Health Records and Information Privacy Bill 2002
Explanatory note
This explanatory note relates to this Bill as introduced into Parliament.
Overview of Bill
The purpose of this Bill is to promote fair and responsible handling of health information by:
(a) protecting the privacy of an individual’s health information that is held in the public and private sectors, and
(b) enabling individuals to gain access to their health information, and
(c) providing an accessible framework for the resolution of complaints regarding the handling of health information.
The Bill applies to both public sector agencies and private sector persons who are health service providers or who collect, hold or use health information. The Bill establishes 15 Health Privacy Principles to be observed by such public sector agencies and private sector persons. These principles relate to the following matters:
(a) the purposes of the collection of health information,
(b) the relevance, extent, accuracy, completeness and currency of health information collected,
(c) the collection of health information from the individuals concerned,
(d) making an individual from whom health information is collected aware of certain matters,
(e) the retention and security of health information,
(f) enabling an individual to ascertain certain information about health information held by an organisation,
(g) access to health information,
(h) amendment of health information,
(i) the continuing relevance, accuracy, currency and completeness of health information,
(j) the use of health information,
(k) the disclosure of health information,
(l) assigning and using identifiers for individuals,
(m) enabling individuals to enter into transactions or receive health services anonymously,
(n) the transfer of information out of New South Wales or to Commonwealth agencies,
(o) the computerised linkage of health records.
The Bill also sets out some specific requirements for private sector persons who hold health information relating to the retention of health information, and access to and amendment of health information by the individual to whom the information relates.
The Bill provides for the making of health privacy codes of practice by the Minister to regulate specified matters. These health privacy codes of practice may modify the Health Privacy Principles and the other specific requirements for private sector persons.
The Bill provides for the making of complaints about the handling of health information by public sector agencies or private sector persons to the Privacy Commissioner and ultimately to the Administrative Decisions Tribunal, although there are different procedures for complaints against public sector agencies and private sector persons.
Outline of provisions
Part 1 Preliminary
Clause 1 sets out the name (also called the short title) of the proposed Act.
Clause 2 provides for the commencement of the proposed Act on a day or days to be appointed by proclamation.
Clause 3 sets out the purpose and objects of the proposed Act.
Clause 4 contains definitions of terms used in the proposed Act. In particular, it defines organisation, private sector person and public sector agency. Organisation means a public sector agency or a private sector person, and includes individuals. Some organisations are health service providers (defined to mean an organisation that provides a health service, but not to include an organisation exempted by the regulations, or an organisation that merely arranges for a health service to be provided by another organisation).
Clause 5 defines personal information, and clause 6 defines health information.
Clause 7 deals with the circumstances where individuals are incapable of doing an act authorised, permitted or required under the proposed Act, such as making a request for access to health information or consenting to disclosure of health information. The clause provides that an authorised representative may do such an act on behalf of the individual, and that an authorised representative may not do such an act on behalf of an individual if the individual is capable of doing that act.
The term authorised representative is defined in clause 8. Clause 9 sets out when an organisation “holds” information for the purposes of the proposed Act, and clause 10 provides that an organisation does not “collect” information for the purposes of the proposed Act if the receipt of the information is unsolicited.
Part 2 General operation of Act
Clause 11 requires organisations to which the proposed Act applies to comply with the Health Privacy Principles and with any health privacy code of practice or a provision of Part 4 that is applicable to the organisation.
The 15 Health Privacy Principles (HPPs) are set out in Schedule 1 to the proposed Act. They deal with matters such as collection and retention of health information, access to and amendment of health information, and inclusion of health information in a computerised health records linkage system.
Part 4 of the proposed Act sets out some additional provisions specifically for private sector persons. These specific provisions assist the operation of the Health Privacy Principles relating to retention, access and amendment of health information by:
(a) setting out detailed requirements for retention, disposal and transfer of health information by private sector persons who are health service providers, and
(b) setting out procedures to be followed by private sector persons and individuals seeking access to or amendment of health information held by private sector persons.
Health privacy codes of practice are codes made under Part 5 of the proposed Act by the Minister administering the proposed Act. The Health Privacy Principles and the specific provisions in Part 4 may be modified in their application to organisations by health privacy codes of practice made by the Minister. Health privacy codes of practice may also regulate the collection, retention, use, disclosure, transfer and linkage of, and procedures for dealing with, health information held by organisations.
Clause 12 provides that the Act binds the Crown.
Clauses 13–17 provide exemptions for certain persons, authorities and activities from certain provisions of the proposed Act or the HPPs. The exemptions relate to the following matters:
(a) courts and tribunals in the exercise of their judicial functions (clause 13),
(b) individuals conducting their personal, family or household affairs (clause 14),
(c) the news activities of news media (clause 15),
(d) the collection, use and disclosure of health information within group practices, (a group practice being a group of individuals who provide a health service at shared premises, maintain a shared reception and maintain combined or joint records) (clause 16),
(e) the functions of the Independent Commission Against Corruption, the Police Service, the Police Integrity Commission, the Inspector of the Police Integrity Commission, the staff of the Inspector of the Police Integrity Commission and the New South Wales Crime Commission (clause 17).
Other exemptions are set out in the Health Privacy Principles in Schedule 1.
Clause 18 prevents an exemption under the proposed Act from authorising an organisation to do any thing that it is otherwise prohibited from doing.
Clause 19 sets out how the Health Privacy Principles apply to health information collected before the commencement of Schedule 1 (the Schedule containing the HPPs).
Part 3 Provisions for public sector agencies
The Part deals with the application of the proposed Act to public sector agencies.
Clause 21 establishes a complaints procedure for complaints about the contravention of a Health Privacy Principle or a health privacy code of conduct by public sector agencies. Complaints are dealt with in the same way that a complaint under the Privacy and Personal Information Protection Act 1998 is dealt with. The complainant can make a complaint to the Privacy Commissioner under that Act, who can investigate and report on the complaint, or the complainant can apply to the public sector agency for an internal review under that Act, followed by review by the Administrative Decisions Tribunal.
Clauses 20 and 22 deal with the relationship between the proposed Act, the State Records Act 1998 and the Freedom of Information Act 1989.
Part 4 Provisions for private sector persons
The Part contains specific provisions for private sector persons that are additional to, and assist the operation of, the Health Privacy Principles in their application to private sector persons.
Division 1 General
The Division deals with two general matters. Clause 23 provides a general exemption from the requirements of Part 4 for private sector persons who are required or authorised not to comply with such a provision. There are similar exemptions to several of the Health Privacy Principles, set out in the relevant Health Privacy Principle in Schedule 1.
Clause 24 provides for the issuing of guidelines by the Privacy Commissioner with respect to matters dealt with in Part 4 for private sector persons, for the purpose of assisting them to comply with the Health Privacy Principles and this Part.
Division 2 Retention of health information
Clause 25 requires health service providers to retain health information relating to an individual for 7 years from the last occasion on which a health service was provided to the individual by the health service provider. If the health information was collected while the individual was under the age of 18 years, the health service provider must retain the health information until the individual has attained the age of 25 years.
Division 3 Access to health information
The Division (clauses 26–32) sets out procedures by which an individual can request and be given access to health information relating to the individual held by a private sector person. The private sector person may refuse to give the individual access on specified grounds (set out in clause 29).
If the private sector person refuses to give the individual access to the health information on the ground that providing access would pose a serious threat to the life or health of the individual, the individual may request the private sector person to give access instead to a registered medical practitioner nominated by the individual.
Division 4 Amendment of health information
The Division (clauses 33–37) sets out procedures by which an individual can request amendment of health information relating to the individual held by a private sector person if the individual claims that the health information is inaccurate, out of date, incomplete or misleading. The private sector person may refuse to amend the health information on specified grounds (clause 34 (2)).
If the private sector person refuses to amend the health information, the individual may require the private sector person to add a notation to the health information specifying the respects in which the individual claims the information is incomplete, incorrect, out of date or misleading, and setting out such information as the individual claims is necessary to complete the information or to bring it up to date.
Part 5 Health privacy codes of practice
The Part (clauses 38–40) makes provision for health privacy codes of practice to be made by the Minister. A health privacy code of practice may regulate any of the following matters:
(a) the collection or retention of health information held by organisations,
(b) the use or disclosure of health information held by organisations,
(c) the transfer by organisations of health information from New South Wales to a jurisdiction outside New South Wales or to a Commonwealth agency,
(d) the electronic or computerised linkage of health information held by organisations,
(e) the procedures for dealing with health information held by organisations.
Health privacy codes of practice can apply to specified classes of health information, or to specified organisations or classes of organisations, or to any specified activity or class of activity.
A health privacy code of practice may modify the application to any organisation of any Health Privacy Principle or any provision of Part 4.
Part 6 Complaints against private sector persons
Division 1 General
The Division (clauses 41–47) allows an individual to make a complaint to the Privacy Commissioner about an alleged contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice by a private sector person.
A complaint against a private sector person is made to the Privacy Commissioner, who makes a preliminary assessment of the complaint to decide whether or not to deal with the complaint. If the Privacy Commissioner decides to deal with the complaint, the Privacy Commissioner carries out an assessment to determine if there is a prima facie case of contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice.
If the Privacy Commissioner is satisfied that there is such a prima facie case of contravention, the Privacy Commissioner can deal with the complaint by:
(a) endeavouring to resolve the complaint by conciliation, or
(b) further investigating the complaint and making a report, or
(c) determining that the complaint has been resolved to the Privacy Commissioner’s satisfaction.
If the Privacy Commissioner decides that the matter has been resolved or conducts a conciliation, no further action is to be taken by the Privacy Commissioner (whether or not the parties reach an agreement at conciliation).
If the Privacy Commissioner makes a report about the complaint, the complainant can apply to the Administrative Decisions Tribunal to hold an inquiry into the complaint under Division 2.
Division 2 The functions of the Administrative Decisions Tribunal
The Division (clauses 48–57) provides for the Administrative Decisions Tribunal to conduct an inquiry into a complaint about which the Privacy Commissioner has made a report. After holding an inquiry, the Tribunal may decide to take no action on the matter, or it can make a number of orders, including the following:
(a) an order requiring the respondent to the complaint to pay to the complainant damages not exceeding $40,000 if the respondent is a body corporate, or not exceeding $10,000 in any other case, by way of compensation for any loss or damage suffered by reason of the respondent’s conduct,
(b) an order requiring the respondent to refrain from any conduct or action in contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
(c) an order requiring the performance of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,
(d) an order requiring health information that has been disclosed to be corrected by the respondent,
(e) an order requiring the respondent to take specified steps to remedy any loss or damage suffered by the complainant.
However, the Tribunal may make an order for payment of damages only if:
(a) the application relates to conduct that occurs after the end of the 12-month period following the date on which Schedule 1 commences, and
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the respondent.
A person may appeal against an order or decision made by the Tribunal to an Appeal Panel of the Tribunal.
Part 7 Privacy Commissioner
Clause 58 confers functions on the Privacy Commissioner relating to the following matters:
(a) promoting the adoption of, and monitoring compliance with, the Health Privacy Principles and the provisions of Part 4,
(b) preparing and publishing guidelines relating to the protection of health information and other privacy matters, and promoting the adoption of such guidelines,
(c) providing assistance to organisations in adopting and complying with the Health Privacy Principles and the provisions of Part 4,
(d) conducting research, and collecting and collating information, about any matter relating to the protection of health information and the privacy of individuals,
(e) providing advice on matters relating to the protection of health information and the privacy of individuals,
(f) receiving, investigating and conciliating complaints about alleged contraventions of Health Privacy Principles, provisions of Part 4 or health privacy codes of practice.
Clauses 59–61 provide the Privacy Commissioner with the same powers to make inquiries and conduct investigations that the Privacy Commissioner has under the Privacy and Personal Information Protection Act 1998, in order to enable the Privacy Commissioner to exercise the Privacy Commissioner’s functions under the proposed Act.
Clause 62 enables the Privacy Commissioner to make a written direction exempting an organisation from a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, or modifying the application of such a Principle, provision or code. However, such a direction may only be made if it is in the public interest, and after consultation with the Attorney General and approval by the Minister.
Clause 63 empowers the Privacy Commissioner to require an organisation to provide the Privacy Commissioner with information:
(a) concerning the arrangements made by the organisation to enable the organisation to comply with the Health Privacy Principles, the provisions of Part 4 and any health privacy code of practice applying to the organisation, and
(b) demonstrating the means by which the organisation is implementing such arrangements.
Clause 64 enables the Privacy Commissioner to issue guidelines with respect to certain matters, and provides for the preparation and making of guidelines. The Privacy Commissioner cannot issue guidelines unless the guidelines are approved by the Minister.
Clauses 65–67 provide for the Privacy Commissioner to refer complaints to the Health Care Complaints Commission, the Commonwealth Privacy Commissioner (that is, the Office of the Privacy Commissioner established by the Privacy Act 1988 of the Commonwealth), and other persons or bodies.
Part 8 Miscellaneous
Clauses 68 and 69 create new offences relating to corrupt disclosure of health information by public officials and offering to supply health information corruptly disclosed. These offences mirror existing offences in the Privacy and Personal Information Protection Act 1998. Clause 70 creates offences prohibiting the use of intimidation, threats or misrepresentations to persuade an individual to refrain from making or pursuing a request, complaint or application under the proposed Act, or to give a consent (or do, without consent, an act for which consent is required) under the proposed Act.
Clause 71 prevents the proposed Act from giving rise to any civil or criminal liability except to the extent expressly provided by the proposed Act. For example, a contravention of the Act does not give rise to any action for a breach of statutory duty.
Clause 72 protects persons acting in good faith under the proposed Act from any action for defamation or breach of confidence or any criminal liability.
Clause 73 enables an organisation to charge a fee for certain matters, such as giving an individual a copy of health information. The fee must not exceed any fee prescribed by the regulations.
Clause 74 provides that offences against the proposed Act are to be dealt with summarily before a Local Court.
Clause 75 empowers the Governor to make regulations for or with respect to specified matters.
Clauses 76 and 77 are formal provisions giving effect to Schedule 2 (Savings and transitional provisions) and Schedule 3 (Amendment of the Privacy and Personal Information Protection Act 1998).
Clause 78 provides for the Minister to review the proposed Act as soon as possible after 5 years from the date of assent to the proposed Act. A report on the outcome of the review is to be tabled in Parliament.
Schedule 1 Health Privacy Principles
The Schedule contains the 15 Health Privacy Principles.
Schedule 2 Savings and transitional provisions
The Schedule contains savings and transitional provisions consequent on the enactment of the proposed Act.
Schedule 3 Amendment of Privacy and Personal Information Protection Act 1998
The Schedule contains various amendments to the Privacy and Personal Information Protection Act 1998 (the PPIP Act). The amendments set out in Schedule 3 [2], [3], [5], [12]–[20] and [22]–[25] are consequential to the enactment of the proposed Act. The other amendments are miscellaneous amendments to the PPIP Act.
Schedule 3 [4] and [11] make it clear that the requirements in section 15 of the PPIP Act relating to alteration of personal information held by public sector agencies apply despite anything to the contrary in section 25 of the PPIP Act or section 21 of the State Records Act 1998. Section 25 of the PPIP Act is a general exemption that authorises public sector agencies not to comply with specified provisions of the PPIP Act if non-compliance is authorised under an Act or any other law (including the State Records Act 1998). Section 21 of the State Records Act 1998 prohibits a person from (among other things) altering a State record.
Section 19 (1) of the PPIP Act prevents a public sector agency from disclosing certain personal information unless the disclosure is necessary to prevent a “serious or imminent threat” to the life or health of the individual concerned or another person. Schedule 3 [6] alters “serious or imminent threat” to “serious and imminent threat” in section 19 (1), for consistency with the wording of section 18 (1) (c) of the PPIP Act.
Section 19 (2)–(5) of the PPIP Act prevent a public sector agency from disclosing personal information to any person or body who is in a jurisdiction outside New South Wales except in specified circumstances. Schedule 3 [1], [7], [8] and [10] extend the prohibition to disclosure to Commonwealth agencies, which may be located within New South Wales. Schedule 3 [9] removes some redundant matter from section 19.
Schedule 3 [21] inserts two new sections into the PPIP Act. Proposed section 66A protects persons acting in good faith under that Act from any action for breach of confidence or defamation and from any criminal liability. This provision reflects a similar provision in the proposed Health Records and Information Privacy Act 1998 (clause 72) and in the Freedom of Information Act 1989.
Proposed section 66B enables a public sector agency to charge a fee for specified matters, such as giving an individual a copy of health information.
Note: If this Bill is not modified, these Explanatory Notes would reflect the Bill as passed in the House. If the Bill has been amended by Committee, these Explanatory Notes may not necessarily reflect the Bill as passed.