Health Records and Information Privacy Act 2002 No 71
Current version for 1 July 2019 to date (accessed 20 September 2019 at 05:38)
Part 1 Preliminary
1   Name of Act
This Act is the Health Records and Information Privacy Act 2002.
2   Commencement
This Act commences on a day or days to be appointed by proclamation.
3   Purpose and objects of Act
(1)  The purpose of this Act is to promote fair and responsible handling of health information by:
(a)  protecting the privacy of an individual’s health information that is held in the public and private sectors, and
(b)  enabling individuals to gain access to their health information, and
(c)  providing an accessible framework for the resolution of complaints regarding the handling of health information.
(2)  The objects of this Act are:
(a)  to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and
(b)  to enhance the ability of individuals to be informed about their health care, and
(c)  to promote the provision of quality health services.
4   Definitions
(1)  In this Act:
authorised representative has the meaning given by section 8.
Commonwealth agency means an entity referred to in paragraph (a)–(h) of the definition of agency in the Privacy Act 1988 of the Commonwealth.
Commonwealth Privacy Commissioner means the Office of the Privacy Commissioner established by the Privacy Act 1988 of the Commonwealth.
exercise a function includes perform a duty.
function includes a power, authority or duty.
generally available publication means a publication (whether in paper or electronic form) that is generally available to members of the public, but does not include any publication or document declared by the regulations not to be a generally available publication for the purposes of this Act.
genetic information means health information of a type described in section 6 (d).
genetic relative means a person who is related to an individual by blood, for example, a sibling, parent or descendant of the individual.
guidelines means guidelines issued by the Privacy Commissioner as referred to in section 64.
health care means any care, treatment, advice, service or goods provided in respect of the physical or mental health of a person.
Health Care Complaints Commission means the Health Care Complaints Commission constituted by the Health Care Complaints Act 1993.
health information has the meaning given by section 6.
health privacy code of practice or code means a privacy code of practice relating to health information made under Part 5.
Health Privacy Principle or HPP means a clause of Schedule 1. A reference in this Act to a Health Privacy Principle by number is a reference to the clause of Schedule 1 with that number.
health service includes the following services, whether provided as public or private services:
(a)  medical, hospital, nursing and midwifery services,
(b)  dental services,
(c)  mental health services,
(d)  pharmaceutical services,
(e)  ambulance services,
(f)  community health services,
(g)  health education services,
(h)  welfare services necessary to implement any services referred to in paragraphs (a)–(g),
(i)  services provided in connection with Aboriginal and Torres Strait Islander health practices and medical radiation practices,
(j)  Chinese medicine, chiropractic, occupational therapy, optometry, osteopathy, physiotherapy, podiatry and psychology services,
(j1)  optical dispensing, dietitian, massage therapy, naturopathy, acupuncture, speech therapy, audiology and audiometry services,
(k)  services provided in other alternative health care fields in the course of providing health care,
(l)  a service prescribed by the regulations as a health service for the purposes of this Act.
health service provider means an organisation that provides a health service but does not include:
(a)  a health service provider, or a class of health service providers, that is prescribed by the regulations as an exempt health service provider:
(i)  for the purposes of this Act generally, or
(ii)  for the purposes of specified provisions of this Act, or
(iii)  for the purposes of specified Health Privacy Principles or health privacy codes of practice, or
(iv)  to the extent to which it is prescribed by the regulations as an exempt health service provider, or
(b)  an organisation that merely arranges for a health service to be provided to an individual by another organisation.
healthcare identifier has the same meaning as it has in the Healthcare Identifiers Act 2010 of the Commonwealth.
identifier means an identifier (which is usually, but need not be, a number), not being an identifier that consists only of the individual’s name, that is:
(a)  assigned to an individual in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual, whether or not it is subsequently used otherwise than in conjunction with or in relation to health information, or
(b)  adopted, used or disclosed in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual.
immediate family member of an individual means a person who is:
(a)  a parent, child or sibling of the individual, or
(b)  a spouse of the individual, or
(c)  a member of the individual’s household who is a relative of the individual, or
(d)  a person nominated to an organisation by the individual as a person to whom health information relating to the individual may be disclosed.
investigative agency means any of the following:
(a)  the Ombudsman’s Office,
(b)  the Independent Commission Against Corruption,
(b1)  the Inspector of the Independent Commission Against Corruption,
(c)  the Law Enforcement Conduct Commission,
(d)  the Inspector of the Law Enforcement Conduct Commission and any staff of the Inspector,
(e)  the Community Services Commission,
(f)  the Health Care Complaints Commission,
(g)  the office of Legal Services Commissioner,
(g1)  the Ageing and Disability Commissioner,
(h)  a person or body prescribed by the regulations for the purposes of this definition.
law enforcement agency means any of the following:
(a)  the NSW Police Force, or the police force of another State or a Territory,
(b)  the New South Wales Crime Commission,
(c)  the Australian Federal Police,
(d)  the Australian Crime Commission,
(e)  the Director of Public Prosecutions of New South Wales, of another State or a Territory or of the Commonwealth,
(f)  the Department of Corrective Services,
(g)  the Department of Juvenile Justice,
(h)  a person or body prescribed by the regulations for the purposes of this definition.
local government authority means a council, a county council or a joint organisation within the meaning of the Local Government Act 1993.
news activity means:
(a)  the gathering of news for the purposes of dissemination to the public or any section of the public, or
(b)  the preparation or compiling of articles or programs of or concerning news, observations on news or current affairs for the purpose of dissemination to the public or any section of the public, or
(c)  the dissemination to the public or any section of the public of any article or program of or concerning news, observations on news or current affairs.
news medium means any organisation whose business, or whose principal business, consists of a news activity.
organisation means a public sector agency or a private sector person.
personal information has the meaning given by section 5.
Privacy Commissioner means the Privacy Commissioner appointed under the PPIP Act.
private sector person means any of the following that is not a public sector agency:
(a)  a natural person,
(b)  a body corporate,
(c)  a partnership,
(d)  a trust or any other unincorporated association or body,
but does not include a small business operator within the meaning of the Privacy Act 1988 of the Commonwealth, or an agency within the meaning of that Act.
Note.
Small business operator is defined in section 6D of the Privacy Act 1988 of the Commonwealth. Several types of businesses or activities are excluded from that definition. In particular, under section 6D (4) (b) an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if it provides a health service to an individual and holds any health information except in an employee record.
public sector agency means any of the following:
(a)  a government department or the Teaching Service,
(b)  a statutory body representing the Crown,
(c)    (Repealed)
(d)  a person or body in relation to whom, or to whose functions, an account is kept of administration or working expenses, if the account:
(i)  is part of the accounts prepared under the Public Finance and Audit Act 1983, or
(ii)  is required by or under any Act to be audited by the Auditor-General, or
(iii)  is an account with respect to which the Auditor-General has powers under any law, or
(iv)  is an account with respect to which the Auditor-General may exercise powers under a law relating to the audit of accounts if requested to do so by a Minister of the Crown,
(e)  the NSW Police Force,
(e1)  Service NSW Division of the Government Service,
(f)  a local government authority,
(g)  a person or body that:
(i)  provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraphs (a)–(f), or that receives funding from any such body in connection with providing data services, and
(ii)  is prescribed by the regulations for the purposes of this definition,
but does not include a State owned corporation.
public sector official means any of the following:
(a)  a person appointed by the Governor, or a Minister, to a statutory office,
(b)  a judicial officer within the meaning of the Judicial Officers Act 1986,
(c)  a person employed in the Government Service, the Teaching Service, the NSW Health Service or the NSW Police Force,
(d)  a local government councillor or a person employed by a local government authority,
(e)  a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,
(f)  a person who is employed or engaged by:
(i)  a public sector agency, or
(ii)  a person referred to in paragraphs (a)–(e),
(g)  a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraphs (a)–(e).
related body corporate, in relation to an organisation that is a body corporate, has the same meaning as in the Corporations Act 2001 of the Commonwealth.
relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece of the individual.
sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother or step-sister of the individual.
spouse means:
(a)  the person to whom a person is legally married (including the husband or wife of a person), or
(b)  a de facto partner,
but where more than one person would so qualify as a spouse, means only the last person so to qualify.
Note.
 “De facto partner” is defined in section 21C of the Interpretation Act 1987.
staff of the Inspector of the Independent Commission Against Corruption means:
(a)  any staff employed under section 57E (1) or (2) of the Independent Commission Against Corruption Act 1988, and
(b)  any consultants engaged under section 57E (3) of that Act.
staff of the Inspector of the Law Enforcement Conduct Commission means the staff of the Inspector within the meaning of section 128 (1) of the Law Enforcement Conduct Commission Act 2016.
State record has the same meaning as in the State Records Act 1998.
Tribunal means the Civil and Administrative Tribunal.
Note.
 The Interpretation Act 1987 contains definitions and other provisions that affect the interpretation and application of this Act.
(2)  A reference in this Act to non-compliance with a requirement of this Act being permitted (or necessarily implied or reasonably contemplated) under an Act or other law includes a reference to non-compliance that is permitted (or necessarily implied or reasonably contemplated) under an Act of the Commonwealth.
(3)  Notes included in this Act do not form part of this Act.
5   Definition of “personal information”
(1)  In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2)  Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.
(3)  Personal information does not include any of the following:
(a)  information about an individual who has been dead for more than 30 years,
(b)  information about an individual that is contained in a generally available publication,
(c)  information about an individual that is contained in a document kept in a library, art gallery or museum for the purposes of reference, study or exhibition,
(d)  information about an individual that is contained in a State record under the control of the State Records Authority that is available for public inspection in accordance with the State Records Act 1998,
(e)  information about an individual that is contained in archives within the meaning of the Copyright Act 1968 of the Commonwealth,
(f)  information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
(g)  information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
(h)  information about an individual that is contained in a public interest disclosure within the meaning of the Public Interest Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a public interest disclosure,
(i)  information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
(j)  information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
(k)  information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,
(l)  information about an individual that is contained in Cabinet information or Executive Council information under the Government Information (Public Access) Act 2009,
(m)  information or an opinion about an individual’s suitability for appointment or employment as a public sector official,
(n)  information about an individual that forms part of an employee record (within the meaning of the Privacy Act 1988 of the Commonwealth) about the individual held by a private sector person,
(o)  information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
6   Definition of “health information”
In this Act, health information means:
(a)  personal information that is information or an opinion about:
(i)  the physical or mental health or a disability (at any time) of an individual, or
(ii)  an individual’s express wishes about the future provision of health services to him or her, or
(iii)  a health service provided, or to be provided, to an individual, or
(b)  other personal information collected to provide, or in providing, a health service, or
(c)  other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or
(d)  other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
(e)  healthcare identifiers,
but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.
7   Capacity
(1)  An individual is incapable of doing an act authorised, permitted or required by this Act if the individual is incapable (despite the provision of reasonable assistance by another person) by reason of age, injury, illness, physical or mental impairment of:
(a)  understanding the general nature and effect of the act, or
(b)  communicating the individual’s intentions with respect to the act.
(2)  An authorised representative of an individual may do such an act on behalf of an individual who is incapable of doing that act.
(3)  An authorised representative may not do such an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the authorised representative to do that act.
8   Definition of “authorised representative”
(1)  In this Act, authorised representative, in relation to an individual, means:
(a)  an attorney for the individual under an enduring power of attorney, or
(b)  a guardian within the meaning of the Guardianship Act 1987, or a person responsible within the meaning of Part 5 of that Act, or
(c)  a person having parental responsibility for the individual, if the individual is a child, or
(d)  a person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual.
(2)  A person is not an authorised representative of an individual for the purposes of this Act to the extent that acting as an authorised representative of the individual is inconsistent with an order made by a court or tribunal.
(3)  In this section:
child means an individual under 18 years of age.
parental responsibility, in relation to a child, means all the duties, powers, responsibility and authority which, by law, parents have in relation to their children.
9   What constitutes “holding” information
For the purposes of this Act, health information is held by an organisation if:
(a)  the organisation is in possession or control of the information (whether or not the information is contained in a document that is outside New South Wales), or
(b)  the information is in the possession or control of a person employed or engaged by the organisation in the course of such employment or engagement, or
(c)  in the case of a public sector agency—the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
10   Unsolicited information not considered “collected”
For the purposes of this Act, health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited.