Frequently asked questions (for the private sector)
General
What is privacy?
What is personal information?
What is health information?
What are the health privacy principles?
Health
Is my business/organisation covered by the HRIP Act?
How should an organisation proceed when it has privacy obligations under the HRIP Act as well as under the Federal Privacy Act 1988?
Do I need a separate health information privacy policy under the HRIP Act?
General
What is privacy?
Privacy has sometimes been described as:
- the right to be left alone, or
- the right to exercise control over one’s personal information, or
- a set of conditions necessary to protect our individual dignity and autonomy.
We often think about privacy in different ways, for example:
- physical privacy – such as bag searching or the use of our DNA
- information privacy – the way in which governments or organisations handle our personal information, such as our age, address, sexual preference and so on
- freedom from excessive surveillance – our right to go about our daily lives without being surveilled or having all our actions caught on camera.
What is personal information?
Personal information is any information or opinion about an identifiable person. This includes records containing your name, address, sex, etc., or physical information like fingerprints, body samples or your DNA.
What is health information?
‘Health information’ is a specific type of personal information. Health information includes personal information that is information or an opinion about the physical or mental health or a disability of an individual.
Health information also includes personal information that is information or an opinion about:
- a health service provided, or to be provided, to an individual
- an individual’s express wishes about the future provision of health services to him or her
- other personal information collected in connection with the donation of human tissue
- genetic information that is or could be predictive of the health of an individual or their relatives or descendants.
If your organisation is a health service provider, ‘health information’ includes all of the above plus any other personal information collected to provide, or in providing a health service.
‘Health information’ is defined in section 6 of the HRIP Act.
What are the health privacy principles?
The 15 health privacy principles (HPPs) are the key to the Health Records and Information Privacy Act (HRIP Act). They are legal obligations describing what NSW public sector agencies and private sector organisations and individuals, such as businesses, private hospitals, GPs, gyms and so on must do when they handle health information. The 15 HPPs lay down the basic rules of what an organisation must do when it collects, stores, uses and discloses health information. The HPPs also cover access and correction rights.
See a plain English version of the HPPs.
However, in some cases, organisations do not have to comply with one or more of the HPPs. For more information about exemptions, read about the HRIP Act exemptions or contact the Privacy Contact Officer in your organisation or Privacy NSW.
Health
Is my business/organisation covered by the HRIP Act?
The HRIP Act covers all NSW public sector agencies and private sector persons or organisations in New South Wales that provide a health service or that collect, hold or use health information.
All health service providers are covered by the HRIP Act, regardless of their annual turnover. This means that individual GPs are covered.
The Act also covers all large businesses (annual turnover of $3 million or more). Small businesses (annual turnover of less than $3 million) are not covered. See the definition of ‘small business’ in section 6D of the Federal Privacy Act.
How should an organisation proceed when it has privacy obligations under the HRIP Act as well as under the Federal Privacy Act 1988?
If your organisation has privacy obligations under both the Federal Privacy Act 1988 and the HRIP Act, you should comply with both Acts concurrently. This should be possible in most cases; however, the Australian Constitution provides that when a law of the State is inconsistent with a law of the Australian Government, the latter prevails to the extent of the inconsistency.
Do I need a separate health information privacy policy under the HRIP Act?
Not necessarily. If your organisation is already covered by a privacy law (such as the Federal Privacy Act), it is best to approach implementation of the HRIP Act in an integrated way.
For example, your organisation’s privacy policy statement could address the way that your organisation deals with personal information and health information under the privacy laws by which it is bound. The preamble might state:
“This privacy policy details how the organisation deals with personal information and health information it collects to ensure that it complies with the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW). In the privacy policy, a reference to ‘information’ is a reference to both personal information and health information.”