The Health Records and Information Privacy Act 2002

The University will endeavour to resolve any health privacy complaint informally with the applicant without the need for a formal review in the first instance.

However, any person who is aggrieved by the conduct of the University in relation to their health information is entitled to a formal review of that conduct by the University in accordance with Part 5 of PPIPA (pursuant to section 21 of HRIPA).

This means that an application for an internal review of conduct must be provided in accordance with Part 5 of PPIPA. It must be addressed to the University in writing with a return address, within 6 months of the time when the applicant first became aware of the offending conduct. The University must inform the Privacy Commissioner of the application and keep the Privacy Commissioner informed as to the progress and findings of the University.

The University will appoint a person who is suitably qualified (such as the privacy officer) to conduct a review of the application as soon as reasonably practicable. If the review is not completed within 60 days, the applicant is entitled to make an application to the Administrative Decisions Tribunal.

Within 14 days after the completion of the review, the University must notify the applicant in writing of the:

• findings of the review (and the reasons)
• the action proposed to be taken
• the right of the person to have those findings and the University's proposed action, reviewed by the Administrative Decisions Tribunal.

A person dissatisfied with the findings of the review or the action of the University may apply to the Administrative Decisions Tribunal (ADT) for a review of the conduct of the University. If the applicant is not satisfied with the findings of the ADT and orders made (if any), they may appeal to the Appeal Panel of the ADT.

HPP 1 — purposes of collection of health information

Health information that the University collects about you must be for a lawful purpose which is directly related to the University's activities and the information is reasonably necessary for that purpose.

HPP 2 — information must be relevant, not excessive, accurate and not intrusive

The University must ensure that the information it collects is relevant, and not excessive, accurate, up-to-date and complete. The collection should not unreasonably intrude into your personal affairs.

HPP 3 — collection to be from individual concerned

The University must only collect health information directly from the person concerned unless it is unreasonable or impractical to do so. For example, if a person lacks the capacity to provide their health information, the University may collect it from an authorised representative such as a carer or guardian. The statutory guideline on "use or disclosure of health information from a third party" provides more detail in relation to this HPP.

HPP 4 — individual to be made aware of certain matters

At or before the time when the health information is collected, or as soon as practicable after collection, the University must take reasonable steps to ensure that you are aware of the following:

• our contact details
• your right to request access to your information
• the purposes for which your information is collected
• the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind
• any law that requires that information to be collected
• the main consequences (if any) for the individual if all or part of the information is not provided.

The University does this by providing you with or publishing a collection notice, where appropriate.

HPP 5 — retention and security

Health information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from loss, unauthorised access, use, modification or disclosure and any other misuse. This means that the University should have appropriate access restrictions in place.

The University endeavours to ensure that:

• access to information is restricted according to the level of responsibility within the University
• computer passwords are regularly changed
• entry to buildings where important information is stored is by card access
• sensitive information is securely stored and locked;
• offices unattended are locked
• health information is stored away and not left exposed; and
• staff are aware of their privacy obligations.

The University's records and archives department (Macquarie Memory) stores information for so long as it is required to do so pursuant to the State Records Act 1998 (NSW) and other legislation.

HPP 6 — information about health information held by organisations

The University must provide you with enough details about what health information it is storing, why it is storing it and what rights you have to access it.

HPP 7 — access to health information

The University must allow you access to your health information without unreasonable delay and expense, subject to any applicable exemptions. The University may require that your application is provided in writing and that it state your name or the name of the person whose information is sought and (if relevant) the authorisation of the person on whose behalf the application is made. To make a formal application, please write to our privacy officer at privacyofficer@mq.edu.au.

HPP 8 — amendment to health information

The University must allow you to update, correct or amend your health information where necessary upon your reasonable request.

HPP 9 — accuracy

The University must ensure, before using health information that it holds, that it is relevant, accurate up to date and not misleading before using it.

HPP 10 — limits on use of health information

Generally, the University can only use your health information for the purpose for which it was collected. The purpose for which your information was collected should have been communicated to you at the time when your information was collected, or as soon as practicable thereafter, in accordance with HPP 3.

The University may use your health information for other purposes where you:

• consent to that use, or
• where it is for a purpose directly related to the purpose for which it was collected and you would expect the organization to use the information for that secondary purpose, or
• where it is reasonably believed by the organization to be necessary to prevent or lessen a serious and imminent threat to the life, health or safety of an individual or serious threat to public health or safety.

There are also other uses of health information which are permissible under the Act. For instance, where the use of the health information is reasonably necessary for the management of health services, training, or research, by a law enforcement agency to find a missing person or for their law enforcement functions where there are reasonable grounds to believe an offence may have been committed or where the organisation has reasonable grounds to suspect that unlawful activity may have been engaged in.

Further explanation and examples of these provisions are set out in the Handbook to Health Privacy.

HPP 11 — limits on disclosure of health information

In the absence of consent from you, the University may only disclose your health information to third parties where:

• the disclosure is directly related to the purpose for which the information was collected and you would reasonably expect that the University would disclose that information for that purpose, or
• where the University reasonably believes that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life, health or safety of you or another person or to lessen or prevent a serious threat to public health or public safety.

If the University has informed you at or around the time when your health information is collected of the likely third parties to whom your information may be disclosed, in accordance with HPP 3, you would reasonably expect that your information will be disclosed to those types of parties.

The circumstances pursuant to which your information will be disclosed to a third party because of a serious and imminent threat to your life or health or to others will be rare and uncommon. The University will only disclose your health information to others when the circumstances are serious and impending, such as in a life-threatening situation in which you are involved where you could be seriously injured or others might be injured as a result of your actions. Some likely parties to whom your information might be disclosed include the ambulance services or the police.

There are also other permissible disclosures of health information under the Act. For instance, where the disclosure of the health information is reasonably necessary for the management of health services, training, research, for compassionate reasons, and by a law enforcement agency to find a missing person or for their law enforcement functions where there are reasonable grounds to believe an offence may have been committed or where the organisation has reasonable grounds to suspect that unlawful activity may have been engaged in.

Further explanation and examples of these provisions are set out in the Handbook to Health Privacy.

If the University discloses health information under this HPP to another public sector agency, then the receiving agency must not use the information for a purpose other than the purpose for which it was given. For example, if the University disclosed personal details to the NSW police or ambulance service, and if they are a public sector agency, they cannot use the information for any other purpose other than to provide the response required for that situation.

HPP 12 — identifiers

The University may assign a health identifier to you if it is reasonably necessary to enable it to carry out is functions of providing the service to you.

HPP 13 — anonymity

Wherever it is lawful and practicable, the University must allow you the opportunity not to identify yourself when entering into transactions or receiving health services from the University or its controlled entities.

HPP 14 — transborder data flows and data flow to Commonwealth agencies

The University must not transfer health information about you to any person outside of NSW or to a Commonwealth agency, unless the University reasonably believes that the recipient has laws in place similar to the HPP's or you provide your consent to that transfer, or the transfer is necessary for the performance of a contract between you and us or in other circumstances listed in that HPP.

HPP 15 — linkage of health records

The University will not link your health records with the health records of other organisations unless you have provided your consent.

Exemptions from compliance with the HPPs

The University is not required to comply with HPPs 4, 5, 6, 7, 8, 10, 11 or 15 where it is lawfully authorised or required not to comply or where non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act).

Examples of where this exemption might apply to the University are:

• where the University is issued with a subpoena or a search warrant for certain information
• where a government department requests by formal notice certain health information held by the University, pursuant to its governing legislation, or
• where legislation requires that the University provide certain information in relation to its students or staff for the purposes of compiling statistics about the University, for example under the Tertiary Education and Quality Standards Agency Act 2011 (Cth).