Health privacy principles

summary

Information privacy

principles summary

1. Collection

Only collect health information if necessary for the performance of a function or activity and with consent (or if it falls within HPP 1).Notify individuals about what you do with the information and that they can gain access to it.

1. Collection

Collect only personal information that is necessary for performance of functions.

Advise individuals that they can gain access to personal information.

2. Use and disclosure

Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect. Otherwise, you generally need consent.

2. Use and disclosure

Use and disclose personal information only for the primary purpose for which it was collected or a secondary purpose the person would reasonably expect. Use for secondary purposes should have the consent of the person.

3. Data quality

Take reasonable steps to ensure health information you hold is accurate, complete, up-to-date and relevant to the functions you perform.

3. Data quality

Make sure personal information is accurate, complete and up-to-date.

4. Data security and retention

Safeguard the health information you hold against misuse, loss, unauthorised access and modification. Only destroy or delete health information in accordance with HPP 4.

4. Data security

Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.

5. Openness

Document clearly expressed policies on your management of health information and make this statement available to anyone who asks for it.

5. Openness

Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.

6. Access and correction

Individuals have a right to seek access to health information held about them in the private sector, and to correct it if it is inaccurate, incomplete, misleading or not up-to-date.*

6. Access and correction

Individuals have a right to seek access to their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.

7. Identifiers

Only assign a number to identify a person if the assignment is reasonably necessary to carry out your functions efficiently.

7. Unique identifiers

A unique identifier is usually a number assigned to an individual in order to identify the person for the purposes of the organisation’s operations. Tax File Numbers and Driver’s Licence Numbers are examples. Unique identifiers can facilitate data matching. Data matching can diminish privacy. IPP 7 limits the adoption and sharing of unique numbers.

8. Anonymity

Give individuals the option of not identifying themselves when entering transactions with organisations where this is lawful and practicable.

8. Anonymity

Give individuals the option of not identifying themselves when entering transactions with organisations if that would be lawful and feasible.

9. Transborder data flows

Only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to the HPPs.

9. Transborder data flows

Basically, if your personal information travels, your privacy protection should travel with it. Transfer of personal information outside Victoria is restricted. Personal information may be transferred only if the recipient protects privacy under standards similar to Victoria’s IPPs.

10. Transfer/closure of practice of health service provider

If you’re a health service provider, and your business or practice is being sold, transferred or closed down, without you continuing to provide services, you must give notice of the transfer or closure to past service users.

10. Sensitive information

The law restricts collection of sensitive information like an Individual’s racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.

11. Making information available to another health service provider.

If you’re a health service provider, you must make health information relating to an individual available to another health service provider if requested by the individual.