The Law Handbook 2024

Chapter 12.2: Privacy and your rights 1121 – the information is confidential under section 27 of the HR Act. Note that HPP 6 does not apply to public sector organisations subject to the FoI Act (Vic) (see ‘Exemptions from the Health Records Act and the Health Privacy Principles’, below). If an individual establishes that health information held by an organisation is not accurate, complete or up-to-date, the organisation must take reasonable steps to correct that information – but cannot delete it unless in accordance with HPP 4. If the organisation is unwilling to correct the information, it must take reasonable steps to attach a written statement to the information about its inaccuracy. If the organisation accepts the need to correct the information, there are provisions that guide the organisation on how to address this where there are difficulties in correcting the information. If an organisation refuses a request to access and correct information, it must provide written reasons for its refusal. • HPP 7: Identifiers An organisation can only give an individual an identifier if it is reasonably necessary to enable the organisation to carry out its functions efficiently. If a public sector organisation has assigned an identifier, private sector organisations are only allowed to use and disclose the same identifier in limited circumstances. • HPP 8: Anonymity If lawful and practicable, organisations must give individuals the option of remaining anonymous when engaging with the organisation. • HPP 9: Transborder data flows An organisation can only transfer health information outside Victoria in limited circumstances, including with the individual’s consent, and where there are safeguards (in the territory to which the information is being transferred) around the privacy of the information that are similar to the HR Act. • HPP 10: Transfer or closure of a health service provider This HPP applies where a health service provider sells or otherwise transfers the business, or the business closes down. It details how individuals whose health information is held must be informed of both the business’ transfer or closure and how their information will be transferred. If individuals request their information to be transferred to them, this is treated as a request for access under Part 5 of the HR Act or HPP 6. If an individual asks for their information to be transferred to another health service provider, then HPP 11 applies. • HPP 11: Making information available to another health service provider A health service provider must make health information available to another health service provider on request with the authority of the individual who the information is about. Exemptions from the Health Records Act and the Health Privacy Principles The following are exempt from needing to comply with the HR Act and the Health Privacy Principles: • individuals who hold health information in connection with their personal, family or household affairs (s 13); • courts and tribunals in carrying out their judicial and quasi-judicial functions – this exemption also applies to court registrars and other court/tribunal staff carrying out tasks relating to the judicial and quasi-judicial functions of the court (s 14); • Royal Commissions, board of inquiries and formal reviews – this exemption only applies when health information is collected in connection with the function of the Royal Commission, board, or review (s 14A); • publicly available information – this mirrors the exemption under the PDP Act. Note that the exemption does not apply where the organisation knows that the publicly available health information has been obtained in breach of the HR Act (s 15); • organisations subject to the FoI Act (Vic) are not required to comply with any of the access and correction provisions under Part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 16); • news media are exempt from HPP 1, 2 and 9 (i.e. the collection, use, disclosure and transfer of health information) in relation to news activities. Unless the health information is published, they are not required to comply with Part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 17). ‘News media’ is defined as organisations whose principal business is news activities. ‘News activities’ include gathering news and preparing articles or programs

RkJQdWJsaXNoZXIy MTkzMzM0