{"id":"nsw:act-2002-071","name":"Health Records and Information Privacy Act 2002","slug":"health-records-and-information-privacy-act-2002","collection":"act","jurisdiction":"nsw","status":"in_force","isInForce":true,"actNumber":"71 of 2002","makingDate":null,"administeringDepartment":null,"currentVersion":{"id":105071,"registerId":"nsw-act-2002-071-current","compilationNumber":null,"startDate":"2026-04-03","status":"InForce","reasons":null,"registeredAt":null},"sections":[{"sectionNumber":"Part 1","sectionType":"part","heading":"Preliminary","content":"# Part 1 Preliminary\n\nPart 1 Preliminary","sortOrder":0},{"sectionNumber":"1","sectionType":"section","heading":"Name of Act","content":"#### 1 Name of Act\n\n1 Name of Act\n\n> This Act is the [Health Records and Information Privacy Act 2002](/view/html/inforce/current/act-2002-071).","sortOrder":1},{"sectionNumber":"2","sectionType":"section","heading":"Commencement","content":"#### 2 Commencement\n\n2 Commencement\n\n> This Act commences on a day or days to be appointed by proclamation.","sortOrder":2},{"sectionNumber":"3","sectionType":"section","heading":"Purpose and objects of Act","content":"#### 3 Purpose and objects of Act\n\n3 Purpose and objects of Act\n\n> > (1) The purpose of this Act is to promote fair and responsible handling of health information by—\n> > \n> > > (a) protecting the privacy of an individual’s health information that is held in the public and private sectors, and\n> > \n> > > (b) enabling individuals to gain access to their health information, and\n> > \n> > > (c) providing an accessible framework for the resolution of complaints regarding the handling of health information.\n> \n> > (2) The objects of this Act are—\n> > \n> > > (a) to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and\n> > \n> > > (b) to enhance the ability of individuals to be informed about their health care, and\n> > \n> > > (c) to promote the provision of quality health services.","sortOrder":3},{"sectionNumber":"4","sectionType":"section","heading":"Definitions","content":"#### 4 Definitions\n\n4 Definitions\n\n> > (1) In this Act—\n> > \n> > authorised representative has the meaning given by section 8.\n> > \n> > Commonwealth agency means an entity referred to in paragraph (a)–(h) of the definition of agency in the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth.\n> > \n> > Commonwealth Privacy Commissioner means the Office of the Privacy Commissioner established by the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth.\n> > \n> > emergency has the same meaning as in the [State Emergency and Rescue Management Act 1989](/view/html/inforce/current/act-1989-165).\n> > \n> > exercise a function includes perform a duty.\n> > \n> > function includes a power, authority or duty.\n> > \n> > generally available publication means a publication (whether in paper or electronic form) that is generally available to members of the public, but does not include any publication or document declared by the regulations not to be a generally available publication for the purposes of this Act.\n> > \n> > genetic information means health information of a type described in section 6 (d).\n> > \n> > genetic relative means a person who is related to an individual by blood, for example, a sibling, parent or descendant of the individual.\n> > \n> > guidelines means guidelines issued by the Privacy Commissioner as referred to in section 64.\n> > \n> > health care means any care, treatment, advice, service or goods provided in respect of the physical or mental health of a person.\n> > \n> > Health Care Complaints Commission means the Health Care Complaints Commission constituted by the [Health Care Complaints Act 1993](/view/html/inforce/current/act-1993-105).\n> > \n> > health information has the meaning given by section 6.\n> > \n> > health privacy code of practice or code means a privacy code of practice relating to health information made under Part 5.\n> > \n> > Health Privacy Principle or HPP means a clause of Schedule 1. A reference in this Act to a Health Privacy Principle by number is a reference to the clause of Schedule 1 with that number.\n> > \n> > health service includes the following services, whether provided as public or private services—\n> > \n> > > (a) medical, hospital, nursing and midwifery services,\n> > \n> > > (b) dental services,\n> > \n> > > (c) mental health services,\n> > \n> > > (d) pharmaceutical services,\n> > \n> > > (e) ambulance services,\n> > \n> > > (f) community health services,\n> > \n> > > (g) health education services,\n> > \n> > > (h) welfare services necessary to implement any services referred to in paragraphs (a)–(g),\n> > \n> > > (i) services provided in connection with Aboriginal and Torres Strait Islander health practices and medical radiation practices,\n> > \n> > > (j) Chinese medicine, chiropractic, occupational therapy, optometry, osteopathy, physiotherapy, podiatry and psychology services,\n> > \n> > > (j1) optical dispensing, dietitian, massage therapy, naturopathy, acupuncture, speech therapy, audiology and audiometry services,\n> > \n> > > (k) services provided in other alternative health care fields in the course of providing health care,\n> > \n> > > (l) a service prescribed by the regulations as a health service for the purposes of this Act.\n> > \n> > health service provider means an organisation that provides a health service but does not include—\n> > \n> > > (a) a health service provider, or a class of health service providers, that is prescribed by the regulations as an exempt health service provider—\n> > > \n> > > > (i) for the purposes of this Act generally, or\n> > > \n> > > > (ii) for the purposes of specified provisions of this Act, or\n> > > \n> > > > (iii) for the purposes of specified Health Privacy Principles or health privacy codes of practice, or\n> > > \n> > > > (iv) to the extent to which it is prescribed by the regulations as an exempt health service provider, or\n> > \n> > > (b) an organisation that merely arranges for a health service to be provided to an individual by another organisation.\n> > \n> > healthcare identifier has the same meaning as it has in the [Healthcare Identifiers Act 2010](http://www.legislation.gov.au/) of the Commonwealth.\n> > \n> > identifier means an identifier (which is usually, but need not be, a number), not being an identifier that consists only of the individual’s name, that is—\n> > \n> > > (a) assigned to an individual in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual, whether or not it is subsequently used otherwise than in conjunction with or in relation to health information, or\n> > \n> > > (b) adopted, used or disclosed in conjunction with or in relation to the individual’s health information by an organisation for the purpose of uniquely identifying that individual.\n> > \n> > immediate family member of an individual means a person who is—\n> > \n> > > (a) a parent, child or sibling of the individual, or\n> > \n> > > (b) a spouse of the individual, or\n> > \n> > > (c) a member of the individual’s household who is a relative of the individual, or\n> > \n> > > (d) a person nominated to an organisation by the individual as a person to whom health information relating to the individual may be disclosed.\n> > \n> > investigative agency means any of the following—\n> > \n> > > (a) the Ombudsman’s Office,\n> > \n> > > (b) the Independent Commission Against Corruption,\n> > \n> > > (b1) the Inspector of the Independent Commission Against Corruption,\n> > \n> > > (c) the Law Enforcement Conduct Commission,\n> > \n> > > (d) the Inspector of the Law Enforcement Conduct Commission and any staff of the Inspector,\n> > \n> > > (e) the Community Services Commission,\n> > \n> > > (f) the Health Care Complaints Commission,\n> > \n> > > (g) the office of Legal Services Commissioner,\n> > \n> > > (g1) the Ageing and Disability Commissioner,\n> > \n> > > (g2) the Children’s Guardian,\n> > \n> > > (h) a person or body prescribed by the regulations for the purposes of this definition.\n> > \n> > law enforcement agency means any of the following—\n> > \n> > > (a) the NSW Police Force, or the police force of another State or a Territory,\n> > \n> > > (b) the New South Wales Crime Commission,\n> > \n> > > (c) the Australian Federal Police,\n> > \n> > > (d) the Australian Crime Commission,\n> > \n> > > (e) the Director of Public Prosecutions of New South Wales, of another State or a Territory or of the Commonwealth,\n> > \n> > > (f) the Department of Corrective Services,\n> > \n> > > (g) the Department of Juvenile Justice,\n> > \n> > > (h) a person or body prescribed by the regulations for the purposes of this definition.\n> > \n> > local government authority means a council, a county council or a joint organisation within the meaning of the [Local Government Act 1993](/view/html/inforce/current/act-1993-030).\n> > \n> > news activity means—\n> > \n> > > (a) the gathering of news for the purposes of dissemination to the public or any section of the public, or\n> > \n> > > (b) the preparation or compiling of articles or programs of or concerning news, observations on news or current affairs for the purpose of dissemination to the public or any section of the public, or\n> > \n> > > (c) the dissemination to the public or any section of the public of any article or program of or concerning news, observations on news or current affairs.\n> > \n> > news medium means any organisation whose business, or whose principal business, consists of a news activity.\n> > \n> > organisation means a public sector agency or a private sector person.\n> > \n> > personal information has the meaning given by section 5.\n> > \n> > PPIP Act means the [Privacy and Personal Information Protection Act 1998](/view/html/inforce/current/act-1998-133).\n> > \n> > Privacy Commissioner means the Privacy Commissioner appointed under the PPIP Act.\n> > \n> > private sector person means any of the following that is not a public sector agency—\n> > \n> > > (a) a natural person,\n> > \n> > > (b) a body corporate,\n> > \n> > > (c) a partnership,\n> > \n> > > (d) a trust or any other unincorporated association or body,\n> > \n> > but does not include a small business operator within the meaning of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth, or an agency within the meaning of that Act.\n> > \n> > Note.\n> > \n> > Small business operator is defined in section 6D of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth. Several types of businesses or activities are excluded from that definition. In particular, under section 6D (4) (b) an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if it provides a health service to an individual and holds any health information except in an employee record.\n> > \n> > public sector agency means any of the following—\n> > \n> > > (a) a government department or the Teaching Service,\n> > \n> > > (b) a statutory body representing the Crown,\n> > \n> > > (c) a State owned corporation that is not subject to the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth,\n> > \n> > > (d) an auditable entity within the meaning of the [Government Sector Audit Act 1983](/view/html/inforce/current/act-1983-152) or any other entity within the meaning of that Act (or entity of a kind) prescribed by the regulations, but excluding an entity (or entity of a kind) prescribed by the regulations,\n> > \n> > > (e) the NSW Police Force,\n> > \n> > > (e1) Service NSW Division of the Government Service,\n> > \n> > > (f) a local government authority,\n> > \n> > > (g) a person or body that—\n> > > \n> > > > (i) provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraphs (a)–(f), or that receives funding from any such body in connection with providing data services, and\n> > > \n> > > > (ii) is prescribed by the regulations for the purposes of this definition.\n> > \n> > public sector official means any of the following—\n> > \n> > > (a) a person appointed by the Governor, or a Minister, to a statutory office,\n> > \n> > > (b) a judicial officer within the meaning of the [Judicial Officers Act 1986](/view/html/inforce/current/act-1986-100),\n> > \n> > > (c) a person employed in the Government Service, the Teaching Service, the NSW Health Service or the NSW Police Force,\n> > \n> > > (d) a local government councillor or a person employed by a local government authority,\n> > \n> > > (e) a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,\n> > \n> > > (f) a person who is employed or engaged by—\n> > > \n> > > > (i) a public sector agency, or\n> > > \n> > > > (ii) a person referred to in paragraphs (a)–(e),\n> > \n> > > (g) a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraphs (a)–(e).\n> > \n> > related body corporate, in relation to an organisation that is a body corporate, has the same meaning as in the [Corporations Act 2001](http://www.legislation.gov.au/) of the Commonwealth.\n> > \n> > relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece of the individual.\n> > \n> > sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother or step-sister of the individual.\n> > \n> > spouse means—\n> > \n> > > (a) the person to whom a person is legally married (including the husband or wife of a person), or\n> > \n> > > (b) a de facto partner,\n> > \n> > but where more than one person would so qualify as a spouse, means only the last person so to qualify.\n> > \n> > Note.\n> > \n> > “De facto partner” is defined in section 21C of the [Interpretation Act 1987](/view/html/inforce/current/act-1987-015).\n> > \n> > staff of the Inspector of the Independent Commission Against Corruption means—\n> > \n> > > (a) any staff employed under section 57E (1) or (2) of the [Independent Commission Against Corruption Act 1988](/view/html/inforce/current/act-1988-035), and\n> > \n> > > (b) any consultants engaged under section 57E (3) of that Act.\n> > \n> > staff of the Inspector of the Law Enforcement Conduct Commission means the staff of the Inspector within the meaning of section 128 (1) of the [Law Enforcement Conduct Commission Act 2016](/view/html/inforce/current/act-2016-061).\n> > \n> > stage, of an emergency, means a stage in relation to an emergency mentioned in the [State Emergency and Rescue Management Act 1989](/view/html/inforce/current/act-1989-165), section 5.\n> > \n> > State record has the same meaning as in the [State Records Act 1998](/view/html/inforce/current/act-1998-017).\n> > \n> > Tribunal means the Civil and Administrative Tribunal.\n> > \n> > Note.\n> > \n> > The [Interpretation Act 1987](/view/html/inforce/current/act-1987-015) contains definitions and other provisions that affect the interpretation and application of this Act.\n> \n> > (2) A reference in this Act to non-compliance with a requirement of this Act being permitted (or necessarily implied or reasonably contemplated) under an Act or other law includes a reference to non-compliance that is permitted (or necessarily implied or reasonably contemplated) under an Act of the Commonwealth.\n> \n> > (3) Notes included in this Act do not form part of this Act.\n> \n> **s 4:** Am 2003 No 13, Sch 1.13; 2004 No 114, Sch 2.8; 2005 No 10, Sch 2.5 \\[1\\] \\[2\\]; 2006 No 2, Sch 5.4; 2006 No 94, Sch 3.15; 2009 No 61, Sch 4.4 \\[1\\] \\[2\\]; 2010 No 19, Sch 3.45 \\[1\\] \\[2\\]; 2010 No 34, Sch 2.26 \\[1\\] \\[2\\]; 2010 No 96, Sch 3 \\[1\\]; 2011 No 62, Schs 1.9, 3.13 \\[1\\]; 2012 No 39, Sch 1.2 \\[1\\]; 2012 No 42, Sch 1.13 \\[1\\] \\[2\\]; 2012 No 95, Sch 2.16; 2013 No 39, Sch 2.2; 2013 No 95, Sch 2.75 \\[1\\]; 2016 No 61, Sch 6.24 \\[1\\] \\[2\\]; 2017 No 50, Sch 5.17; 2017 No 65, Sch 2.12; 2018 No 28, Sch 1.13; 2018 No 70, Sch 4.48; 2019 No 7, Sch 1.5; 2019 No 25, Sch 5.23\\[1\\]; 2021 No 32, Sch 1.4\\[1\\]; 2024 No 22, Sch 4\\[1\\] \\[2\\].","sortOrder":4},{"sectionNumber":"5","sectionType":"section","heading":"Definition of “personal information”","content":"#### 5 Definition of “personal information”\n\n5 Definition of “personal information”\n\n> > (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.\n> \n> > (2) Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.\n> \n> > (3) Personal information does not include any of the following—\n> > \n> > > (a) information about an individual who has been dead for more than 30 years,\n> > \n> > > (b) information about an individual that is contained in a generally available publication,\n> > \n> > > (c) information about an individual that is contained in a document kept in a library, art gallery or museum for the purposes of reference, study or exhibition,\n> > \n> > > (d) information about an individual that is contained in a State record under the control of the State Records Authority that is available for public inspection in accordance with the [State Records Act 1998](/view/html/inforce/current/act-1998-017),\n> > \n> > > (e) information about an individual that is contained in archives within the meaning of the [Copyright Act 1968](http://www.legislation.gov.au/) of the Commonwealth,\n> > \n> > > (f) information about a witness who is included in a witness protection program under the [Witness Protection Act 1995](/view/html/inforce/current/act-1995-087) or who is subject to other witness protection arrangements made under an Act,\n> > \n> > > (g) information about an individual arising out of a warrant issued under the [Telecommunications (Interception) Act 1979](http://www.legislation.gov.au/) of the Commonwealth,\n> > \n> > > (h) information about an individual that is contained in a public interest disclosure within the meaning of the [Public Interest Disclosures Act 2022](/view/html/inforce/current/act-2022-014), or that has been collected while dealing with a voluntary public interest disclosure in accordance with that Act, Part 5, Division 2,\n> > \n> > > (i) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the [Law Enforcement (Controlled Operations) Act 1997](/view/html/inforce/current/act-1997-136),\n> > \n> > > (j) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,\n> > \n> > > (k) information about an individual arising out of a complaint made under Part 8A of the [Police Act 1990](/view/html/inforce/current/act-1990-047),\n> > \n> > > (l) information about an individual that is contained in Cabinet information or Executive Council information under the [Government Information (Public Access) Act 2009](/view/html/inforce/current/act-2009-052),\n> > \n> > > (m) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,\n> > \n> > > (n) information about an individual that forms part of an employee record (within the meaning of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth) about the individual held by a private sector person,\n> > \n> > > (o) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.\n> \n> **s 5:** Am 2009 No 54, Sch 2.23 \\[1\\]; 2010 No 84, Sch 2.4; 2011 No 37, Sch 2.2; 2011 No 62, Sch 3.13 \\[2\\]; 2022 No 14, Sch 8.13\\[1\\].","sortOrder":5},{"sectionNumber":"6","sectionType":"section","heading":"Definition of “health information”","content":"#### 6 Definition of “health information”\n\n6 Definition of “health information”\n\n> In this Act, health information means—\n> \n> > (a) personal information that is information or an opinion about—\n> > \n> > > (i) the physical or mental health or a disability (at any time) of an individual, or\n> > \n> > > (ii) an individual’s express wishes about the future provision of health services to him or her, or\n> > \n> > > (iii) a health service provided, or to be provided, to an individual, or\n> \n> > (b) other personal information collected to provide, or in providing, a health service, or\n> \n> > (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or\n> \n> > (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or\n> \n> > (e) healthcare identifiers,\n> \n> but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.\n> \n> **s 6:** Am 2010 No 96, Sch 3 \\[2\\]; 2012 No 39, Sch 1.2 \\[2\\].","sortOrder":6},{"sectionNumber":"7","sectionType":"section","heading":"Capacity","content":"#### 7 Capacity\n\n7 Capacity\n\n> > (1) An individual is incapable of doing an act authorised, permitted or required by this Act if the individual is incapable (despite the provision of reasonable assistance by another person) by reason of age, injury, illness, physical or mental impairment of—\n> > \n> > > (a) understanding the general nature and effect of the act, or\n> > \n> > > (b) communicating the individual’s intentions with respect to the act.\n> \n> > (2) An authorised representative of an individual may do such an act on behalf of an individual who is incapable of doing that act.\n> \n> > (3) An authorised representative may not do such an act on behalf of an individual who is capable of doing that act, unless the individual expressly authorises the authorised representative to do that act.","sortOrder":7},{"sectionNumber":"8","sectionType":"section","heading":"Definition of “authorised representative”","content":"#### 8 Definition of “authorised representative”\n\n8 Definition of “authorised representative”\n\n> > (1) In this Act, authorised representative, in relation to an individual, means—\n> > \n> > > (a) an attorney for the individual under an enduring power of attorney, or\n> > \n> > > (b) a guardian within the meaning of the [Guardianship Act 1987](/view/html/inforce/current/act-1987-257), or a person responsible within the meaning of Part 5 of that Act, or\n> > \n> > > (c) a person having parental responsibility for the individual, if the individual is a child, or\n> > \n> > > (d) a person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual.\n> \n> > (2) A person is not an authorised representative of an individual for the purposes of this Act to the extent that acting as an authorised representative of the individual is inconsistent with an order made by a court or tribunal.\n> \n> > (3) In this section—\n> > \n> > child means an individual under 18 years of age.\n> > \n> > parental responsibility, in relation to a child, means all the duties, powers, responsibility and authority which, by law, parents have in relation to their children.","sortOrder":8},{"sectionNumber":"9","sectionType":"section","heading":"What constitutes “holding” information","content":"#### 9 What constitutes “holding” information\n\n9 What constitutes “holding” information\n\n> For the purposes of this Act, health information is held by an organisation if—\n> \n> > (a) the organisation is in possession or control of the information (whether or not the information is contained in a document that is outside New South Wales), or\n> \n> > (b) the information is in the possession or control of a person employed or engaged by the organisation in the course of such employment or engagement, or\n> \n> > (c) in the case of a public sector agency—the information is contained in a State record in respect of which the agency is responsible under the [State Records Act 1998](/view/html/inforce/current/act-1998-017).","sortOrder":9},{"sectionNumber":"10","sectionType":"section","heading":"Unsolicited information not considered “collected”","content":"#### 10 Unsolicited information not considered “collected”\n\n10 Unsolicited information not considered “collected”\n\n> For the purposes of this Act, health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited.","sortOrder":10},{"sectionNumber":"Part 2","sectionType":"part","heading":"General operation of Act","content":"# Part 2 General operation of Act\n\nPart 2 General operation of Act","sortOrder":11},{"sectionNumber":"11","sectionType":"section","heading":"How this Act applies to organisations","content":"#### 11 How this Act applies to organisations\n\n11 How this Act applies to organisations\n\n> > (1) This Act applies to every organisation that is a health service provider or that collects, holds or uses health information.\n> > \n> > Note.\n> > \n> > The term organisation means a public sector agency or a private sector person.\n> \n> > (2) An organisation to whom or to which this Act applies is required to comply with the Health Privacy Principles and with any health privacy code of practice or provision of Part 4 that is applicable to the organisation.\n> \n> > (3) An organisation must not do any thing, or engage in any practice, that contravenes a Health Privacy Principle or a health privacy code of practice or a provision of Part 4 in respect of which the organisation is required to comply.\n> \n> Note.\n> \n> The application of Health Privacy Principles and the provisions of Part 4 may be modified by health privacy codes of practice. See section 39.","sortOrder":12},{"sectionNumber":"12","sectionType":"section","heading":"Crown bound by Act","content":"#### 12 Crown bound by Act\n\n12 Crown bound by Act\n\n> This Act binds the Crown in right of New South Wales and also, in so far as the legislative power of Parliament permits, the Crown in all its other capacities.","sortOrder":13},{"sectionNumber":"13","sectionType":"section","heading":"Courts, tribunals and Royal Commissions not affected","content":"#### 13 Courts, tribunals and Royal Commissions not affected\n\n13 Courts, tribunals and Royal Commissions not affected\n\n> > (1) Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court’s, or the tribunal’s, judicial functions.\n> \n> > (2) Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission’s functions.\n> \n> > (3) In this section, judicial functions of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes—\n> > \n> > > (a) in relation to a justice—such of the functions of the justice as relate to the conduct of committal proceedings, and\n> > \n> > > (b) in relation to a coroner—such of the functions of the coroner as relate to the conduct of inquests and inquiries under the [Coroners Act 2009](/view/html/inforce/current/act-2009-041).\n> \n> **s 13:** Am 2009 No 41, Sch 4.","sortOrder":14},{"sectionNumber":"14","sectionType":"section","heading":"Exemption for personal, family or household affairs","content":"#### 14 Exemption for personal, family or household affairs\n\n14 Exemption for personal, family or household affairs\n\n> Nothing in this Act applies in respect of the collection, holding, management, use, disclosure or transfer of health information by an individual, or health information held by an individual, only for the purposes of, or in connection with, his or her personal, family or household affairs.","sortOrder":15},{"sectionNumber":"15","sectionType":"section","heading":"News media","content":"#### 15 News media\n\n15 News media\n\n> > (1) Nothing in HPP 1–4, 10, 11 or 14 applies in respect of the collection, use or disclosure of health information by a news medium if the collection, use or disclosure is in connection with its news activities.\n> \n> > (2) Nothing in HPP 6–8 or Part 4 applies to health information held by a news medium in connection with its news activities.","sortOrder":16},{"sectionNumber":"16","sectionType":"section","heading":"Group practices","content":"#### 16 Group practices\n\n16 Group practices\n\n> > (1) Nothing in HPP 1–6, 10 or 11 applies in respect of—\n> > \n> > > (a) the collection of information from a member of a group practice by another member of the group practice, or\n> > \n> > > (b) the use of health information held by a member of a group practice by another member of the group practice, or\n> > \n> > > (c) the disclosure of health information held by a member of a group practice to another member of the group practice,\n> > \n> > if the purpose of the collection, use or disclosure is to ensure that a patient of a member of the group practice receives quality health care from members of the group practice.\n> \n> > (2) Nothing in HPP 15 applies in respect of the keeping of combined or joint electronic records by members of a group practice.\n> \n> > (3) In this section—\n> > \n> > group practice means—\n> > \n> > > (a) a group of 2 or more individuals who each provide a health service in the course of carrying on a business and who, by written agreement—\n> > > \n> > > > (i) carry on the business at shared premises, and\n> > > \n> > > > (ii) maintain a shared reception, and\n> > > \n> > > > (iii) maintain combined or joint records, or\n> > \n> > > (b) the provision of a health service in accordance with such other arrangements or associations between health service providers as may be prescribed by the regulations for the purposes of this definition.","sortOrder":17},{"sectionNumber":"17","sectionType":"section","heading":"Specific exemptions (ICAC, ICAC Inspector and Inspector’s staff, NSW Police Force, LECC, Inspector of LECC and Inspector’s staff and NSW Crime Commission)","content":"#### 17 Specific exemptions (ICAC, ICAC Inspector and Inspector’s staff, NSW Police Force, LECC, Inspector of LECC and Inspector’s staff and NSW Crime Commission)\n\n17 Specific exemptions (ICAC, ICAC Inspector and Inspector’s staff, NSW Police Force, LECC, Inspector of LECC and Inspector’s staff and NSW Crime Commission)\n\n> This Act does not apply to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, the NSW Police Force, the Law Enforcement Conduct Commission, the Inspector of the Law Enforcement Conduct Commission, the staff of the Inspector of the Law Enforcement Conduct Commission and the New South Wales Crime Commission, except in connection with the exercise of their administrative and educative functions.\n> \n> **s 17:** Am 2005 No 10, Sch 2.5 \\[3\\]; 2011 No 62, Sch 3.13 \\[1\\]; 2016 No 61, Sch 6.24 \\[3\\].","sortOrder":18},{"sectionNumber":"17A","sectionType":"section","heading":"Exemption for certain translation services","content":"#### 17A Exemption for certain translation services\n\n17A Exemption for certain translation services\n\n> > The Health Privacy Principles do not apply in respect of health information collected or held by Multicultural NSW if—\n> > \n> > > (a) the information is collected or held by Multicultural NSW for the purpose only of translating the information, and\n> > \n> > > (b) all documents held by Multicultural NSW in which the information is contained are destroyed or returned to the person who submitted the information for translation when Multicultural NSW is satisfied that the documents are no longer required for the provision of the translation service, and\n> > \n> > > (c) in a case where it is necessary for the information to be given to another person in connection with the provision of the translation service, everything reasonably within the power of Multicultural NSW is done to prevent unauthorised disclosure of the information by that other person.\n> \n> **s 17A:** Ins 2010 No 62, Sch 2.2. Am 2014 No 64, Sch 2.8.","sortOrder":19},{"sectionNumber":"18","sectionType":"section","heading":"Act does not authorise unauthorised activities","content":"#### 18 Act does not authorise unauthorised activities\n\n18 Act does not authorise unauthorised activities\n\n> If an organisation is exempt from a Health Privacy Principle, or a provision of Part 4, the exemption does not operate to authorise the organisation to do any thing that it is otherwise prohibited from doing under an Act (including an Act of the Commonwealth) or any other law.","sortOrder":20},{"sectionNumber":"19","sectionType":"section","heading":"Application of Health Privacy Principles to information collected at certain times","content":"#### 19 Application of Health Privacy Principles to information collected at certain times\n\n19 Application of Health Privacy Principles to information collected at certain times\n\n> > (1) Except as otherwise provided by this section, the Health Privacy Principles apply in relation to all health information, whether collected by the organisation before or after the commencement of Schedule 1.\n> \n> > (2) HPP 1 (Purposes of collection of health information), HPP 2 (Information must be relevant, not excessive, accurate and not intrusive), HPP 3 (Collection to be from individual concerned) and HPP 4 (Individual to be made aware of certain matters), to the extent that they apply to the collection of health information, apply only in relation to the collection of health information after the commencement of Schedule 1.\n> \n> > (3) HPP 7 (Access to health information), HPP 8 (Amendment of health information) and Divisions 3 and 4 of Part 4 apply to all health information collected after the commencement of Schedule 1 and also apply to the following health information collected before that commencement—\n> > \n> > > (a) a history of the health or an illness of an individual,\n> > \n> > > (b) any findings on an examination of the individual in relation to the health or an illness of an individual,\n> > \n> > > (c) the results of an investigation into the health or an illness of an individual,\n> > \n> > > (d) a diagnosis, or preliminary diagnosis, of an illness of an individual,\n> > \n> > > (e) a plan of management, or proposed plan of management, of the treatment or care of an illness of the individual,\n> > \n> > > (f) action taken or services provided (whether or not in accordance with a plan of management) by or under the direction or referral of a health service provider in relation to the individual,\n> > \n> > > (g) health information about the individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances,\n> > \n> > > (h) genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual.\n> \n> > (4) HPP 13 (Anonymity) applies only in relation to transactions entered into, or health services received, after the commencement of Schedule 1.\n> \n> > (5) HPP 15 (Linkage of health records) applies only in relation to information collected after the commencement of Schedule 1.","sortOrder":21},{"sectionNumber":"Part 3","sectionType":"part","heading":"Provisions for public sector agencies","content":"# Part 3 Provisions for public sector agencies\n\nPart 3 Provisions for public sector agencies\n\nNote.\n\nSection 11 requires organisations to which this Act applies (including public sector agencies) to comply with the Health Privacy Principles. This Part makes special provision for public sector agencies, while Part 4 makes special provision for private sector persons.","sortOrder":22},{"sectionNumber":"20","sectionType":"section","heading":"Application of Health Privacy Principles—amendment of health information","content":"#### 20 Application of Health Privacy Principles—amendment of health information\n\n20 Application of Health Privacy Principles—amendment of health information\n\n> HPP 8 (Amendment of health information), and any provision of a health privacy code of practice applying to a public sector agency that relates to the requirements set out in that Health Privacy Principle, applies to public sector agencies despite HPP 8 (4) and section 21 of the [State Records Act 1998](/view/html/inforce/current/act-1998-017).","sortOrder":23},{"sectionNumber":"21","sectionType":"section","heading":"Complaints against public sector agencies","content":"#### 21 Complaints against public sector agencies\n\n21 Complaints against public sector agencies\n\n> > (1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies—\n> > \n> > > (a) the contravention of a Health Privacy Principle that applies to the agency,\n> > \n> > > (b) the contravention of a health privacy code of practice that applies to the agency.\n> \n> > (2) For that purpose, a reference in that Part—\n> > \n> > > (a) to personal information is taken to include health information, and\n> > \n> > > (b) to an information protection principle is taken to include a Health Privacy Principle, and\n> > \n> > > (c) to a privacy code of practice is taken to include a health privacy code of practice.\n> \n> > (3) This section applies only to conduct engaged in after the commencement of this section.","sortOrder":24},{"sectionNumber":"22","sectionType":"section","heading":"Government Information (Public Access) Act 2009 not affected","content":"#### 22 Government Information (Public Access) Act 2009 not affected\n\n22 [Government Information (Public Access) Act 2009](/view/html/inforce/current/act-2009-052) not affected\n\n> > (1) Nothing in this Act affects the operation of the [Government Information (Public Access) Act 2009](/view/html/inforce/current/act-2009-052).\n> \n> > (2) In particular, this Act does not operate to lessen any obligations under the [Government Information (Public Access) Act 2009](/view/html/inforce/current/act-2009-052) in respect of a public sector agency.\n> \n> > (3) Without limiting the generality of subsection (1), the provisions of the [Government Information (Public Access) Act 2009](/view/html/inforce/current/act-2009-052) and the [Privacy and Personal Information Protection Act 1998](/view/html/inforce/current/act-1998-133) that impose conditions or limitations (however expressed) with respect to any matter referred to in HPP 6 (Information about health information held by organisations), HPP 7 (Access to health information) or HPP 8 (Amendment of health information) are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.\n> \n> **s 22:** Am 2009 No 54, Sch 2.23 \\[2\\]–\\[4\\].","sortOrder":25},{"sectionNumber":"Part 4","sectionType":"part","heading":"Provisions for private sector persons","content":"# Part 4 Provisions for private sector persons\n\nPart 4 Provisions for private sector persons\n\nNote.\n\nSection 11 requires organisations to which this Act applies (including private sector persons) to comply with the Health Privacy Principles and the provisions of this Part. This Part makes special provision for private sector persons, while Part 3 makes special provision for public sector agencies.","sortOrder":26},{"sectionNumber":"Division 1","sectionType":"division","heading":"General","content":"## Division 1 General\n\nDivision 1 General","sortOrder":27},{"sectionNumber":"23","sectionType":"section","heading":"When non-compliance authorised","content":"#### 23 When non-compliance authorised\n\n23 When non-compliance authorised\n\n> A private sector person is not required to comply with a requirement of this Part applying to the person if—\n> \n> > (a) the private sector person is lawfully authorised or required not to comply with it, or\n> \n> > (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law.\n> \n> **s 23:** Am 2010 No 34, Sch 2.26 \\[3\\].","sortOrder":28},{"sectionNumber":"24","sectionType":"section","heading":"Guidelines by Privacy Commissioner","content":"#### 24 Guidelines by Privacy Commissioner\n\n24 Guidelines by Privacy Commissioner\n\n> The Privacy Commissioner may issue guidelines with respect to access to, and retention and amendment of, health information held by private sector persons for the purpose of assisting them to comply with the Health Privacy Principles and this Part.","sortOrder":29},{"sectionNumber":"Division 2","sectionType":"division","heading":"Retention of health information","content":"## Division 2 Retention of health information\n\nDivision 2 Retention of health information\n\nNote.\n\nThis Division contains specific provisions that are additional to, and assist the operation of, the general principles in HPP 5 (Retention and security).","sortOrder":30},{"sectionNumber":"25","sectionType":"section","heading":"Retention of health information: health service providers","content":"#### 25 Retention of health information: health service providers\n\n25 Retention of health information: health service providers\n\n> > (1) A private sector person who is a health service provider must retain health information relating to an individual as follows—\n> > \n> > > (a) in the case of health information collected while the individual was an adult—for 7 years from the last occasion on which a health service was provided to the individual by the health service provider,\n> > \n> > > (b) in the case of health information collected while the individual was under the age of 18 years—until the individual has attained the age of 25 years.\n> \n> > (2) A health service provider who deletes or disposes of health information must keep a record of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted or disposed of.\n> \n> > (3) A health service provider who transfers health information to another organisation and does not continue to hold a record of that information must keep a record of the name and address of the organisation to whom or to which it was transferred.\n> \n> > (4) A record referred to in subsection (2) or (3) may be kept in electronic form, but only if it is capable of being printed on paper.\n> \n> > (5) Nothing in this section authorises a health service provider to delete, dispose of or transfer health information in contravention of an Act (including an Act of the Commonwealth) or any other law.","sortOrder":31},{"sectionNumber":"Division 3","sectionType":"division","heading":"Access to health information","content":"## Division 3 Access to health information\n\nDivision 3 Access to health information\n\nNote.\n\nThis Division contains specific provisions for private sector persons that are additional to, and assist the operation of, the general principles in HPP 7 (Access to health information).","sortOrder":32},{"sectionNumber":"26","sectionType":"section","heading":"Making a request for access","content":"#### 26 Making a request for access\n\n26 Making a request for access\n\n> > (1) An individual may request a private sector person to provide the individual with access to health information relating to the individual held by the private sector person. A request must—\n> > \n> > > (a) be in writing, and\n> > \n> > > (b) state the name and the address of the individual making the request, and\n> > \n> > > (c) sufficiently identify the health information to which access is sought, and\n> > \n> > > (d) specify the form in which the individual wishes the information to be provided, being a form provided for by this Act.\n> \n> > (2) An individual who requests access to health information relating to the individual may authorise another person to have access to the information in the place of the individual. Such an authority must—\n> > \n> > > (a) be in writing, and\n> > \n> > > (b) name the person who is authorised to have access to the information.\n> > \n> > A private sector person is to provide access under this Act in accordance with any such written authority.\n> \n> Note.\n> \n> This section does not prevent an individual and a private sector person from making other arrangements for access to information: see section 32.","sortOrder":33},{"sectionNumber":"27","sectionType":"section","heading":"Response to request for access","content":"#### 27 Response to request for access\n\n27 Response to request for access\n\n> > (1) A private sector person must respond to a request for access within 45 days after receiving the request.\n> \n> > (2) A private sector person responds to a request for access by—\n> > \n> > > (a) providing access to the information as required by this Act, or\n> > \n> > > (b) refusing access to the information.\n> \n> > (3) A private sector person who refuses to give an individual access to information must give the individual a written reason for refusal of access, being a reason for refusal provided for by this Act.\n> \n> > (4) A private sector person who charges a fee for providing access to information need not provide access until 7 days after payment of the fee, if—\n> > \n> > > (a) the private sector person has given the individual written notice stating that access will be provided on payment of a specified fee, and\n> > \n> > > (b) that notice is given within 45 days after receiving a request.\n> \n> > (5) Access may be refused to a part of the information to which a request relates (with access provided to the remainder of the information).\n> \n> > (6) A private sector person is taken to have refused access to health information if the private sector person fails to respond to the request for access as required by this section.","sortOrder":34},{"sectionNumber":"28","sectionType":"section","heading":"Form of access","content":"#### 28 Form of access\n\n28 Form of access\n\n> > (1) Access to health information relating to an individual is to be provided to the individual—\n> > \n> > > (a) by giving the individual a copy of the health information, or\n> > \n> > > (b) by giving the individual a reasonable opportunity to inspect and take notes from the health information.\n> \n> > (2) If an individual has requested that access to health information be provided in a particular form, the private sector person is to provide access in that form, and in accordance with any guidelines issued by the Privacy Commissioner for the purposes of this section.\n> \n> > (3) Despite subsection (2), a private sector person may refuse to provide access to health information in the form requested if providing the information in that form—\n> > \n> > > (a) would place unreasonable demands on the organisation’s resources, or\n> > \n> > > (b) would be detrimental to the preservation of the information or (having regard to the physical form in which the information is contained) would otherwise not be appropriate, or\n> > \n> > > (c) would involve an infringement of copyright subsisting in matter contained in the information.\n> > \n> > If access is refused under this clause, the information is to be provided in another form.\n> \n> > (4) Despite anything to the contrary in this Part or HPP 7, a private sector person who receives a request for access to health information collected before the commencement of this section need only give the individual an accurate summary of the health information.","sortOrder":35},{"sectionNumber":"29","sectionType":"section","heading":"Situations where access need not be granted","content":"#### 29 Situations where access need not be granted\n\n29 Situations where access need not be granted\n\n> A private sector person is not required to provide an individual with access to health information relating to the individual held by the private sector person if—\n> \n> > (a) providing access would pose a serious threat to the life or health of the individual or any other person and refusing access is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or\n> \n> > (b) providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued by the Privacy Commissioner, or\n> \n> > (c) the information relates to existing or anticipated legal proceedings between the private sector person and the individual and the information would not be accessible by the process of discovery in those proceedings or is subject to legal professional privilege, or\n> \n> > (d) providing access would reveal the intentions of the private sector person in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the private sector person unreasonably to disadvantage, or\n> \n> > (e) providing access would be unlawful, or\n> \n> > (f) denying access is required or authorised by or under law, or\n> \n> > (g) providing access would be likely to prejudice an investigation of possible unlawful activity, or\n> \n> > (h) providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency, or\n> \n> > (i) a law enforcement agency performing a lawful security function asks the private sector person not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia, or\n> \n> > (j) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again, or\n> \n> > (k) the individual has been provided with access to the health information in accordance with this Act and is making an unreasonable, repeated request for access to the same information in the same manner.","sortOrder":36},{"sectionNumber":"30","sectionType":"section","heading":"Access refused because serious threat to individual","content":"#### 30 Access refused because serious threat to individual\n\n30 Access refused because serious threat to individual\n\n> > (1) This section applies if a private sector person that holds health information about an individual refuses to provide the individual with access to the health information on the ground that providing access would pose a serious threat to the life or health of the individual.\n> \n> > (2) The individual may request the private sector person to give access to the information to a registered medical practitioner nominated by the individual.\n> \n> > (3) The request is to be made within 21 days after the notice of refusal was received.\n> \n> > (4) The notice of refusal—\n> > \n> > > (a) must advise the individual that he or she may nominate a medical practitioner to be given access to the health information, and\n> > \n> > > (b) must advise the individual that if he or she nominates a medical practitioner, the nomination must be made to the private sector person within 21 days after receiving the notice of refusal.\n> \n> > (5) The private sector person must provide access to the health information to the nominated registered medical practitioner within 21 days after being advised by the individual of the nomination of the practitioner.","sortOrder":37},{"sectionNumber":"31","sectionType":"section","heading":"Private sector person may require evidence of identity or authority","content":"#### 31 Private sector person may require evidence of identity or authority\n\n31 Private sector person may require evidence of identity or authority\n\n> > (1) Before a private sector person provides access to health information to a person, the private sector person must take reasonable steps to be satisfied about that person’s authority to have access to the information.\n> \n> > (2) For this purpose, the private sector person may require evidence of—\n> > \n> > > (a) the person’s identity, and\n> > \n> > > (b) if person seeking access claims to be authorised to have access to the information under section 26 (2), the authority of that person, and\n> > \n> > > (c) if the person seeking access claims to be an authorised representative of the individual to whom the information relates, the authority of that person.\n> > \n> > Note.\n> > \n> > The term authorised representative is defined in section 8.","sortOrder":38},{"sectionNumber":"32","sectionType":"section","heading":"Alternative arrangements may be made","content":"#### 32 Alternative arrangements may be made\n\n32 Alternative arrangements may be made\n\n> > (1) Nothing in this Division is intended to prevent or discourage a private sector person from providing an individual, with his or her consent, with access to his or her health information otherwise than as required by this Division.\n> \n> > (2) A private sector person is not to provide an individual with access to health information otherwise than as required by this Division unless the private sector person has informed the individual of the requirements of this Division.","sortOrder":39},{"sectionNumber":"Division 4","sectionType":"division","heading":"Amendment of health information","content":"## Division 4 Amendment of health information\n\nDivision 4 Amendment of health information\n\nNote.\n\nThis Division contains specific provisions for private sector persons that are additional to, and assist the operation of, the general principles in HPP 8 (Amendment of health information).","sortOrder":40},{"sectionNumber":"33","sectionType":"section","heading":"Making a request for amendment","content":"#### 33 Making a request for amendment\n\n33 Making a request for amendment\n\n> An individual may request a private sector person to amend health information relating to the individual held by the private sector person. The request must—\n> \n> > (a) be in writing, and\n> \n> > (b) state the name and the address of the individual making the request, and\n> \n> > (c) identify the health information concerned, and\n> \n> > (d) specify the respect or respects in which the individual claims the health information is inaccurate, out of date, irrelevant, incomplete or misleading, and\n> \n> > (e) if the request specifies that the individual claims the health information is incomplete or out of date—be accompanied by such information as the individual claims is necessary to complete the health information or to bring it up to date.","sortOrder":41},{"sectionNumber":"34","sectionType":"section","heading":"Response to request for amendment","content":"#### 34 Response to request for amendment\n\n34 Response to request for amendment\n\n> > (1) A private sector person must respond to a request for amendment within 45 days after receiving the request.\n> \n> > (2) A private sector person responds to a request by—\n> > \n> > > (a) making the amendment requested, or\n> > \n> > > (b) refusing to make the amendment requested.\n> \n> > (3) A private sector person may refuse to amend health information in accordance with a request—\n> > \n> > > (a) if it is satisfied that the health information is not incomplete, incorrect, irrelevant, out of date or misleading, or\n> > \n> > > (b) if it is satisfied that the request contains or is accompanied by matter that is incorrect or misleading in a material respect.\n> \n> > (4) A private sector person who refuses to make an amendment requested must give the individual a written reason for the refusal.\n> \n> > (5) A private sector person is taken to have refused to make the amendment requested if the private sector person fails to respond to the request for amendment as required by this section.","sortOrder":42},{"sectionNumber":"35","sectionType":"section","heading":"Notations added to records","content":"#### 35 Notations added to records\n\n35 Notations added to records\n\n> > (1) If a private sector person has refused to amend health information held by the person, the individual to whom the information relates may, by notice in writing, require the private sector person to add to the health information a notation—\n> > \n> > > (a) specifying the respects in which the individual claims the information to be incomplete, incorrect, irrelevant, out of date or misleading, and\n> > \n> > > (b) if the individual claims the information to be incomplete or out of date—setting out such information as the individual claims is necessary to complete the information or to bring it up to date.\n> \n> > (2) The private sector person must take reasonable steps to comply with the requirements of a notice given under this section and is to cause written notice of the steps taken, and the nature of a notation, to be given to the individual.\n> \n> > (3) If the private sector person discloses to any person or organisation (including any public sector agency or any Minister) any health information to which a notice under this section relates, the private sector person—\n> > \n> > > (a) must ensure that there is given to that person or organisation, when the information is disclosed, a statement—\n> > > \n> > > > (i) stating that the person to whom the information relates claims that the information is incomplete, incorrect, irrelevant, out of date or misleading, and\n> > > \n> > > > (ii) setting out particulars of a notation added to the information under this section, and\n> > \n> > > (b) may include in the statement the reason for the private sector person’s refusal to amend its records in accordance with the notation.\n> \n> > (4) Nothing in this section is intended to prevent or discourage private sector persons from giving particulars of a notation added to health information under this section to a person or organisation (including a public sector agency or any Minister) to whom information was given before the commencement of this section.","sortOrder":43},{"sectionNumber":"36","sectionType":"section","heading":"Private sector person may require evidence of identity or authority","content":"#### 36 Private sector person may require evidence of identity or authority\n\n36 Private sector person may require evidence of identity or authority\n\n> > (1) Before a private sector person amends health information at the request of an individual or an authorised representative of the individual, the private sector person must take reasonable steps to be satisfied about the authority of the person making the request to request amendment of the information.\n> \n> > (2) For this purpose, the private sector person may require evidence of—\n> > \n> > > (a) the identity of the person making the request, and\n> > \n> > > (b) if the person making the request claims to be an authorised representative of the individual to whom the information relates, the authority of that person.\n> \n> Note.\n> \n> The term authorised representative is defined in section 8.","sortOrder":44},{"sectionNumber":"37","sectionType":"section","heading":"Alternative arrangements may be made","content":"#### 37 Alternative arrangements may be made\n\n37 Alternative arrangements may be made\n\n> > (1) Nothing in this Division is intended to prevent or discourage a private sector person from providing an individual, with his or her consent, with an opportunity to amend his or her health information otherwise than as required by this Division.\n> \n> > (2) A private sector person is not to provide an individual with an opportunity to amend health information otherwise than as required by this Division unless the private sector person has informed the individual of the requirements of this Division.","sortOrder":45},{"sectionNumber":"Part 5","sectionType":"part","heading":"Health privacy codes of practice","content":"# Part 5 Health privacy codes of practice\n\nPart 5 Health privacy codes of practice","sortOrder":46},{"sectionNumber":"38","sectionType":"section","heading":"Operation of health privacy codes of practice","content":"#### 38 Operation of health privacy codes of practice\n\n38 Operation of health privacy codes of practice\n\n> > (1) Health privacy codes of practice may be made for the purpose of protecting the privacy of health information with respect to individuals.\n> \n> > (2) A health privacy code of practice may regulate any of the following matters—\n> > \n> > > (a) the collection or retention of health information held by organisations,\n> > \n> > > (b) the use or disclosure of health information held by organisations,\n> > \n> > > (c) the transfer by organisations of health information from New South Wales to a jurisdiction outside New South Wales or to a Commonwealth agency,\n> > \n> > > (d) the electronic or computerised linkage of health information held by organisations,\n> > \n> > > (e) the procedures for dealing with health information held by organisations.\n> \n> > (3) In particular, a health privacy code of practice may provide for the protection of health information contained in a record that is more than 30 years old, and any such provision has effect despite the provisions of any other Act that deals with the disclosure of, or access to, health information of that kind. Any such code must, to the extent that it relates to health information contained in a State record that is more than 30 years old, be consistent with any relevant guidelines issued under section 52 of the [State Records Act 1998](/view/html/inforce/current/act-1998-017).\n> \n> > (4) A health privacy code of practice can apply to any one or more of the following—\n> > \n> > > (a) any specified class of health information,\n> > \n> > > (b) any specified organisation or class of organisation,\n> > \n> > > (c) any specified activity or class of activity.\n> \n> > (5) Except in the case of a health privacy code of practice that is referred to in subsection (3), a code cannot affect the operation of any exemption provided under this Act.\n> \n> > (6) A health privacy code of practice—\n> > \n> > > (a) must provide standards of health information privacy protection that operate to protect organisations from any restrictions in relation to the importation of health information into New South Wales, and\n> > \n> > > (b) must not impose on any organisation any requirements that are more stringent (or of a higher standard) than the Health Privacy Principles.","sortOrder":47},{"sectionNumber":"39","sectionType":"section","heading":"Modification of Health Privacy Principles or Part 4","content":"#### 39 Modification of Health Privacy Principles or Part 4\n\n39 Modification of Health Privacy Principles or Part 4\n\n> > (1) A health privacy code of practice may modify the application to any organisation or class of organisation of any one or more of the Health Privacy Principles or any provision of Part 4.\n> \n> > (2) A code may—\n> > \n> > > (a) specify requirements that are different from the requirements set out in the Health Privacy Principles or in a provision of Part 4, or exempt any activity or conduct of or by the organisation or class of organisation from compliance with any such Principle or provision, or\n> > \n> > > (b) specify the manner in which any one or more of the Health Privacy Principles or any provision of Part 4 are to be applied to, or are to be followed by, the organisation or class of organisation, and\n> > \n> > > (c) exempt an organisation or class of organisation from the requirement to comply with any Health Privacy Principle or any provision of Part 4.","sortOrder":48},{"sectionNumber":"40","sectionType":"section","heading":"Preparation and making of health privacy codes of practice","content":"#### 40 Preparation and making of health privacy codes of practice\n\n40 Preparation and making of health privacy codes of practice\n\n> > (1) The Privacy Commissioner, or any organisation, may—\n> > \n> > > (a) initiate the preparation of a draft health privacy code of practice, and\n> > \n> > > (b) develop the draft code in consultation with such other persons or bodies as the Commissioner or organisation thinks fit, and\n> > \n> > > (c) submit the draft code to the Minister.\n> \n> > (2) If a draft code is initiated and prepared by an organisation, the organisation must consult with the Privacy Commissioner on the draft code before it is submitted to the Minister.\n> \n> > (3) The Privacy Commissioner may make such submissions to the Minister in respect of a draft code as the Privacy Commissioner thinks appropriate.\n> \n> > (4) Once a draft code is submitted to the Minister, the Minister may, after taking into consideration any submissions by the Privacy Commissioner and after consulting the Attorney General about the draft code, decide to make the code.\n> \n> > (5) A health privacy code of practice is made by order of the Minister published in the Gazette.\n> \n> > (6) A code takes effect when the order making the code is published (or on such later date as may be specified in the order).\n> \n> > (7) The procedures specified in this section extend to any amendment of a health privacy code of practice.\n> \n> **s 40:** Am 2019 No 25, Sch 5.23\\[2\\]; 2026 No 2, Sch 2.9.","sortOrder":49},{"sectionNumber":"Part 6","sectionType":"part","heading":"Complaints against private sector persons","content":"# Part 6 Complaints against private sector persons\n\nPart 6 Complaints against private sector persons","sortOrder":50},{"sectionNumber":"41","sectionType":"section","heading":"Definitions","content":"#### 41 Definitions\n\n41 Definitions\n\n> In this Part—\n> \n> complainant, in relation to a complaint, means the person who makes the complaint.\n> \n> respondent, in relation to a complaint, means a person against whom the complaint is made.","sortOrder":52},{"sectionNumber":"42","sectionType":"section","heading":"Making of privacy related complaints","content":"#### 42 Making of privacy related complaints\n\n42 Making of privacy related complaints\n\n> > (1) A complaint may be made to the Privacy Commissioner about the alleged contravention of any of the following by a private sector person—\n> > \n> > > (a) a Health Privacy Principle,\n> > \n> > > (b) a provision of Part 4,\n> > \n> > > (c) a health privacy code of practice.\n> \n> > (2) A complaint must be made—\n> > \n> > > (a) in writing, and\n> > \n> > > (b) in accordance with such regulations (if any) as may be made for the purposes of this section.\n> \n> > (3) A complaint must be made within 6 months (or such later time as the Privacy Commissioner may allow) after the time the complainant first became aware of the conduct the subject of the complaint.\n> \n> > (4) A complainant may amend or withdraw a complaint.\n> \n> > (5) This Part does not apply to any conduct that occurred before the commencement of this Part.","sortOrder":53},{"sectionNumber":"43","sectionType":"section","heading":"Preliminary assessment of complaints","content":"#### 43 Preliminary assessment of complaints\n\n43 Preliminary assessment of complaints\n\n> > (1) The Privacy Commissioner may conduct a preliminary assessment of a complaint made under this Part for the purpose of deciding whether to deal with the complaint.\n> \n> > (2) The Privacy Commissioner may decide not to deal with a complaint if the Privacy Commissioner is satisfied that—\n> > \n> > > (a) the complaint is frivolous, vexatious or lacking in substance, or is not in good faith, or\n> > \n> > > (b) the subject matter of the complaint is trivial, or\n> > \n> > > (c) the subject matter of the complaint relates to a matter permitted or required by or under any law, or\n> > \n> > > (d) there is available to the complainant an alternative, satisfactory and readily available means of redress, or\n> > \n> > > (e) the matter should be referred to the Health Care Complaints Commission or another person or body under section 65, 66 or 67, or\n> > \n> > > (f) the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth, and—\n> > > \n> > > > (i) the complaint has not been withdrawn, or\n> > > \n> > > > (ii) the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or\n> > > \n> > > > (iii) the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.\n> \n> > (3) If the Privacy Commissioner decides not to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for deciding not to deal with the complaint.","sortOrder":54},{"sectionNumber":"44","sectionType":"section","heading":"Assessment of complaints","content":"#### 44 Assessment of complaints\n\n44 Assessment of complaints\n\n> > (1) If the Privacy Commissioner decides to deal with a complaint made under this Part, the Privacy Commissioner—\n> > \n> > > (a) is to carry out an assessment to determine whether there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, and\n> > \n> > > (b) for that purpose, may make such inquiries and investigations into the complaint as the Privacy Commissioner thinks appropriate.\n> \n> > (2) If, after carrying out such an assessment, the Privacy Commissioner is satisfied that there is no prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner is to cease to deal with the complaint.\n> \n> > (3) If the Privacy Commissioner ceases to deal with a complaint, the Privacy Commissioner must advise the complainant of the reasons for ceasing to deal with the complaint.","sortOrder":55},{"sectionNumber":"45","sectionType":"section","heading":"Dealing with complaint","content":"#### 45 Dealing with complaint\n\n45 Dealing with complaint\n\n> > (1) If the Privacy Commissioner is satisfied that there is a prima facie case that the respondent contravened a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, the Privacy Commissioner may—\n> > \n> > > (a) endeavour to resolve the complaint by conciliation under section 46, or\n> > \n> > > (b) further investigate the complaint and make a report under section 47, or\n> > \n> > > (c) determine that the complaint has been resolved to his or her satisfaction.\n> \n> > (2) In deciding which course of action to take, the Privacy Commissioner is to take into consideration the following matters—\n> > \n> > > (a) the nature of the complaint,\n> > \n> > > (b) the views of the complainant and respondent,\n> > \n> > > (c) any action taken by the respondent (or that the respondent gives an undertaking to take) to address the complaint,\n> > \n> > > (d) whether the complaint raises a matter of public interest.\n> \n> > (3) If the Privacy Commissioner determines that the complaint has been resolved to his or her satisfaction under subsection (1) (c), the Privacy Commissioner is to—\n> > \n> > > (a) notify the complainant and the respondent of the determination, and\n> > \n> > > (b) take no further action on the complaint.","sortOrder":56},{"sectionNumber":"46","sectionType":"section","heading":"Resolution of complaint by conciliation","content":"#### 46 Resolution of complaint by conciliation\n\n46 Resolution of complaint by conciliation\n\n> > (1) The Privacy Commissioner may endeavour to resolve the complaint by conciliation.\n> \n> > (2) The Privacy Commissioner may by written notice request the complainant and the respondent to appear before the Privacy Commissioner in conciliation proceedings.\n> \n> > (3) A person or body must not without reasonable excuse fail to comply with the terms of a notice under subsection (2).\n> > \n> > Maximum penalty—50 penalty units in the case of a body corporate or 10 penalty units in any other case.\n> \n> > (4) The parties to any such conciliation proceedings before the Privacy Commissioner are not entitled to be represented by any other person except by leave of the Privacy Commissioner.\n> \n> > (5) The procedures for conciliation are to be determined by the Privacy Commissioner.\n> \n> > (6) Evidence of anything said or done in the course of conciliation proceedings under this section is not admissible in subsequent proceedings under this Part relating to the complaint.\n> \n> > (7) The Privacy Commissioner is to take no further action after the conclusion of the conciliation proceedings, whether or not the parties reach any agreement as a result of the proceedings.","sortOrder":57},{"sectionNumber":"47","sectionType":"section","heading":"Reports and recommendations of Privacy Commissioner","content":"#### 47 Reports and recommendations of Privacy Commissioner\n\n47 Reports and recommendations of Privacy Commissioner\n\n> > (1) The Privacy Commissioner may make a written report as to any findings or recommendations by the Privacy Commissioner in relation to a complaint dealt with by the Privacy Commissioner under section 45 (1) (b).\n> \n> > (2) The Privacy Commissioner may give a copy of any such report to the complainant, the respondent and to such other persons or bodies as appear to be materially involved in matters concerning the complaint.\n> \n> > (3) A report under this section is admissible in subsequent proceedings under this Part relating to the complaint.","sortOrder":58},{"sectionNumber":"48","sectionType":"section","heading":"Application to Tribunal","content":"#### 48 Application to Tribunal\n\n48 Application to Tribunal\n\n> > (1) A person who has made a complaint to the Privacy Commissioner under Division 1 may apply to the Tribunal for an inquiry into the complaint, but only if the complaint was the subject of a report of the Privacy Commissioner under section 47.\n> > \n> > Note.\n> > \n> > This section confers jurisdiction on the Tribunal to make an original decision. It does not confer jurisdiction to review a decision of the Privacy Commissioner.\n> \n> > (2) An application may only be made within 28 days after—\n> > \n> > > (a) the day on which the complainant received the report of the Privacy Commissioner, or\n> > \n> > > (b) the day (if any) recommended in the report of the Privacy Commissioner as the day after which an application may be made to the Tribunal,\n> > \n> > whichever is later.\n> \n> > (3) However, a person cannot apply to the Tribunal if the person has made a complaint about the same subject matter to the Commonwealth Privacy Commissioner, or to an adjudicator under an approved privacy code within the meaning of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth, and—\n> > \n> > > (a) the complaint has not been withdrawn, or\n> > \n> > > (b) the Commonwealth Privacy Commissioner has made a determination under section 52 of that Act, or\n> > \n> > > (c) the adjudicator has made a determination under a provision of the approved privacy code that corresponds to section 52 of that Act.","sortOrder":60},{"sectionNumber":"49","sectionType":"section","heading":"Inquiries into complaints","content":"#### 49 Inquiries into complaints\n\n49 Inquiries into complaints\n\n> The Tribunal is to hold an inquiry into a complaint that is the subject of an application.","sortOrder":61},{"sectionNumber":"50","sectionType":"section","heading":"Appearance by Privacy Commissioner","content":"#### 50 Appearance by Privacy Commissioner\n\n50 Appearance by Privacy Commissioner\n\n> > (1) The Privacy Commissioner is to be notified by the Tribunal of any application made to it under section 48.\n> \n> > (2) The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an inquiry under this Part.","sortOrder":62},{"sectionNumber":"51","sectionType":"section","heading":"Proof of exemption","content":"#### 51 Proof of exemption\n\n51 Proof of exemption\n\n> If in proceedings in relation to an inquiry into a complaint the respondent relies on an exemption under any provision of this Act or the regulations, the onus of proving that the exemption applies to the respondent in the circumstances lies on the respondent.","sortOrder":63},{"sectionNumber":"52","sectionType":"section","heading":"Tribunal may dismiss frivolous etc complaints","content":"#### 52 Tribunal may dismiss frivolous etc complaints\n\n52 Tribunal may dismiss frivolous etc complaints\n\n> > (1) If, at any stage of an inquiry into a complaint, the Tribunal is satisfied that the complaint is frivolous, vexatious, misconceived or lacking in substance, or that for any other reason the complaint should not be dealt with, it may dismiss the complaint.\n> \n> > (2) The Tribunal may dismiss a complaint if satisfied that the person does not wish to proceed with the complaint.\n> \n> > (3) If the Tribunal dismisses a complaint under this section, it may order the complainant to pay the costs of the inquiry.","sortOrder":64},{"sectionNumber":"53","sectionType":"section","heading":"Relationship to Civil and Administrative Tribunal Act 2013","content":"#### 53 Relationship to Civil and Administrative Tribunal Act 2013\n\n53 Relationship to [Civil and Administrative Tribunal Act 2013](/view/html/inforce/current/act-2013-002)\n\n> Nothing in section 52 limits the generality of the powers conferred on the Tribunal by Part 4 of the [Civil and Administrative Tribunal Act 2013](/view/html/inforce/current/act-2013-002).\n> \n> **s 53:** Am 2013 No 95, Sch 2.75 \\[3\\].","sortOrder":65},{"sectionNumber":"54","sectionType":"section","heading":"Order or other decision of Tribunal","content":"#### 54 Order or other decision of Tribunal\n\n54 Order or other decision of Tribunal\n\n> > (1) After holding an inquiry, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders—\n> > \n> > > (a) subject to subsection (2), an order requiring the respondent to pay to the complainant damages not exceeding $40,000 if the respondent is a body corporate, or not exceeding $10,000 in any other case, by way of compensation for any loss or damage suffered by reason of the respondent’s conduct,\n> > \n> > > (b) an order requiring the respondent to refrain from any conduct or action in contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,\n> > \n> > > (c) an order requiring the performance of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice,\n> > \n> > > (d) an order requiring health information that has been disclosed to be corrected by the respondent,\n> > \n> > > (e) an order requiring the respondent to take specified steps to remedy any loss or damage suffered by the complainant,\n> > \n> > > (f) such ancillary orders as the Tribunal thinks appropriate.\n> \n> > (2) The Tribunal may make an order under subsection (1) (a) only if—\n> > \n> > > (a) the application relates to conduct that occurs after the end of the 12-month period following the date on which Schedule 1 commences, and\n> > \n> > > (b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the respondent.\n> \n> > (3) In making an order for damages under this section concerning a complaint lodged on behalf of a person or persons, the Tribunal may make such order as it thinks fit as to the application of those damages for the benefit of the person or persons.","sortOrder":66},{"sectionNumber":"55","sectionType":"section","heading":null,"content":"#### 55\n\n55–57 (Repealed)","sortOrder":67},{"sectionNumber":"Part 7","sectionType":"part","heading":"Privacy Commissioner","content":"# Part 7 Privacy Commissioner\n\nPart 7 Privacy Commissioner","sortOrder":69},{"sectionNumber":"58","sectionType":"section","heading":"Functions of Privacy Commissioner","content":"#### 58 Functions of Privacy Commissioner\n\n58 Functions of Privacy Commissioner\n\n> The Privacy Commissioner has the following functions—\n> \n> > (a) to promote the adoption of, and monitor compliance with, the Health Privacy Principles and the provisions of Part 4,\n> \n> > (b) to prepare and publish guidelines relating to the protection of health information and other privacy matters, and to promote the adoption of such guidelines,\n> \n> > (c) to provide assistance to organisations in adopting and complying with the Health Privacy Principles and the provisions of Part 4,\n> \n> > (d) to conduct research, and collect and collate information, about any matter relating to the protection of health information and the privacy of individuals,\n> \n> > (e) to provide advice on matters relating to the protection of health information and the privacy of individuals,\n> \n> > (f) to receive, investigate and conciliate complaints about alleged contraventions of the Health Privacy Principles, the provisions of Part 4 or any health privacy code of practice,\n> \n> > (g) such other functions as are conferred by this Act.\n> \n> Note.\n> \n> The Privacy Commissioner may also deal with privacy related complaints under Parts 4 and 5 of the PPIP Act.","sortOrder":70},{"sectionNumber":"59","sectionType":"section","heading":"Requirement to give information","content":"#### 59 Requirement to give information\n\n59 Requirement to give information\n\n> > (1) The Privacy Commissioner may, in connection with the exercise of the Privacy Commissioner’s functions, require any person or organisation—\n> > \n> > > (a) to give the Privacy Commissioner a statement of information, or\n> > \n> > > (b) to produce to the Privacy Commissioner any document or other thing, or\n> > \n> > > (c) to give the Privacy Commissioner a copy of any document.\n> \n> > (2) The Privacy Commissioner is not to make any such requirement if it appears to the Privacy Commissioner that—\n> > \n> > > (a) the person or organisation concerned does not consent to compliance with the requirement, and\n> > \n> > > (b) the person or organisation would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege.\n> \n> > (3) A requirement under this section must be in writing, must specify or describe the information, document or thing required, and must specify the time and manner for complying with the requirement.\n> \n> > (4) This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption.","sortOrder":71},{"sectionNumber":"60","sectionType":"section","heading":"Inquiries and investigations","content":"#### 60 Inquiries and investigations\n\n60 Inquiries and investigations\n\n> > (1) For the purposes of any inquiry or investigation conducted by the Privacy Commissioner under this Act, the Privacy Commissioner has the powers, authorities, protections and immunities conferred on a commissioner by Division 1 of Part 2 of the [Royal Commissions Act 1923](/view/html/inforce/current/act-1923-029), and that Act (section 13 and Division 2 of Part 2 excepted) applies (subject to this section) to any witness summoned by or appearing before the Privacy Commissioner in the same way as it applies to a witness summoned by or appearing before a commissioner.\n> \n> > (2) Subsection (1) does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Law Enforcement Conduct Commission, Inspector of the Law Enforcement Conduct, staff of the Inspector of the Law Enforcement Conduct Commission or New South Wales Crime Commission.\n> \n> > (3) Any inquiry or investigation conducted by the Privacy Commissioner under this Act is to be conducted in the absence of the public, except as otherwise directed by the Privacy Commissioner.\n> \n> > (4) The Privacy Commissioner, in the course of conducting an inquiry or investigation under this Act, must set aside any requirement—\n> > \n> > > (a) to give any statement of information, or\n> > \n> > > (b) to produce any document or other thing, or\n> > \n> > > (c) to give a copy of any document, or\n> > \n> > > (d) to answer any question,\n> > \n> > if it appears to the Privacy Commissioner that the person or organisation concerned does not consent to compliance with the requirement and the person or organisation would not, in court proceedings, be required to comply with a similar requirement on the grounds of public interest, privilege against self-incrimination or legal professional privilege. However, the person or organisation must comply with any such requirement despite any duty of secrecy or other restriction on disclosure.\n> \n> > (5) A person is not entitled to be represented by another person at an inquiry or investigation conducted by the Privacy Commissioner except with the leave of the Privacy Commissioner.\n> \n> > (6) The Privacy Commissioner may allow any person appearing before the Privacy Commissioner to have the services of an interpreter.\n> \n> **s 60:** Am 2005 No 10, Sch 2.5 \\[4\\]; 2016 No 61, Sch 6.24 \\[4\\].","sortOrder":72},{"sectionNumber":"61","sectionType":"section","heading":"General procedure for inquiries and investigations","content":"#### 61 General procedure for inquiries and investigations\n\n61 General procedure for inquiries and investigations\n\n> The Privacy Commissioner—\n> \n> > (a) may determine the procedures to be followed in exercising the Privacy Commissioner’s functions under this Act, including the procedures to be followed at an inquiry or investigation conducted by the Privacy Commissioner, and\n> \n> > (b) is to act in an informal manner (including avoiding conducting formal hearings) as far as possible, and\n> \n> > (c) is not bound by the rules of evidence and may inform himself or herself on any matter in any way that the Privacy Commissioner considers to be just, and\n> \n> > (d) is to act according to the substantial merits of the case without undue regard to technicalities.","sortOrder":73},{"sectionNumber":"62","sectionType":"section","heading":"Exempting organisations from complying with Principles and codes","content":"#### 62 Exempting organisations from complying with Principles and codes\n\n62 Exempting organisations from complying with Principles and codes\n\n> > (1) The Privacy Commissioner may, in accordance with this section, make a written direction that—\n> > \n> > > (a) an organisation is not required to comply with a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice, or\n> > \n> > > (b) the application of a Health Privacy Principle, a provision of Part 4 or a code to an organisation is to be modified as specified in the direction.\n> \n> > (2) Any such direction has effect despite any other provision of this Act.\n> \n> > (3) The Privacy Commissioner is not to make a direction under this section unless—\n> > \n> > > (a) the Privacy Commissioner is satisfied that the public interest in requiring the organisation to comply with the Health Privacy Principle, the provision of Part 4 or health privacy code of practice is outweighed by the public interest in the Privacy Commissioner making the direction, and\n> > \n> > > (b) the Privacy Commissioner has consulted the Attorney General about the direction, and\n> > \n> > > (c) the Minister has approved the making of the direction.\n> \n> **s 62:** Am 2019 No 25, Sch 5.23\\[2\\]; 2026 No 2, Sch 2.9.","sortOrder":74},{"sectionNumber":"63","sectionType":"section","heading":"Information about compliance arrangements","content":"#### 63 Information about compliance arrangements\n\n63 Information about compliance arrangements\n\n> > (1) The Privacy Commissioner may require an organisation to provide the Commissioner with information—\n> > \n> > > (a) concerning the arrangements made by the organisation to enable the organisation to comply with the Health Privacy Principles, the provisions of Part 4 and any health privacy code of practice applying to the organisation, and\n> > \n> > > (b) demonstrating the means by which the organisation is implementing such arrangements.\n> \n> > (2) Any such requirement must be in writing and specify a time for complying with the requirement.\n> \n> > (3) This section does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Law Enforcement Conduct Commission, Inspector of the Law Enforcement Conduct Commission, staff of the Inspector of the Law Enforcement Conduct Commission, New South Wales Crime Commission or Ombudsman’s Office.\n> \n> **s 63:** Am 2005 No 10, Sch 2.5 \\[5\\]; 2016 No 61, Sch 6.24 \\[5\\].","sortOrder":75},{"sectionNumber":"64","sectionType":"section","heading":"Guidelines by Privacy Commissioner","content":"#### 64 Guidelines by Privacy Commissioner\n\n64 Guidelines by Privacy Commissioner\n\n> > (1) The Privacy Commissioner may issue guidelines for or with respect to any matter for which guidelines may be issued under this Act. The Privacy Commissioner may from time to time amend or replace the guidelines.\n> \n> > (2) Guidelines issued by the Privacy Commissioner may apply, adopt or incorporate any publication as in force for the time being.\n> \n> > (3) The Minister may request the Privacy Commissioner to develop guidelines relating to any matter that the Minister considers should be the subject of guidelines.\n> \n> > (4) The procedure for the issuing of guidelines is as follows—\n> > \n> > > (a) the Privacy Commissioner is to prepare proposed guidelines in draft form and is to prepare an impact assessment statement for the proposed guidelines in accordance with such requirements as the Minister may from time to time determine,\n> > \n> > > (b) the draft guidelines and impact assessment statement are to be publicly exhibited for a period of at least 21 days,\n> > \n> > > (c) the Privacy Commissioner is to seek public comment on the draft guidelines during the period of public exhibition and public comment may be made during the period of the exhibition and for 21 days (or such longer period as the Privacy Commissioner may determine) after the end of that period,\n> > \n> > > (d) the Privacy Commissioner is to submit the draft guidelines to the Minister for approval together with a report by the Privacy Commissioner giving details of public comment received during the period allowed for public comment and the Privacy Commissioner’s response to it,\n> > \n> > > (e) the Privacy Commissioner is not to issue the draft guidelines as guidelines unless the Minister approves the guidelines.\n> \n> > (5) The procedure for the amendment or replacement of guidelines is the same as for the issuing of the guidelines unless the Minister otherwise directs in respect of a particular amendment.","sortOrder":76},{"sectionNumber":"65","sectionType":"section","heading":"Referring privacy related complaint to Health Care Complaints Commission","content":"#### 65 Referring privacy related complaint to Health Care Complaints Commission\n\n65 Referring privacy related complaint to Health Care Complaints Commission\n\n> > (1) The Privacy Commissioner may refer a complaint made under this Act to the Health Care Complaints Commission if the complaint concerns—\n> > \n> > > (a) the professional conduct of a health service provider, or\n> > \n> > > (b) a health service that affects the clinical management or care of a person who uses or receives a health service (including a patient).\n> \n> > (2) The Privacy Commissioner may communicate to the Health Care Complaints Commission any information that the Privacy Commissioner has obtained in relation to the complaint.\n> \n> > (3) The Privacy Commissioner and the Health Care Complaints Commission are to consult regularly to ensure the appropriate referral of complaints between them.\n> > \n> > Note.\n> > \n> > Section 26 of the [Health Care Complaints Act 1993](/view/html/inforce/current/act-1993-105) provides that the Health Care Complaints Commission may refer a complaint to another person or body. The Commission may therefore refer a complaint that raises a possible contravention of a Health Privacy Principle, a provision of Part 4 or a health privacy code of practice to the Privacy Commissioner.\n> \n> > (4) This section does not affect the operation of section 47 (Referring privacy related complaints to other authorities) of the PPIP Act.","sortOrder":77},{"sectionNumber":"66","sectionType":"section","heading":"Referring privacy related complaint to Commonwealth Privacy Commissioner","content":"#### 66 Referring privacy related complaint to Commonwealth Privacy Commissioner\n\n66 Referring privacy related complaint to Commonwealth Privacy Commissioner\n\n> > (1) The Privacy Commissioner may refer a complaint made under this Act to the Commonwealth Privacy Commissioner if it appears that the complaint should be dealt with by the Commonwealth Privacy Commissioner.\n> \n> > (2) The Privacy Commissioner may communicate to the Commonwealth Privacy Commissioner any information that the Privacy Commissioner has obtained in relation to the complaint.\n> \n> > (3) This section does not affect the operation of section 47 (Referring privacy related complaints to other authorities) of the PPIP Act.","sortOrder":78},{"sectionNumber":"67","sectionType":"section","heading":"Referring privacy related complaint to other persons or bodies","content":"#### 67 Referring privacy related complaint to other persons or bodies\n\n67 Referring privacy related complaint to other persons or bodies\n\n> > (1) The Privacy Commissioner may refer a complaint made under this Act for investigation or other action to any person or body (the relevant authority) considered by the Privacy Commissioner to be relevant in the circumstances (other than as provided by section 65 or 66).\n> \n> > (2) The Privacy Commissioner may communicate to the relevant authority any information that the Privacy Commissioner has obtained in relation to the complaint.\n> \n> > (3) The Privacy Commissioner may only refer a complaint to a relevant authority after appropriate consultation with the complainant and the relevant authority, and after taking their views into consideration.\n> \n> > (4) This section does not affect the operation of section 47 (Referring privacy related complaints to other authorities) of the PPIP Act.","sortOrder":79},{"sectionNumber":"Part 8","sectionType":"part","heading":"Miscellaneous","content":"# Part 8 Miscellaneous\n\nPart 8 Miscellaneous","sortOrder":80},{"sectionNumber":"68","sectionType":"section","heading":"Corrupt disclosure or use of health information by public sector officials","content":"#### 68 Corrupt disclosure or use of health information by public sector officials\n\n68 Corrupt disclosure or use of health information by public sector officials\n\n> > (1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any health information about an individual to which the official has or had access in the exercise of his or her official functions.\n> > \n> > Maximum penalty—100 penalty units or imprisonment for 2 years or both.\n> \n> > (2) A person must not induce or attempt to induce a public sector official (by way of a bribe or other similar corrupt conduct) to disclose any health information about an individual to which the official has or had access in the exercise of his or her official functions.\n> > \n> > Maximum penalty—100 penalty units or imprisonment for 2 years or both.\n> \n> > (3) Subsection (1) does not prohibit a public sector official from disclosing health information if the disclosure is—\n> > \n> > > (a) a public interest disclosure within the meaning of the [Public Interest Disclosures Act 2022](/view/html/inforce/current/act-2022-014), or\n> > \n> > > (b) made for the purpose of exercising a function under that Act.\n> \n> > (4) In this section, a reference to a public sector official includes a reference to a person who was formerly a public sector official.\n> \n> Note.\n> \n> Corrupt conduct by employees or agents of private sector persons in relation to health information may be dealt with under Part 4A (Corruptly receiving commissions and other corrupt practices) of the [Crimes Act 1900](/view/html/inforce/current/act-1900-040).\n> \n> **s 68:** Am 2010 No 84, Sch 2.4; 2022 No 14, Sch 8.13\\[2\\].","sortOrder":81},{"sectionNumber":"69","sectionType":"section","heading":"Offering to supply health information that has been disclosed unlawfully","content":"#### 69 Offering to supply health information that has been disclosed unlawfully\n\n69 Offering to supply health information that has been disclosed unlawfully\n\n> > (1) A person who offers to supply (whether to a particular person or otherwise), or holds himself or herself out as being able to supply (whether to a particular person or otherwise), health information that the person knows, or ought reasonably to know, has been or is proposed to be disclosed in contravention of section 68 is guilty of an offence.\n> > \n> > Maximum penalty—100 penalty units or imprisonment for 2 years, or both.\n> \n> > (2) If a person is convicted of an offence under section 68 or subsection (1), the court may order the confiscation of any money or other benefit alleged to have been obtained by the person in connection with the offence and for that money or other benefit to be forfeited to the Crown.","sortOrder":82},{"sectionNumber":"70","sectionType":"section","heading":"Intimidation, threats or misrepresentation","content":"#### 70 Intimidation, threats or misrepresentation\n\n70 Intimidation, threats or misrepresentation\n\n> > (1) A person must not, by threat, intimidation or misrepresentation, persuade or attempt to persuade an individual—\n> > \n> > > (a) to refrain from making or pursuing—\n> > > \n> > > > (i) a request for access to health information, or\n> > > \n> > > > (ii) a complaint to the Privacy Commissioner or the Tribunal under Part 6, or\n> > > \n> > > > (iii) an application under Part 5 of the PPIP Act with respect to the alleged contravention of a Health Privacy Principle or a health privacy code of practice, or\n> > \n> > > (b) to withdraw such a request, complaint or application.\n> > \n> > Maximum penalty—100 penalty units.\n> \n> > (2) A person must not, by threat, intimidation or false representation, require another person—\n> > \n> > > (a) to give a consent under this Act, or\n> > \n> > > (b) to do, without consent, an act for which consent is required.\n> > \n> > Maximum penalty—100 penalty units.","sortOrder":83},{"sectionNumber":"71","sectionType":"section","heading":"Legal rights not affected","content":"#### 71 Legal rights not affected\n\n71 Legal rights not affected\n\n> > (1) Nothing in this Act gives rise to, or can be taken into account in, any civil cause of action, and, without limiting the generality of the foregoing, nothing in this Act—\n> > \n> > > (a) operates to create in any person any legal rights enforceable in a court or tribunal otherwise than in accordance with the procedures set out in this Act, or\n> > \n> > > (b) affects the validity, or provides grounds for review, of any judicial or administrative act or omission.\n> \n> > (2) A contravention of this Act does not create any criminal liability except to the extent expressly provided by this Act.","sortOrder":84},{"sectionNumber":"72","sectionType":"section","heading":"Protection from liability","content":"#### 72 Protection from liability\n\n72 Protection from liability\n\n> > (1) Civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person by reason only of any of the following acts done in good faith—\n> > \n> > > (a) the making of a complaint or application under this Act,\n> > \n> > > (b) the making of a statement to, or the giving of a document or information to, the Privacy Commissioner, whether or not pursuant to a requirement under section 59 or 63.\n> \n> > (2) If an organisation provides an individual with access to health information under this Act, and the access was required by HPP 7 (Access to health information) or Part 4, or an employee, officer or agent of the organisation believed in good faith that the access was required by HPP 7 or a provision of Part 4—\n> > \n> > > (a) no action for defamation or breach of confidence lies against the organisation, any employee, officer or agent of the organisation or the Crown by reason of the provision of access, and\n> > \n> > > (b) no action for defamation or breach of confidence in respect of any publication involved in, or resulting from, the giving of access lies against the person who provided the health information to the organisation by reason of the person having supplied the health information to the organisation, and\n> > \n> > > (c) the organisation, or any employee, officer or agent of the organisation, or any other person concerned in giving access to the health information is not guilty of an offence merely because of the giving of access.\n> \n> > (3) The provision of access to health information in the circumstances referred to in subsection (2) must not be taken to constitute, for the purposes of the law relating to defamation or breach of confidence, an authorisation or approval of the publication of the health information by the person to whom access to the information is provided.","sortOrder":85},{"sectionNumber":"73","sectionType":"section","heading":"Fees","content":"#### 73 Fees\n\n73 Fees\n\n> > (1) An organisation may charge a fee for any of the following matters—\n> > \n> > > (a) giving an individual a copy of health information,\n> > \n> > > (b) giving an individual an opportunity to inspect and take notes of the health information,\n> > \n> > > (c) amending health information at the request of an individual,\n> > \n> > > (d) any other matter prescribed by the regulations.\n> \n> > (2) Any fee charged must not exceed such fee (if any) prescribed by the regulations for the matter concerned.","sortOrder":86},{"sectionNumber":"74","sectionType":"section","heading":"Proceedings for offences","content":"#### 74 Proceedings for offences\n\n74 Proceedings for offences\n\n> Proceedings for an offence against this Act are to be dealt with summarily before the Local Court.\n> \n> **s 74:** Am 2007 No 94, Sch 2.","sortOrder":87},{"sectionNumber":"75","sectionType":"section","heading":"Regulations","content":"#### 75 Regulations\n\n75 Regulations\n\n> > (1) The Governor may make regulations, not inconsistent with this Act, for or with respect to any matter that by this Act is required or permitted to be prescribed or that is necessary or convenient to be prescribed for carrying out or giving effect to this Act.\n> \n> > (2) Without limiting the generality of subsection (1), regulations may be made for or with respect to the following matters—\n> > \n> > > (a) disapplying any provision or provisions of Part 6 with respect to any private sector person or class of private sector persons, subject to subsection (3),\n> > \n> > > (b) the manner in which health privacy codes of practice are to be prepared and developed,\n> > \n> > > (c) exempting specified persons, private sector persons or public sector agencies, or classes of person, private sector persons or public sector agencies, from—\n> > > \n> > > > (i) any of the requirements of this Act or the regulations relating to the collection, use or disclosure of specified classes of health information, or\n> > > \n> > > > (ii) any other provision of this Act,\n> > \n> > > (d) providing for 2 or more public sector agencies or classes of public sector agencies to be treated as a single agency—\n> > > \n> > > > (i) for the purposes of this Act generally, or\n> > > \n> > > > (ii) for the purposes of specified provisions of this Act, or\n> > > \n> > > > (iii) for the purposes of specified Health Privacy Principles or health privacy codes of practice,\n> > \n> > > (e) providing for 2 or more private sector persons or classes of private sector persons (including private sector persons that are related bodies corporate) to be treated as a single private sector person—\n> > > \n> > > > (i) for the purposes of this Act generally, or\n> > > \n> > > > (ii) for the purposes of specified provisions of this Act, or\n> > > \n> > > > (iii) for the purposes of specified Health Privacy Principles or health privacy codes of practice,\n> > \n> > > (f) the auditing of compliance by organisations with the provisions of this Act, including the types of activities or conduct that may be subject to audit, the persons or bodies by whom an audit may be conducted and the frequency or timing of audits.\n> \n> > (3) A regulation made under subsection (2) (a) applies with respect to a private sector person only for so long as an individual is entitled to make a complaint that an act or practice by the private sector person may be an interference with the privacy of the individual (as referred to in section 13A of the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth) under a Commonwealth privacy code binding the private sector person or class of private sector persons concerned that sets out procedures for making and dealing with complaints in relation to acts or practices of the private sector person or class of private sector persons.\n> \n> > (4) The regulations may create offences punishable by a penalty not exceeding 50 penalty units.\n> \n> > (5) In this section—\n> > \n> > Commonwealth privacy code means a privacy code approved by the Commonwealth Privacy Commissioner under the [Privacy Act 1988](http://www.legislation.gov.au/) of the Commonwealth.\n> > \n> > complaint means a complaint of any kind, regardless of the nature of any remedies that may be available in respect of the complaint.","sortOrder":88},{"sectionNumber":"75A","sectionType":"section","heading":"Regulations with respect to healthcare identifiers","content":"#### 75A Regulations with respect to healthcare identifiers\n\n75A Regulations with respect to healthcare identifiers\n\n> > (1) Without limiting section 75, regulations may be made for or with respect to healthcare identifiers.\n> \n> > (2) In particular, the regulations may specify the circumstances in which a person may or may not use or disclose a healthcare identifier.\n> \n> > (3) A person who uses or discloses a healthcare identifier in contravention of a regulation made under subsection (2) is guilty of an offence.\n> > \n> > Maximum penalty—\n> > \n> > > (a) 600 penalty units in the case of a body corporate, or\n> > \n> > > (b) 120 penalty units or imprisonment for 2 years, or both, in any other case.\n> \n> **s 75A:** Ins 2010 No 96, Sch 3 \\[3\\].","sortOrder":89},{"sectionNumber":"76","sectionType":"section","heading":"Savings and transitional provisions","content":"#### 76 Savings and transitional provisions\n\n76 Savings and transitional provisions\n\n> Schedule 2 has effect.","sortOrder":90},{"sectionNumber":"77","sectionType":"section","heading":null,"content":"#### 77\n\n77 (Repealed)","sortOrder":91},{"sectionNumber":"78","sectionType":"section","heading":"Review of Act","content":"#### 78 Review of Act\n\n78 Review of Act\n\n> > (1) The Minister is to review this Act to determine whether the policy objectives of the Act remain valid and whether the terms of the Act remain appropriate for securing those objectives.\n> \n> > (2) The review is to be undertaken as soon as possible after the period of 5 years from the date of assent to this Act.\n> \n> > (3) A report on the outcome of the review is to be tabled in each House of Parliament within 12 months after the end of the period of 5 years.","sortOrder":93},{"sectionNumber":"Schedule 1","sectionType":"schedule","heading":"Health Privacy Principles","content":"# Schedule 1 Health Privacy Principles\n\nSchedule 1 Health Privacy Principles\n\n(Section 4)\n\n**sch 1:** Am 2006 No 58, Sch 2.21; 2009 No 54, Sch 2.23 \\[5\\] \\[6\\]; 2010 No 34, Sch 2.26 \\[4\\]; 2012 No 39, Sch 1.2 \\[3\\] \\[4\\]; 2016 No 55, Sch 3.15; 2021 No 32, Sch 1.4\\[2\\]–\\[4\\]; 2022 No 59, Sch 1.19\\[1\\]–\\[3\\].","sortOrder":94},{"sectionNumber":"Schedule 2","sectionType":"schedule","heading":"Savings and transitional provisions","content":"# Schedule 2 Savings and transitional provisions\n\nSchedule 2 Savings and transitional provisions\n\n(Section 76)\n\n**sch 2:** Am 2010 No 96, Sch 3 \\[4\\]; 2024 No 22, Sch 4\\[3\\]–\\[5\\].","sortOrder":111},{"sectionNumber":"Schedule 3","sectionType":"schedule","heading":null,"content":"# Schedule 3\n\nSchedule 3 (Repealed)\n\n**sch 3:** Am 2002 No 112, Sch 2.8; 2003 No 40, Sch 2.15. Rep 2005 No 64, Sch 3.","sortOrder":117}],"analysis":{"kimi_summary":{"_metrics":{"provider":"moonshot","completionTokens":3032},"content_quality":"ok","complexity_score":7,"scope_assessment":{"changed":false,"description":"While the Act has been heavily amended since 2002 to cover new technologies (e.g., healthcare identifiers in 2010, electronic record linkage) and expanded agency definitions (e.g., LECC, Inspector of ICAC), these changes represent natural evolution within the health privacy sphere rather than expansion beyond the original purpose of protecting health information and balancing privacy with legitimate use."},"complexity_factors":["47+ defined terms in section 4, including complex nested definitions for 'health service', 'health service provider', and 'public sector agency'","15 Health Privacy Principles (Schedule 1) containing numerous conditional exceptions—HPP 10 (Limits on use) has 11 separate grounds for secondary use, and HPP 11 (Limits on disclosure) has 12 grounds","Dual regulatory tracks with different complaint mechanisms: Part 3 for public sector agencies (linking to the PPIP Act) vs Part 6 for private sector persons (via Privacy Commissioner to NCAT)","Extensive cross-referencing to at least 10 other statutes, including the Commonwealth *Privacy Act 1988*, *State Records Act 1998*, *Government Information (Public Access) Act 2009*, and *Health Care Complaints Act 1993*","Complex transitional provisions (section 19) applying different HPPs to information collected before, during, and after the Act's commencement","Nested exemption structures: section 29 lists 11 specific grounds for refusing access; section 5 lists 15 categories of excluded information; multiple agency-specific exemptions (sections 14–17A)","Interaction with co-regulatory instruments: health privacy codes of practice (Part 5) can modify or exempt compliance with HPPs, creating a three-layer regulatory framework (Act, Principles, Codes)"],"plain_english_summary":"This is New South Wales’ main law protecting the privacy of your medical and health records. It applies to anyone who provides health services—think doctors, hospitals, dentists, psychologists, chiropractors, and even government health agencies.\n\n**What it does:**\nThe Act sets out **15 Health Privacy Principles (HPPs)** that organisations must follow. These rules cover:\n*   **Collection:** Only collect what is necessary, and tell you why it’s being collected.\n*   **Use and disclosure:** Generally, your information can only be used for the reason it was collected. There are specific exceptions—such as emergencies, preventing serious threats to health, research (if de-identified), or where required by law.\n*   **Storage:** Keep records secure and dispose of them safely when no longer needed.\n*   **Access and correction:** You have the right to see your own health records and ask for mistakes to be fixed.\n*   **Anonymity:** Where possible, you should be able to receive services without identifying yourself.\n\n**Who it covers:**\nThe law applies to both **public sector** agencies (like NSW Health) and **private sector** health providers. It does not cover individuals handling family medical records at home, or the media when reporting news.\n\n**How to complain:**\nIf you believe a private provider has breached your privacy, you can complain to the **Privacy Commissioner**, who can try to resolve the dispute. If that fails, you can apply to the **Civil and Administrative Tribunal (NCAT)**, which can award compensation (up to $40,000 against companies or $10,000 against individuals) or order the provider to fix the issue. For public sector agencies, complaints are handled under the *Privacy and Personal Information Protection Act 1998*.\n\n**Record keeping:**\nPrivate doctors and clinics must keep adult health records for **7 years** after the last service, and children’s records until the patient turns **25**.\n\n**Special protections:**\nThe Act creates specific offences for corrupt disclosure of health information by public officials and prohibits intimidation of people trying to access their records."},"summary":{"complexity_score":7,"scope_assessment":{"changed":true,"description":"The Act has been amended over 40 times since its original enactment in 2002, reflecting significant expansion and refinement of its scope. It now covers a broader range of health service providers and data types than originally contemplated, and has been updated to interact with evolving federal privacy law, digital health records, and new health service delivery models. The responsible ministers have also expanded to include Mental Health and Regional Health, suggesting the law's reach has grown beyond its original focus."},"complexity_factors":["Multiple sets of Health Privacy Principles that organisations must comply with, each with detailed sub-rules and exceptions","Covers both public and private sector entities, with different obligations potentially applying to each","Numerous exceptions to privacy protections (e.g. law enforcement, public health, research, emergencies) that require careful interpretation","Interaction with federal privacy legislation (Privacy Act 1988 Cth), requiring understanding of which law applies in which circumstance","Broad definition of 'health information' and 'health service provider' that requires analysis to determine who is covered","Complaint and enforcement mechanisms involve multiple steps and bodies (Privacy Commissioner, Administrative Decisions Tribunal/NCAT)","Extensive amendment history — over 40 versions since 2002 — meaning the law has evolved significantly and tracking current obligations requires care","Special rules for sensitive categories such as mental health, genetic information, and deceased persons"],"plain_english_summary":"## Health Records and Information Privacy Act 2002 (NSW)\n\n**What is this law?**\nThis is a New South Wales law that protects the privacy of your personal health information. It controls how organisations — including doctors, hospitals, pharmacists, health insurers, and other health service providers — can collect, store, use, and share your medical and health records.\n\n**Who does it affect?**\n- **Patients and individuals:** Anyone who has ever seen a doctor, gone to hospital, or received any health service in NSW. This law gives you rights over your own health information.\n- **Health organisations:** Public and private sector health service providers in NSW — including GPs, specialists, hospitals, allied health practitioners (like physios and psychologists), pharmacies, and health insurers.\n\n**What rights does it give you?**\n- You generally have the right to **access your own health records**.\n- You can request that incorrect information be **corrected**.\n- Your health information **cannot be shared** without your consent in most circumstances — for example, your doctor generally can't tell your employer about your medical condition.\n- You can **make a complaint** if you think your health privacy has been breached.\n\n**What rules does it impose on health organisations?**\nOrganisations must follow a set of **Health Privacy Principles** (think of these as a rulebook for handling your health data). These cover things like:\n- Only collecting health information that is actually needed\n- Keeping your information secure\n- Only using it for the purpose it was collected\n- Not sharing it with third parties without your consent (with some exceptions, like emergencies or legal requirements)\n\n**Who enforces it?**\nThe NSW **Privacy Commissioner** oversees compliance and can investigate complaints.\n\n**Why does it matter?**\nHealth information is among the most sensitive personal data there is. This law ensures that your medical history, mental health records, and other health details stay private and are only used in ways you'd expect — primarily to help treat you."},"flash_summary":{"complexity_score":8,"scope_assessment":{"changed":true,"description":"The text of the Act as provided shows the original framework has been modified over time by multiple amendments and additions reflected in the in-text amendment notes (see s 4 amendment annotations). Concrete scope changes visible in the source include: the explicit inclusion of healthcare identifiers in the definition of health information (s 6(e)) and related regulation-making and offence powers (s 75A); the insertion of an exemption for certain translation services (s 17A); expanded Privacy Commissioner powers to issue directions exempting or modifying application of HPPs (s 62, noting 2019 and 2026 amendment references); and application adjustments for State owned corporations in Schedule 2, Part 2 (cl 3). The Act therefore contains layers of added provisions, new offences, new exclusions and expanded regulatory levers that alter the original practical scope of obligations and the range of entities and circumstances to which the HPPs apply (as evidenced by the amendment notes and inserted clauses cited above)."},"complexity_factors":["Extensive cross-references to other NSW and Commonwealth statutes (e.g. Privacy Act 1988, State Records Act 1998, various investigative and health statutes).","Many detailed exceptions and carve-outs within the Health Privacy Principles (HPPs 10 and 11 contain numerous specific permitted secondary purposes and conditions).","Separate procedural regimes for public sector agencies and private sector persons with overlapping but distinct obligations (Parts 3 and 4).","Discretionary powers given to the Privacy Commissioner (investigatory powers, guideline-making, exemption/ modification directions) and to the Minister (making codes), creating multiple administrative levers (ss 40, 59–64, 62).","Health privacy codes of practice can modify or exempt application of HPPs to particular classes or activities (ss 38–39), producing variability across sectors.","Detailed operational requirements for access and amendment by individuals (written request forms, 45‑day deadlines, ID checks, fees) that require internal process and record systems (Part 4, Divs 3–4).","Criminal and civil consequences are split across provisions (penalties for corrupt disclosure, penalties for non-compliance notices, Tribunal damages capped by class of respondent), producing multiple enforcement pathways (ss 54, 68–70).","Multiple amendment and transitional provisions and numerous historical amendment notes visible in the text, indicating layered changes over time (see amendment notes in s 4 and elsewhere)."],"plain_english_summary":"### What this law does, in plain terms\n\nThis Act sets rules for how \"health information\" must be handled in New South Wales. It defines who the rules apply to (organisations that provide health services or that collect, hold or use health information) and sets out a set of Health Privacy Principles (HPPs) that deal with: collection, retention and security, access, amendment, accuracy, limits on use and disclosure, identifiers, anonymity, transborder transfers and record linkage (see Schedule 1, HPPs 1–15). (See particularly s 11 and Schedule 1.)\n\nThe Act also:\n- creates a complaints and enforcement scheme centred on the NSW Privacy Commissioner (functions and powers at s 58–64) and provides a route to the Civil and Administrative Tribunal for certain disputes (Part 6, especially ss 42–54);\n- allows health privacy codes of practice to be developed and to modify how HPPs apply to particular organisations or activities (Part 5, especially ss 38–40);\n- sets retention rules for private health service providers (retain adult records for 7 years; records collected while under 18 retained until 25) and requires records of deletion or transfers (s 25);\n- creates specific offences and penalties for corrupt or unlawful disclosure or trading in unlawfully disclosed health information (ss 68–69), and for intimidation and misrepresentation designed to stop people seeking access or making complaints (s 70);\n- provides a number of exemptions and carve-outs for particular bodies or activities (for example, investigative agencies, certain news activities, group practices and specified bodies — see ss 15–17, and other specific subclauses in Schedule 1).\n\nWho is affected\n- Individuals: gain rights to be informed, to access and seek amendment of health information, and to complain if principles are breached (HPPs 4, 7, 8; Part 6).\n- Organisations that hold or use health information: public sector agencies, private health service providers and other private sector persons must follow the HPPs and Part 4 provisions unless an explicit exemption applies (s 11 and Schedule 1).\n- The Privacy Commissioner and the Tribunal: exercise supervisory, investigatory and remedial powers (Part 6 and Part 7).\n\nWhy it matters (mechanically)\n- It creates legal duties that change what organisations must do operationally: limit and justify collection (HPP 1), keep records only as long as necessary and secure them (HPP 5), respond to access and amendment requests within defined timeframes (Part 4, ss 26–34), and restrict reuse, disclosure and cross-border transfers except where specified exceptions apply (HPPs 10, 11, 14). Those duties impose compliance costs (policies, staff training, recordkeeping, security), create friction for data sharing, and give individuals formal mechanisms for redress.\n\nImplementation mechanics, incentives and costs (source-linked)\n- Who pays: organisations bear the direct costs of compliance — e.g. retention, responding to access/amendment requests (private-sector timeframes and fees allowed, ss 26–31, 73), security safeguards (HPP 5), and possible damages or remedial orders if the Tribunal finds a contravention (s 54).\n- Who decides and where discretion sits: the Privacy Commissioner has significant discretionary powers to investigate, conciliate, require information from organisations (ss 59–64), and can exempt or modify application of HPPs to organisations (s 62) — but s 62 requires consultation with the Attorney General and Ministerial approval. The Minister also formally makes health privacy codes of practice (s 40), and regulations can further modify scope (s 75).\n- Compliance burden and operational detail: private health service providers have explicit retention and recordkeeping duties (s 25). Private sector access and amendment processes are prescribed in detail (ss 26–36) including written request requirements, 45‑day response deadlines (ss 26, 27, 34), reasonable proof of identity/authority (ss 31, 36) and the ability to charge capped fees (s 73). These create predictable operating procedures but require internal processes and record systems.\n- Trade-offs and exceptions: the HPPs themselves contain many specified exceptions that allow use or disclosure without consent for emergencies, serious threats to health, management of health services, training, research (often only where de-identification is used), law enforcement, investigative agencies and specified regulatory or contractual circumstances (HPPs 10 and 11). Those enumerated exceptions provide operational flexibility but also complicate compliance because organisations must identify which exception applies and meet the conditions in those clauses.\n- Data sharing and identifiers: rules restrict adopting or using public-sector identifiers unless consent or specific conditions are met (HPP 12) and restrict transfers outside NSW unless equivalent protections exist or another listed condition applies (HPP 14). These clauses affect how private-sector entities integrate with public systems or cross-border providers.\n\nGovernance levers and risks visible in the text\n- Codes of practice and regulations can change how the HPPs apply to a whole class of organisations or activities (ss 38–40, s 75). The Act permits organisations or the Privacy Commissioner to initiate codes (s 40(1)–(2)). That creates a pathway for industry-specific rules to be designed and formalised.\n- The Privacy Commissioner can make binding directions that exempt or modify HPPs for organisations (s 62), but only after consultation and Ministerial approval. This is a concrete mechanism that can change obligations without primary-legislation amendment.\n- Multiple carve-outs and cross-references to other NSW and Commonwealth statutes mean compliance requires checking other laws and regulations (e.g. State Records Act, Privacy Act 1988, law enforcement and public interest disclosure laws). Those cross-links increase legal complexity for implementers (see s 4(2) and many HPP cross-references).\n\nPractical immediate effects for everyday actors\n- Individuals: can ask who holds their health information, request access and corrections, and complain to the Privacy Commissioner (Schedule 1 HPP 6–8; Part 6).\n- Small and large providers: must adopt documented processes for collecting only what is necessary, securing and retaining information for specified periods, responding to access/amendment requests within 45 days (private sector), and complying with code or Commissioner directions where applicable.\n\nSections cited frequently: s 11 (application to organisations), Schedule 1 (HPPs 1–15), Part 4 (private sector obligations, ss 25–37), Part 5 (codes of practice, ss 38–40), Part 6 (complaints and Tribunal remedies, ss 42–54), Part 7 (Privacy Commissioner powers, ss 58–64), offence provisions (ss 68–70), regulations and penalties (ss 75–75A)."},"issue_detection":{"absurdities":[],"contradictions":[]}},"importantCases":[],"_links":{"self":"/api/acts/health-records-and-information-privacy-act-2002","history":"/api/acts/health-records-and-information-privacy-act-2002/history","analysis":"/api/acts/health-records-and-information-privacy-act-2002/analysis","conflicts":"/api/acts/health-records-and-information-privacy-act-2002/conflicts","importantCases":"/api/acts/health-records-and-information-privacy-act-2002/important-cases","documents":"/api/acts/health-records-and-information-privacy-act-2002/documents"}}