of the complaint/incident.
Signed by reporting MCRI Personnel:
Signed:
Date:
Signed by MCRI General Compliance
Officer:
Signed:
Date:
30517976v3 page 1
Annexure A– National Privacy Principles (applied up to 12 March 2014)
National Privacy Principle 1—Collection
1.1 An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
National Privacy Principle 2—Use and disclosure
2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose ) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for the organisation to seek the individual's consent before that particular use; and
(ii) the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and
(iii) the individual has not made a request to the organisation not to receive direct marketing communications; and
(iv) in each direct marketing communication with the individual, the organisation draws to the individual's attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and individual to the organisation not to receive direct marketing communications; and
(v) each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation's business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or
(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and
(iii) in the case of disclosure--the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
30517976v3 page 2
(e) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent threat to an individual's life, health or safety; or
(ii) a serious threat to public health or public safety; or
(ea) if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:
(i) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and
(iii) in the case of disclosure--the recipient of the genetic information is a genetic relative of the individual; or
(f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
Note 1: It is not intended to deter organisations from lawfully co-operating with
agencies performing law enforcement functions in the performance of their
functions.
Note 2: Subclause 2.1 does not override any existing legal obligations not to
disclose personal information. Nothing in subclause 2.1 requires an
organisation to disclose personal information; an organisation is always
entitled not to disclose personal information in the absence of a legal
obligation to disclose it.
Note 3: An organisation is also subject to the requirements of National Privacy
Principle 9 if it transfers personal information to a person in a foreign country.
2.2 If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.
2.3 Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation's primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.
2.4 Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:
(a) the individual:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically cannot communicate consent to the disclosure; and
(b) a natural person (the carer ) providing the health service for the organisation is satisfied that either:
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish:
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:
(a) a parent of the individual; or
(b) a child or sibling of the individual and at least 18 years old; or
(c) a spouse or de facto partner of the individual; or
(d) a relative of the individual, at least 18 years old and a member of the individual's household; or
(e) a guardian of the individual; or
30517976v3 page 3
(f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
(g) a person who has an intimate personal relationship with the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
2.6 In subclause 2.5:
"child" : without limiting who is a child of an individual for the purposes of this clause, each of the following is the child of an individual:
(a) an adopted child, stepchild, exnuptial child or foster child of the individual; and
(b) someone who is a child of the individual within the meaning of the Family Law Act 1975 .
de facto partner has the meaning given by the Acts Interpretation Act 1901 .
"parent" : without limiting who is a parent of an individual for the purposes of this clause, someone is the parent of an individual if the individual is his or her child because of the definition of child in this subclause.
"relative" of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
"sibling" of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.
"stepchild" : without limiting who is a stepchild of an individual for the purposes of this clause, someone is the stepchild of an individual if he or she would be the individual's stepchild except that the individual is not legally married to the individual's de facto partner.
2.7 For the purposes of the definition of relative in subclause 2.6, relationships to an individual may also be traced to or through another individual who is:
(a) a de facto partner of the first individual; or
(b) the child of the first individual because of the definition of child in that subclause.
2.8 For the purposes of the definition of sibling in subclause 2.6, an individual is also a sibling of another individual if a relationship referred to in that definition can be traced through a parent of either or both of them.
National Privacy Principle 3—Data quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
National Privacy Principle 4—Data security
4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.
National Privacy Principle 5—Openness
5.1 An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.
5.2 On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
National Privacy Principle 6—Access and Correction
6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:
(a) in the case of personal information other than health information--providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information--providing access would pose a serious threat to the life or health of any individual; or
(c) providing access would have an unreasonable impact upon the privacy of other individuals; or
(d) the request for access is frivolous or vexatious; or
(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(g) providing access would be unlawful; or
(h) denying access is required or authorised by or under law; or
(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(j) providing access would be likely to prejudice:
30517976v3 page 4
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to
give an individual an explanation for a commercially sensitive decision in
circumstances where subclause 6.2 does not apply.
6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If an organisation charges for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
6.5 If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
6.6 If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the organisation must take reasonable steps to do so.
6.7 An organisation must provide reasons for denial of access or a refusal to correct personal information.
National Privacy Principle 7—Identifiers
7.1 An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:
(a) an agency; or
(b) an agent of an agency acting in its capacity as agent; or
(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.
7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before those matters are
prescribed: see subsection 100(2).
7.2 An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:
(a) the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or
(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or
(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before the matters
mentioned in paragraph (c) are prescribed: see subsections 100(2) and (3).
7.3 In this clause:
"identifier" includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation's operations. However, an individual's name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier .
National Privacy Principle 8— Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
National Privacy Principle 9— Transborder data flows
An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the
30517976v3 page 5
information that are substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
National Privacy Principle 10— Sensitive information
10.1 An organisation must not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) if the information is collected in the course of the activities of a non-profit organisation--the following conditions are satisfied:
(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;
(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual's consent; or
(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite subclause 10.1, an organisation may collect health information about an individual if:
(a) the information is necessary to provide a health service to the individual; and
(b) the information is collected:
(i) as required or authorised by or under law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
10.3 Despite subclause 10.1, an organisation may collect health information about an individual if:
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
(c) it is impracticable for the organisation to seek the individual's consent to the collection; and
(d) the information is collected:
(i) as required by law (other than this Act); or
(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or
(iii) in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.
10.4 If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de-identify the information before the organisation discloses it.
10.5 In this clause:
"non-profit organisation" means a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.
The information provided in this document was current
as at 6 December 2013, it is not a substitute for legal
advice.
30517976v3 page 1
Annexure B - Australian Privacy Principles (applied from 12 March 2014 onwards)
Part 1—Consideration of personal information privacy
Australian Privacy Principle 1—open and transparent management of personal information
1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.
Compliance with the Australian Privacy Principles etc.
1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
(b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.
APP Privacy Statement
1.3 An APP entity must have a clearly expressed and up to date policy (the APP Privacy Statement) about the management of personal information by the entity.
1.4 Without limiting subclause 1.3, the APP Privacy Statement of the APP entity must contain the following information:
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients
are likely to be located if it is practicable to specify those countries in the policy.
Availability of APP Privacy Statement etc.
1.5 An APP entity must take such steps as are reasonable in the circumstances to make its APP Privacy Statement available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An APP entity will usually make its APP Privacy Statement available
on the entity’s website.
1.6 If a person or body requests a copy of the APP Privacy Statement of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Australian Privacy Principle 2—anonymity and pseudonymity
2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.
2.2 Subclause 2.1 does not apply if, in relation to that matter:
(a) the APP entity is required or authorised by or under an Australian law, or a court/ tribunal order, to deal with individuals who have identified themselves; or
(b) it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.
Part 2—Collection of personal information
Australian Privacy Principle 3—collection of solicited personal information
Personal information other than sensitive information
3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.
3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.
Sensitive information
30517976v3 page 2
3.3 An APP entity must not collect sensitive information about an individual unless:
(a) the individual consents to the collection of the information and:
(i) if the entity is an agency—the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or
(b) subclause 3.4 applies in relation to the information.
3.4 This subclause applies in relation to sensitive information about an individual if:
(a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(b) a permitted general situation exists in relation to the collection of the information by the APP entity; or
(c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or
(d) the APP entity is an enforcement body and the entity reasonably believes that:
(i) if the entity is the Immigration Department—the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the entity; or
(ii) otherwise—the collection of the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
(e) the APP entity is a non-profit organisation and both of the following apply:
(i) the information relates to the activities of the organisation;
(ii) the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.
Note: For permitted general situation, see section 16A. For permitted health
situation, see section 16B.
Means of collection
3.5 An APP entity must collect personal information only by lawful and fair means.
3.6 An APP entity must collect personal information about an individual only from the individual unless:
(a) if the entity is an agency:
(i) the individual consents to the collection of the information from someone other than the individual; or
(ii) the entity is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or
(b) it is unreasonable or impracticable to do so.
Solicited personal information
3.7 This principle applies to the collection of personal information that is solicited by an APP entity.
Australian Privacy Principle 4—dealing with unsolicited personal information
4.1 If:
(a) an APP entity receives personal information; and
(b) the entity did not solicit the information;
the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information.
4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.
4.3 If:
(a) the APP entity determines that the entity could not have collected the personal information; and
(b) the information is not contained in a Commonwealth record;
the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.
4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.
Australian Privacy Principle 5—notification of the collection of personal information
5.1 At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
(a) to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or
(b) to otherwise ensure that the individual is aware of any such matters.
30517976v3 page 3
5.2 The matters for the purposes of subclause 5.1 are as follows:
(a) the identity and contact details of the APP entity;
(b) if:
(i) the APP entity collects the personal information from someone other than the individual; or
(ii) the individual may not be aware that the APP entity has collected the personal information;
the fact that the entity so collects, or has collected, the information and the circumstances of that collection;
(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order— the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/ tribunal order, that requires or authorises the collection);
(d) the purposes for which the APP entity collects the personal information;
(e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity;
(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;
(g) that the APP Privacy Statement of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information;
(h) that the APP Privacy Statement of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(i) whether the APP entity is likely to disclose the personal information to overseas recipients;
(j) if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.
Part 3—Dealing with personal information
Australian Privacy Principle 6—use or disclosure of personal information Use or disclosure
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
(a) the individual has consented to the use or disclosure of the information; or
(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.
Note: Australian Privacy Principle 8 sets out requirements for the disclosure
of personal information to a person who is not in Australia or an external
Territory.
6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
(a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information—directly related to the primary purpose; or
(ii) if the information is not sensitive information—related to the primary purpose; or
(b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or
(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
(e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Note: For permitted general situation, see section 16A. For permitted health
situation, see section 16B.
6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:
(a) the agency is not an enforcement body; and
(b) the information is biometric information or biometric templates; and
(c) the recipient of the information is an enforcement body; and
(d) the disclosure is conducted in accordance with the guidelines made by the Commissioner for the purposes of this paragraph.
6.4 If:
30517976v3 page 4
(a) the APP entity is an organisation; and
(b) subsection 16B(2) applied in relation to the collection of the personal information by the entity;
the entity must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.
Written note of use or disclosure
6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.
Related bodies corporate
6.6 If:
(a) an APP entity is a body corporate; and
(b) the entity collects personal information from a related body corporate;
this principle applies as if the entity’s primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.
Exceptions
6.7 This principle does not apply to the use or disclosure by an organisation of:
(a) personal information for the purpose of direct marketing; or
(b) government related identifiers.
Australian Privacy Principle 7—direct marketing Direct marketing
7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
Note: An act or practice of an agency may be treated as an act or practice of
an organisation, see section 7A.
Exceptions—personal information other than sensitive information
7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(a) the organisation collected the information from the individual; and
(b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(d) the individual has not made such a request to the
organisation.
7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(a) the organisation collected the information from:
(i) the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or
(ii) someone other than the individual; and
(b) either:
(i) the individual has consented to the use or disclosure of the information for that purpose; or
(ii) it is impracticable to obtain that consent; and
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(d) in each direct marketing communication with the individual:
(i) the organisation includes a prominent statement that the individual may make such a request; or
(ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and
(e) the individual has not made such a request to the organisation.
Exception—sensitive information
7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
Exception—contracted service providers
7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if:
(a) the organisation is a contracted service provider for a Commonwealth contract; and
(b) the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
(c) the use or disclosure is necessary to meet (directly or indirectly) such an obligation.
Individual may request not to receive direct marketing communications etc.
30517976v3 page 5
7.6 If an organisation (the first organisation) uses or discloses personal information about an individual:
(a) for the purpose of direct marketing by the first organisation; or
(b) for the purpose of facilitating direct marketing by other organisations;
the individual may:
(c) if paragraph (a) applies—request not to receive direct marketing communications from the first organisation; and
(d) if paragraph (b) applies—request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and
(e) request the first organisation to provide its source of the information.
7.7 If an individual makes a request under subclause 7.6, the first organisation must not charge the individual for the making of, or to give effect to, the request and:
(a) if the request is of a kind referred to in paragraph 7.6(c)
or (d)—the first organisation must give effect to the request
within a reasonable period after the request is made; and
(b) if the request is of a kind referred to in paragraph 7.6(e)—the organisation must, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.
Interaction with other legislation
7.8 This principle does not apply to the extent that any of the following apply:
(a) the Do Not Call Register Act 2006;
(b) the Spam Act 2003;
(c) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the regulations.
Australian Privacy Principle 8—cross-border disclosure of personal information
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an external Territory; and
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the
overseas recipient is taken, under section 16C, to have been done, or
engaged in, by the APP entity and to be a breach of the Australian Privacy
Principles.
8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(a) the entity reasonably believes that:
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(b) both of the following apply:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(ii) after being so informed, the individual consents to the disclosure; or
(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or
(e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
(f) the entity is an agency and both of the following apply:
(i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
(ii) the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.
Note: For permitted general situation, see section 16A.
Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers
Adoption of government related identifiers
9.1 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:
30517976v3 page 6
(a) the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or
(b) subclause 9.3 applies in relation to the adoption.
Note: An act or practice of an agency may be treated as an act or practice of
an organisation, see section 7A.
Use or disclosure of government related identifiers
9.2 An organisation must not use or disclose a government related identifier of an individual unless:
(a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or
(b) the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or
(c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or
(e) the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
(f) subclause 9.3 applies in relation to the use or disclosure.
Note 1: An act or practice of an agency may be treated as an act or practice
of an organisation, see section 7A.
Note 2: For permitted general situation, see section 16A.
Regulations about adoption, use or disclosure
9.3 This subclause applies in relation to the adoption, use or disclosure by an organisation of a government related identifier of an individual if:
(a) the identifier is prescribed by the regulations; and
(b) the organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and
(c) the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.
Note: There are prerequisites that must be satisfied before the matters
mentioned in this subclause are prescribed, see subsections 100(2) and (3).
Part 4—Integrity of personal information
Australian Privacy Principle 10—quality of personal information
10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up to date and complete.
10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
Australian Privacy Principle 11—security of personal information
11.1 If an APP entity holds personal information, the entity
must take such steps as are reasonable in the circumstances
to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
11.2 If:
(a) an APP entity holds personal information about an individual; and
(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
(c) the information is not contained in a Commonwealth record; and
(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
Part 5—Access to, and correction of, personal information
Australian Privacy Principle 12—access to personal information
Access
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
Exception to access—agency
12.2 If:
(a) the APP entity is an agency; and
(b) the entity is required or authorised to refuse to give the individual access to the personal information by or under:
(i) the Freedom of Information Act; or
30517976v3 page 7
(ii) any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents;
then, despite subclause 12.1, the entity is not required to give access to the extent that the entity is required or authorised to refuse to give access.
Exception to access—organisation
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
(e) giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) giving access would be unlawful; or
(g) denying access is required or authorised by or under an Australian law or a court/ tribunal order; or
(h) both of the following apply:
(i) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;
(ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
(i) giving access would be likely to prejudice one or more
enforcement related activities conducted by, or on behalf
of, an enforcement body; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
Dealing with requests for access
12.4 The APP entity must:
(a) respond to the request for access to the personal information:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
(b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
Other means of access
12.5 If the APP entity refuses:
(a) to give access to the personal information because of subclause 12.2 or 12.3; or
(b) to give access in the manner requested by the individual;
the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.
12.6 Without limiting subclause 12.5, access may be given through the use of a mutually agreed intermediary.
Access charges
12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.
12.8 If:
(a) the APP entity is an organisation; and
(b) the entity charges the individual for giving access to the personal information;
the charge must not be excessive and must not apply to the making of the request.
Refusal to give access
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
(a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
(b) the mechanisms available to complain about the refusal; and
(c) any other matter prescribed by the regulations.
12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.
Australian Privacy Principle 13—correction of personal information
Correction
30517976v3 page 8
13.1 If:
(a) an APP entity holds personal information about an individual; and
(b) either:
(i) the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
(ii) the individual requests the entity to correct the information;
the entity must take such steps (if any) as are reasonable in
the circumstances to correct that information to ensure that,
having regard to the purpose for which it is held, the
information is accurate, up to date, complete, relevant and not
misleading.
Notification of correction to third parties
13.2 If:
(a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and
(b) the individual requests the entity to notify the other APP entity of the correction;
the entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.
Refusal to correct information
13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out:
(a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and
(b) the mechanisms available to complain about the refusal; and
(c) any other matter prescribed by the regulations.
Request to associate a statement
13.4 If:
(a) the APP entity refuses to correct the personal information as requested by the individual; and
(b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;
the entity must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.
Dealing with requests
13.5 If a request is made under subclause 13.1 or 13.4, the APP entity:
(a) must respond to the request:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
(b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).
–
The information provided in this document is current as at 29 April 2015, it is not a substitute for legal advice.
30517976v3 page 2
Annexure C –Health Privacy Principles (applied from 1 July 2002 onwards)
Health Privacy Principle 1—Collection
When health information may be collected
1.1 An organisation must not collect health information about an individual unless the information is necessary for one or more of its functions or activities and at least one of the following applies--
(a) the individual has consented;
(b) the collection is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law);
(c) the information is necessary to provide a health service to the individual and the individual is incapable of giving consent within the meaning of section 85(3) and--
(i) it is not reasonably practicable to obtain the consent of an authorised
representative of the individual within the meaning of section 85; or
(ii) the individual does not have such an authorised representative;
(d) the information is disclosed to the organisation in accordance with HPP 2.2(a), (f), (i) or (l) or HPP 2.5;
(e) if the collection is necessary for research, or the compilation or analysis of statistics, in the public interest--
(i) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
(ii) it is impracticable for the organisation to seek the individual's consent to the collection; and
(iii) the information is collected in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this subparagraph;
(f) the collection is necessary to prevent or lessen--
(i) a serious and imminent threat to the life, health, safety or welfare of any individual; or
(ii) a serious threat to public health, public safety or public welfare--
and the information is collected in accordance with guidelines, if any, issued or approved by the Health
Services Commissioner under section 22 for the purposes of this paragraph;
(g) the collection is by or on behalf of a law enforcement agency and the organisation reasonably believes that the collection is necessary for a law enforcement function;
(h) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;
(i) the collection is in the prescribed circumstances.
How health information is to be collected
1.2 An organisation must collect health information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 If it is reasonable and practicable to do so, an organisation must collect health information about an individual only from that individual.
1.4 At or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects health information about an individual from the individual, the organisation must take steps that are reasonable in the circumstances to ensure that the individual is generally aware of--
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.5 If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence.
30517976v3 page 2
1.6 An organisation is not required to notify the individual of the identity of persons, or classes of persons, to whom health information may be disclosed in accordance with HPP 2.2(f).
Information given in confidence
1.7 If personal information is given in confidence to a health service provider about an individual by a person other than--
(a) the individual; or
(b) a health service provider in the course of, or otherwise in relation to, the provision of health services to the individual--
with a request that the information not be communicated to the individual to whom it relates, the provider must--
(c) confirm with the person that the information is to remain confidential; and
(d) if the information remains confidential--
(i) record the information only if it is relevant to the provision of health services to, or the care of, the individual; and
(ii) take reasonable steps to ensure that the information is accurate and not misleading; and
(e) take reasonable steps
Health Privacy Principle 2—Use and Disclosure
2.1 An organisation may use or disclose health information about an individual for the primary purpose for which the information was collected in accordance with HPP 1.1.
2.2 An organisation must not use or disclose health information about an individual for a purpose (the "secondary purpose") other than the primary purpose for which the information was collected unless at least one of the following paragraphs applies:
(a) both of the following apply--
(i) the secondary purpose is directly related to the primary purpose; and
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) the use or disclosure is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law); or
(d) all of the following apply--
(i) the organisation is a health service provider providing a health service to the individual; and
(ii) the use or disclosure for the secondary purpose is reasonably necessary for the provision of the health service; and
(iii) the individual is incapable of giving consent within the meaning of section 85(3)and--
(A) it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or
(B) the individual does not have such an authorised representative; or
(e) all of the following apply--
(i) the organisation is a health service provider providing a health service to the individual; and
(ii) the use is for the purpose of the provision of further health services to the individual by the organisation; and
(iii) the organisation reasonably believes that the use is necessary to ensure that the further health services are provided safely and effectively; and
(iv) the information is used in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or
(f) the use or disclosure is for the purpose of—
(i) funding, management, planning, monitoring, improvement or evaluation of health services; or
(ii) training provided by a health service provider to employees or persons working with the organisation--
and--
(iii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the individual's consent to the use or disclosure; or
(iv) reasonable steps are taken to de-identify the information--
and--
(v) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
(vi) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this sub-paragraph; or
30517976v3 page 3
(g) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest--
(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and
(ii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
(iii) the use or disclosure is in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this subparagraph; and
(iv) in the case of disclosure—
(A) the organisation reasonably believes that the recipient of the health information will not disclose the health information; and
(B) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained; or
(h) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent--
(i) a serious and imminent threat to an individual's life, health, safety or welfare; or
(ii) a serious threat to public health, public safety or public welfare--
and the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or
(i) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities and, if the organisation is a registered health service provider, the use or disclosure would not be a breach of confidence; or
(j) the organisation reasonably believes that the use or disclosure is reasonably necessary for a law enforcement function by or on behalf of a law enforcement agency and, if the organisation is a registered health service provider, the use or disclosure would not be a breach of confidence; or
(k) the use or disclosure is necessary for the establishment, exercise or defence of a legal or equitable claim; or
(l) the use or disclosure is in the prescribed circumstances.
Note: Nothing in HPP 2 requires an organisation to disclose health
information about an individual. An organisation is always entitled not to
disclose health information in the absence of a legal obligation to
disclose it.
2.3 If an organisation discloses health information under paragraph (i) or (j) of HPP 2.2, it must make a written note of the disclosure.
2.4 Despite HPP 2.2, a health service provider may disclose health information about an individual to an immediate family member of the individual if—
(a) either--
(i) the disclosure is necessary to provide appropriate health services to or care of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(b) the disclosure is limited to the extent reasonable and necessary for the purposes mentioned in paragraph (a); and
(c) the individual is incapable of giving consent to the disclosure within the meaning of section 85(3); and
(d) the disclosure is not contrary to any wish--
(i) expressed by the individual before the individual became incapable of giving consent and not changed or withdrawn by the individual before then; and
(ii) of which the organisation is aware or could be made aware by taking reasonable steps; and
(e) in the case of an immediate family member who is under the age of 18 years, considering the circumstances of the disclosure, the immediate family member has sufficient maturity to receive the information.
2.5 Despite HPP 2.2, an organisation may use or disclose health information about an individual
where—
(a) it is known or suspected that the individual is dead; or
(b) it is known or suspected that the individual is missing; or
(c) the individual has been involved in an accident or other misadventure and is incapable of consenting to the use or disclosure--
and the use or disclosure is to the extent reasonably necessary--
(d) to identify the individual; or
(e) to ascertain the identity and location of an immediate family member or other relative of the individual for the purpose of--
(i) enabling a member of the police force, a coroner or other prescribed organisation to contact the immediate family member or other relative for compassionate reasons; or
30517976v3 page 4
(ii) to assist in the identification of the individual--
and, in the circumstances referred to in paragraph (b) or (c)--
(f) the use or disclosure is not contrary to any wish--
(i) expressed by the individual before he or she went missing or became incapable of consenting and not withdrawn by the individual; and
(ii) of which the organisation is aware or could have become aware by taking reasonable steps; and
(g) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph.
Health Privacy Principle 3—Data Quality
3.1 An organisation must take steps that are reasonable in the circumstances to make sure that, having regard to the purpose for which the information is to be used, the health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.
Health Privacy Principle 4—Data Security and Data Retention
4.1 An organisation must take reasonable steps to protect the health information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 A health service provider must not delete health information relating to an individual, even if it is later found or claimed to be inaccurate, unless--
(a) the deletion is permitted, authorised or required by the regulations or any other law; or
(b) the deletion is not contrary to the regulations or any other law and occurs--
(i) in the case of health information collected while the individual was a child, after the individual attains the age of 25 years; or
(ii) in any case, more than 7 years after the last occasion on which a health service was provided to the individual by the provider--
whichever is the later.
4.3 A health service provider who deletes health information in accordance with HPP 4.2 must make a written note of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted.
4.4 A health service provider who transfers health information to another individual or organisation and does not continue to hold a record of that information must make a written note of
the name and address of the individual or organisation to whom it was transferred.
4.5 An organisation other than a health service provider must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for the purpose for which it was collected or any other purpose authorised by this Act, the regulations made under this Act or any other law.
Health Privacy Principle 5—Openness
5.1 An organisation must set out in a document--
(a) clearly expressed policies on its management of health information; and
(b) the steps that an individual must take in order to obtain access to their health information.
The organisation must make the document available to anyone who asks for it.
5.2 On request by an individual, an organisation must take reasonable steps--
(a) to let the individual know--
(i) whether the organisation holds health information relating to the individual; and
(ii) the steps that the individual should take if the individual wishes to obtain access to the information; and
(b) if the organisation holds health information relating to the individual, to let the individual know in general terms--
(i) the nature of the information; and
(ii) the purposes for which the information is used; and
(iii) how the organisation collects, holds, uses and discloses the information. .
Health Privacy Principle 6—Access and Correction
Access
6.1 If an organisation holds health information about an individual, it must provide the individual with access to the information on request by the individual in accordance with Part 5, unless--
(a) providing access would pose a serious threat to the life or health of any person under section 26 and refusing access is in accordance with guidelines, if any, issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph; or
(b) providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued or approved by
30517976v3 page 5
the Health Services Commissioner under section 22 for the purposes of this paragraph; or
(c) the information relates to existing legal proceedings between the organisation and the individual and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege; or
(d) providing access would reveal the intentions of the organisation in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the organisation unreasonably to disadvantage; or
(e) the information is subject to confidentiality under section 27; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under law; or
(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency; or
(j) a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia; or
(k) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or
(l) the individual has been provided with access to the health information in accordance with Part 5 and is making an unreasonable, repeated request for access to the same information in the same way.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than access to the information.
Note: An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an
individual an explanation for a commercially sensitive decision in
circumstances where HPP 6.2 does not apply.
6.3 If access is refused on the ground that it would pose a serious threat to the life or health of the individual, the procedure in Division 3 of Part 5 applies.
6.4 Without limiting sections 26 and 27, nothing in this Principle compels an organisation to refuse to provide an individual with access to his or her health information.
Correction
6.5 If an organisation holds health information about an individual and the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date but must not delete the information otherwise than in accordance with HPP 4.2.
6.6 If--
(a) the organisation is not willing to correct the health information in accordance with a request by the individual; and
(b) no decision or recommendation to the effect that the information should be corrected wholly or partly in accordance with the request, is pending or has been made under this Act or any other law; and
(c) the individual gives to the organisation a written statement concerning the requested correction--
the organisation must take reasonable steps to associate the statement with the information.
6.7 If the organisation accepts the need to correct the health information but—
(a) the organisation considers it likely that leaving incorrect information, even if corrected, could cause harm to the individual or result in inappropriate health services or care being provided; or
(b) the form in which the health information is held makes correction impossible; or
(c) the corrections required are sufficiently complex or numerous for a real possibility of confusion or error to arise in relation to interpreting or reading the record if it were to be so corrected—
the organisation must place the incorrect information on a record which is not generally available to anyone involved in providing health services to the individual, and to which access is restricted, and take reasonable steps to ensure that only the corrected information is generally available to anyone who may provide health services to the individual.
6.8 If an organisation corrects health information about an individual, it must--
(a) if practicable, record with the correction the name of the person who made the correction and the date on which the correction is made; and
(b) take reasonable steps to notify any health service providers to whom the organisation disclosed the health information before its correction and who may reasonably be expected to rely on that information in the future.
30517976v3 page 6
6.9 If an individual requests an organisation to correct health information about the individual, the organisation must take reasonable steps to notify the individual of a decision on the request as soon as practicable but in any case not later than 30 days after the request is received by the organisation.
Written Reasons
6.10 An organisation must provide written reasons for refusal of access or a refusal to correct health information.
Health Privacy Principle 7—Identifiers
7.1 An organisation may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently.
7.2 Subject to HPP 7.4, a private sector organisation may only adopt as its own identifier of an individual an identifier of an individual that has been assigned by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if--
(a) the individual has consented to the adoption of the same identifier; or
(b) the use or disclosure of the identifier is required or authorised by or under law.
7.3 Subject to HPP 7.4, a private sector organisation may only use or disclose an identifier assigned to an individual by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if--
(a) the use or disclosure is required for the purpose for which it was assigned or for a secondary purpose referred to in one or more of paragraphs (c) to (l) of HPP 2.2; or
(b) the individual has consented to the use or disclosure; or
(c) the disclosure is to the public sector organisation which assigned the identifier to enable the public sector organisation to identify the individual for its own purposes.
7.4 If the use or disclosure of an identifier assigned to an individual by a public sector organisation is necessary for a private sector organisation to fulfil its obligations to, or requirements of, the public sector organisation, a private sector organisation may either--
(a) adopt as its own identifier of an individual an identifier of the individual that has been assigned by the public sector organisation; or
(b) use or disclose an identifier of the individual that has been assigned by the public sector organisation
Health Privacy Principle 8—Anonymity
8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation. .
Health Privacy Principle 9—Transborder Data Flows
9.1 An organisation may transfer health information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if--
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply--
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain that consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles; or
(g) the transfer is authorised or required by any other law.
Health Privacy Principle 10—Transfer or closure of the practice of a health service provider
10.1 This Principle applies if the practice or business of a health service provider ("the provider") is to be--
(a) sold or otherwise transferred and the provider will not be providing health services in the new practice or business; or
(b) closed down.
10.2 The provider or, if the provider is deceased, the legal representatives of the provider, must--
30517976v3 page 7
(a) publish a notice in a newspaper circulating in the locality of the practice or business stating--
(i) that the practice or business has been, or is about to be, sold, transferred or closed down, as the case may be; and
(ii) the manner in which the provider proposes to deal with the health information held by the practice or business about individuals who have received health services from the provider, including whether the provider proposes to retain the information or make it available for transfer to those individuals or their health service providers; and
(b) take any other steps to notify individuals who have received a health service from the provider in accordance with guidelines issued or approved by the Health Services Commissioner under section 22 for the purposes of this paragraph.
10.3 Not earlier than 21 days after giving notice in accordance with HPP 10.2, the person giving the notice must, in relation to health information about an individual held by, or on behalf of, the practice or business, elect to retain that information or transfer it to--
(a) the health service provider, if any, who takes over the practice or business; or
(b) the individual or a health service provider nominated by him or her.
10.4 A person who elects to retain health information must continue to hold it or transfer it to a competent organisation for safe storage in Victoria, until the time, if any, when the health information is destroyed in accordance with HPP 4.
10.5 Subject to HPP 10.2, a person must comply with the requirements of this Principle as soon as practicable.
10.6 Despite any other provision of the Health Privacy Principles, a person who transfers health information in accordance with this Principle does not, by so doing, contravene the Health Privacy Principles.
10.7 If—
(a) an individual, in response to a notice published under HPP 10.2, requests that health information be transferred to him or her or to a health service provider nominated by him or her; and
(b) the person who published the notice elects to retain the health information the request must be taken to be--
(c) in the case of a request that the health information be transferred to him or her, a request for access to that health information in accordance with Part 5 or HPP 6; and
(d) in the case of a request that the health information be transferred to a health service provider nominated by him or her, a request for the transfer of that health information in accordance with HPP 11--
and it must be dealt with in accordance with this Act.
10.8 This Principle operates subject to any other law, including the Public Records Act 1973.
10.9 For the purposes of HPP 10.1(a), a business or practice of a provider is transferred if--
(a) it is amalgamated with another organisation; and
(b) the successor organisation which is the result of the amalgamation is a private sector organisation.
Health Privacy Principle 11 —Making information available to another health service provider
11.1 If an individual--
(a) requests a health service provider to make health information relating to the individual held by the provider available to another health service provider; or
(b) authorises another health service provider to request a health service provider to make health information relating to the individual held by that provider available to the requesting health service provider--
a health service provider to whom the request is made and who holds health information about the individual must, on payment of a fee not exceeding the prescribed maximum fee and subject to the regulations, provide a copy or written summary of that health information to that other health service provider.
11.2 A health service provider must comply with the requirements of this Principle as soon as practicable.
11.3 Nothing in Part 5 or HPP 6 limits the operation of this Principle.
11.4 For the purposes of HPP 10.7, this Principle applies to a legal representative of a deceased health service provider in the same way that it applies to a health service provider.
.
The information provided in this document is current as at 29 April 2015, it is not a substitute for legal advice.