PRIVACY AND NATURAL MEDICINE PRACTITIONERS

Transcription

1 PRIVACY AND NATURAL MEDICINE PRACTITIONERS Table of Contents Introduction... 3 Privacy Key Concepts... 4 Summary of a Practitioner s Privacy Obligations... 5 Collecting Information... 5 Storage and Maintenance... 5 Use and Disclosure of Information... 6 Access (by the individual) to information... 6 Openness... 6 Frequently Asked Questions... 7 I am a sole operator self employed natural medicine practitioner. Do the Privacy Rules apply to me?... 7 I have been told that my State/Territory does not have any specific Privacy legislation for private health care providers. Does this mean I am not bound by any Privacy Legislation?... 7 I work in a health food shop or pharmacy. My job is to talk to people in the general public area. I don t do full consultations and therefore do not consider I am working as a natural medicine practitioner. Do I have any Privacy obligations?... 7 How long do I need to keep a patient s records for?... 8 Who owns the records, me or the clinic owner?... 8 What should I tell a patient about my collection of their health and other information?.. 10 Do I need to have a Privacy Policy? What is required to keep records securely? What does access to records mean? Can access be refused? What if a record needs to be amended? Can I charge for access and/or correction to a record? Can I share a patient s health information with another person or practitioner? ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 1 of 24

2 My records for a patient contain information which was given to me by another practitioner in confidence. Do I need to provide access to this information? Additional Resources ATMS Federal Other Jurisdictions Victoria New South Wales Queensland Western Australia South Australia Tasmania Northern Territory Australian Capital Territory DISCLAIMER ATMS is not authorised to provide legal advice, and this document does not purport to provide any legal advice or guidance. All reasonable care was taken in its compilation, but compliance with Privacy Legislation remains at all times the sole responsibility of the individual. Individuals should seek their own independent legal advice if required. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 2 of 24

3 PRIVACY AND NATURAL MEDICINE PRACTITIONERS Introduction The issue of Privacy in the health care setting is incredibly important. Unfortunately as each State and Territory along with the Federal Government all have oversight responsibilities in this area, it can also be complex. Regardless however of how complex the situation might be, every natural medicine practitioner has an unambiguous duty and responsibility to ensure he or she fully complies with all Privacy requirements which apply to them in their individual situation. This Australian Traditional-Medicine Society (ATMS) Fact Sheet does not attempt to set out the relevant criteria and responsibilities for each and every situation. Rather it sets out some general guidelines, FAQs and identifies the various resources where a practitioner may seek further information specific to their situation. The preparation of this document has relied heavily on the information provided by The Office of the Australian Information Commissioner (formerly the Office of the Federal Privacy Commissioner). This approach has been taken as the Federal requirements apply to all practitioners. The information and guidelines provided by the Office of the Australian Information Commissioner (OIAC) will also in many instances be reflective of that contained in the various State and Territory Privacy Legislation. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 3 of 24

4 Privacy Key Concepts The relevant Federal Privacy legislation (the Privacy Amendment (Private Sector) Act 2000 and the Privacy Act 1988) establishes ten National Privacy Principles (NPPs). The OIAC Guidelines on Privacy in the Private Health Sector, (available at summarises the key concepts set out in these NPPs as: Access This involves a health service provider giving an individual information about themselves. Access may include inspecting personal information or having a copy of it. Collection A health service provider collects personal information if it gathers, acquires or obtains personal information from any source and by any means. Collection includes when a health service provider keeps personal information it has not asked for or it has come across by accident. Disclosure In general terms, a health service provider discloses personal information when it releases information to others outside the organisation. Disclosure does not include giving an individual information about themselves (this is access, see above). Use In general terms, use of personal information refers to the handling of personal information within an organisation, including the inclusion of information in a publication. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 4 of 24

5 Summary of a Practitioner s Privacy Obligations The OIAC Guidelines on Privacy in the Private Health Sector also provide a summary of the obligations arising under the ten National Privacy Principles. Before these are set out it is critically important to note that the following is only a summary. Additional obligations might arise in a specific circumstance, or by virtue of applicable State or Territory Privacy Law. Therefore it is essential that every practitioner is fully cognisant of their individual Privacy obligations. See the section Further Information for details of where additional information concerning State and Territory legislation may be found. The summary contained in the OIAC Guidelines on Privacy in the Private Health Sector of the obligations of a practitioner arising under the ten National Privacy Principles is: Collecting Information Only collect health information necessary for your functions or activities. Use fair and lawful ways to collect health information. Collect health information directly from an individual if it is reasonable and practicable to do so. At the time you collect health information or as soon as practicable afterwards, take reasonable steps to make an individual aware of: why you are collecting information about them; who else you might give it to; and other specified matters. Take reasonable steps to ensure the individual is aware of the above points even if you collect information about them from someone else. Get consent to collect health information, unless an exemption applies. If it is lawful and practicable to do so, give people the option of interacting with you anonymously. Storage and Maintenance Take reasonable steps to ensure the health information you collect, use or disclose is accurate, complete and up-to-date. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 5 of 24

6 Take reasonable steps to protect the health information you hold from misuse and loss and from unauthorised access, modification or disclosure. Take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for any further purposes. Use and Disclosure of Information Only use or disclose health information for the primary purpose of collection unless one of the exceptions in NPP 2.1 applies (for example, if it is for a directly related secondary purpose within the individual s reasonable expectations, if you have consent, or where there are specified law enforcement or public health and public safety circumstances). Only adopt, use or disclose a Commonwealth government identifier if particular circumstances apply that allow you to do so. Only transfer health information overseas if you have checked that you meet the requirements of NPP 9. Access (by the individual) to information If an individual asks, give them access to the health information you hold about them unless particular circumstances apply that allow you to deny access these include where there is a serious threat to life or health. (ATMS expects that whenever reasonable access will be provided in the manner requested by the individual. For example, if a person requests a copy of their records, then a copy will be provided.) Openness Have a short document that sets out your policies on how you manage health information. Make it available to anyone who asks for it. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 6 of 24

7 Frequently Asked Questions The above key concepts and summary answer, in a general way, many queries in respect of Privacy. The information service provided by ATMS for members however receives specific inquiries regarding Privacy. Some of the more common ones are: I am a sole operator self employed natural medicine practitioner. Do the Privacy Rules apply to me? Yes. All organisations that provide a health service are covered by at least the Federal Privacy Act 1988 (whether or not they are small businesses). Additional State or Territory legislation might also apply. Organisations providing a health service include natural medicine practitioners such as naturopaths, massage therapists etc. All practitioners accredited by ATMS are subject to the Privacy Rules. I have been told that my State/Territory does not have any specific Privacy legislation for private health care providers. Does this mean I am not bound by any Privacy Legislation? No. The Federal Government Federal Privacy Act 1988, the Privacy Amendment (Private Sector) Act 2000 and the National Privacy Principles (NPPs) apply to ALL health service providers in the private sector, regardless of whether or not any separate State or Territory legislation exists. Therefore all ATMS accredited practitioners must as a minimum make sure they comply with the applicable requirements of Federal Privacy Act 1988, the Privacy Amendment (Private Sector) Act 2000 and the National Privacy Principles. I work in a health food shop or pharmacy. My job is to talk to people in the general public area. I don t do full consultations and therefore do not consider I am working as a natural medicine practitioner. Do I have any Privacy obligations? In most cases, the answer is yes. When you collect a person s sensitive information or discuss their symptoms with them, the person may have concerns about discussing their health issues in public. Where conversations may be overheard, they should be conducted in a manner sensitive to the surroundings. Depending on the circumstances, you may need to take ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 7 of 24

8 additional steps to protect the person s privacy, such as taking them to a more private area. Be mindful that even calling out a person s name might be inappropriate in some circumstances. How long do I need to keep a patient s records for? Perhaps the most common question. There are unfortunately various answers. Insurers, and by implication Compensation Courts, would prefer that records are kept indefinitely. Most of the applicable Privacy Legislation require that records be kept for a minimum of 7 years. In the case of treatment provided to a child, (anyone under the age of 18), the records must be kept until the person has reached the age of 25. The Chinese Medicine Registration Board however require that TCM practitioners in Victoria maintain records for at least 12 years, and longer if possible. The ATMS position is that records be securely maintained for at least 12 years, or until the person turns 25, whichever is the longer period. This will meet all current (at the time of writing) requirements. If however you can reasonably and securely store the records for a longer period, then this should be considered. The above position is consistent with the advice provided in the NSW Government publication Your Legal Obligations Under The Hrip Act The 15 Health Privacy Principles (HPPs) which notes that if other legislation requires you to retain records for a minimum period, then this must be followed. (Available at t2#2.4) However should a patient request you destroy his or her records, you must check the specific legislation that applies in your situation and if destruction is permitted under that specific legislation, you must act to securely destroy the records. Who owns the records, me or the clinic owner? Perhaps the second most common question, and the one that causes most angst. Unfortunately there is no clear answer which will apply in all cases, and who has the responsibility for a patient s records will depend on the facts of each individual circumstance. In some instances it might be the person who wrote the records who is responsible for the records. In some other ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 8 of 24

9 instances the clinic owner might more properly be responsible for the safe storage and ongoing access to the records. However an overriding consideration is always that the person to whom the records relate must be able to have access to the records. So in reality the question is not who owns the records, but who has the responsibility for securely storing the records for the required period and for subsequently ensuring the patient/client can have access to those records if requested. Disputes about who is to maintain a person s records are best prevented, rather than attempted to be cured. In this regard, other Privacy considerations are useful. As explained in the next two questions, what a person should be told at time of collection and what information should be contained in the mandatory Privacy Policy should also prompt and guide practitioners and clinic owners in ensuring that this question of who is responsible for a person s records when a practitioner leaves the clinic is addressed at the time the person s health information is first collected. In particular the Office of the Federal Privacy Commissioner Guidelines on Privacy in the Private Health Sector make it clear that Advising the individual, at the time health information is collected, about how the health service provider will handle their information is an important part of protecting privacy. This guidance from the Office of the Federal Privacy Commissioner would apply to ensure that the person is made aware of what will happen to their health records if the practitioner should leave the clinic. Accordingly prevention may always be achieved by the clinic owner and the practitioner establishing clearly and in writing before any problems arise as to what will happen with a patient s records once the relationship between the practitioner and clinic owner ends. This agreement should then be reflected in the clinic s Privacy Policy and also reiterated in the information provided to each person at the initial consultation regarding the collection, access etc of their private health information. What if there is no agreement and a dispute arises? Again it must be stressed there is no black and white answer, and each case will depend on its individual merits. However always remember that the overriding consideration is that the person to whom the records relate ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 9 of 24

10 must be able to have access to the records. Consequently if at all reasonable one suggestion is that the parties agree to seek the patient s wishes as to who should now store the records, and those wishes should be recorded and followed if there is a dispute. This however is only a suggestion, and may not be suitable or appropriate for all cases. And a final word here. Remember that under the NPPs, a person s health records may only be used for the purpose they were obtained. This will generally exclude most marketing initiatives. What should I tell a patient about my collection of their health and other information? The Office of the Federal Privacy Commissioner Guidelines on Privacy in the Private Health Sector make it clear that Advising the individual, at the time health information is collected, about how the health service provider will handle their information is an important part of protecting privacy. At the time he/she collects the information, or as soon as practicable afterwards, a health service provider should take reasonable steps to make the individual aware of a number of things including: the identity of the organisation and how to contact it; the purposes for which the information was collected; what organisations the information could be given to; the fact that the individual can access the information held by the provider; any law that requires the particular information to be collected; and the main consequences (if any) for the individual if all or part of the information is not provided What is 'practicable' and what is 'reasonable' will depend on the circumstances. For example, these may relate to the costs involved, or the circumstances of collection such as whether the information is collected in an emergency. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 10 of 24

11 Do I need to have a Privacy Policy? Yes. You are required to develop a document explaining how you handle personal information. This document is often referred to as a Privacy Policy. The detail and length of the policy will depend on the size of the clinic. However as explained in the Office of the Federal Privacy Commissioner Guidelines on Privacy in the Private Health Sector a health service provider also has obligations under National Privacy Principle 1.3 to inform an individual, at the time of collection, about how their information will be handled. While a Privacy Policy can assist in meeting some of these obligations, other information is likely to be required around the time of collection, to fully satisfy this provision. Most ATMS practitioners are self employed sole or small operator healthcare providers. Consequently most ATMS practitioners would be able to rely on a straightforward policy explaining, in simple terms, how and what information is collected and the privacy safeguards the practitioner/practice has in place to protect information. Reference should be made to the fact the practitioner/practice is bound by the Privacy Act and other relevant Privacy legislation; that the practitioner is also bound by the ATMS Code of Conduct; and that a patient can get more information, on request, about the way the practitioner/practice manages personal information held. The Privacy Policy can be made available in a number of ways, depending on what is most effective in the circumstances. For example, it could be on a sign in a practice or in a printout or a pamphlet that could be handed out by the health service provider if someone asks for it. When deciding how best to make the policy available, a key factor will be to ensure that individuals are able to readily access and as far as possible be able to understand the policy. For example, additional assistance or explanation may be needed for people whose first language is a language other than English, people with disabilities or for people with literacy difficulties. As not all individuals have access to a computer or the Internet, a policy placed only on a website may not be sufficient and you may need to make the policy available in other forms. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 11 of 24

12 What is required to keep records securely? The NSW Government publication Your Legal Obligations Under The Hrip Act The 15 Health Privacy Principles (HPPs) provides: You must take such security safeguards as are reasonable in the circumstances to protect the security of the health information. If health information is not held and managed securely, the risks of privacy breaches (intentional and unintentional) are increased. Some reasonable physical safeguards might include: Locking filing cabinets and unattended storage areas Physically securing the areas in which the health information is stored Not storing health information in public areas Positioning computer terminals and fax machines so that they cannot be seen or accessed by unauthorised people or members of the public. Some reasonable technical safeguards might include: Using passwords to restrict computer access, and requiring regular changes to passwords At least one back up of health information is stored on a physically separate drive, and this back up drive is kept securely and with all the protections applying to the source drive Establishing different access levels so that not all staff can view all information Ensuring information is transferred securely (for example, not transmitting health information via non-secure ) Using electronic audit trails Installing virus protections and firewalls. Some reasonable administrative safeguards might include: Introducing appropriate policies and procedures to address information security Training staff on those policies and procedures. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 12 of 24

13 What does access to records mean? Access may be provided in a number of different ways. Several suggested by the NSW Government in its publication Your Legal Obligations Under The Hrip Act The 15 Health Privacy Principles (HPPs) are: giving the person a copy of the health information providing a reasonable opportunity for the patient to inspect the health information, take notes on its contents and talk through the contents with an appropriate staff member, if required allowing the person to listen to or view the contents of an audio or visual recording giving the person a print-out of the information if it is stored electronically, or giving them an electronic copy of the information. Consistent with the above Guidelines, ATMS expects that practitioners will grant access to a person in the particular form it is requested. For example, if a patient requests a paper copy of their records, then access should be provided by supplying a photocopy, printout etc of the record. Exceptions to this might occur if it would result in an unreasonable financial strain, be detrimental to the preservation of the information or involve an infringement of copyright. If so, access should still be provided in some other convenient form. Can access be refused? It is generally expected that access will be granted. Access may be refused in some limited circumstances. The Federal National Privacy Principle 6.1 says: If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that: (a) in the case of personal information other than health information providing access would pose a serious and imminent threat to the life or health of any individual; or ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 13 of 24

14 (b) in the case of health information'' providing access would pose a serious threat to the life or health of any individual; or (c) providing access would have an unreasonable impact upon the privacy of other individuals; or (d) the request for access is frivolous or vexatious; or (e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or (f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or (g) providing access would be unlawful; or (h) denying access is required or authorised by or under law; or (i) providing access would be likely to prejudice an investigation of possible unlawful activity; or (j) providing access would be likely to prejudice: (i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or (ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or (iii) the protection of the public revenue; or (iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or (v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders; ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 14 of 24

15 by or on behalf of an enforcement body; or (k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia. Further exemptions might apply under other legislation. Where access is denied some legislation requires, and ATMS expects, that the person seeking access will be given written reasons as to why access has been denied. ATMS further expects that an ATMS practitioner would advise the person that if they felt the decision by the practitioner was unreasonable they may contact ATMS to inquire about lodging a complaint. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 15 of 24

16 What if a record needs to be amended? The first guiding principle here is that if a record is found to contain information that is incorrect, misleading, irrelevant, out of date etc, then it must be corrected. If there is disagreement about the accuracy of the information, the practitioner should on request associate a statement setting out the patient s concerns with the information in question. The second guiding principle is that the correction should if possible be carried out in such a way that it is possible to identify what it was that was corrected. This means that the use of correcting fluid, tape, erasures etc should be avoided. The incorrect record should be annotated in such a way that it is still legible but which clearly shows that it is subject to a correction. The correction must then be entered and clearly identified as correcting the relevant section. If a large section needs correcting, for example an entire page, it will generally be most useful to write an entire new record, but keeping the old record attached to the new. Can I charge for access and/or correction to a record? ATMS encourages practitioners to provide access and amendment to a patient s records without charge. However you may charge an administrative fee provided that fee is not excessive and does not discourage a person seeking access to their records. ATMS expects that if charged, any administrative fee would be unambiguously reasonable and able to be fully justified. In most cases a patient may complain about an unreasonable fee to the relevant State or Territory Government Authority. A person may also complain to ATMS if the fee charged by an ATMS practitioner was thought to be excessive. Can I share a patient s health information with another person or practitioner? The various pieces of Legislation provide quite a wide range of rules and conditions which must be applied when sharing health information. The general rule to apply is to always fully explain to the patient why you wish to share their information, and what information will be shared, and then obtain the patient s written permission before you divulge any of their health information to any person. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 16 of 24

17 If you work within a multi-disciplinary/practitioner team it is often necessary to share information to deliver optimum health care. When first collecting information, the patient should be advised of this fact, and you should discuss with the patient how this approach to treatment will affect the handling of their health information. That this disclosure occurred, and the outcome, should be recorded in writing and acknowledged in writing by the patient. In the very rare (for a natural medicine practitioner) circumstance of an emergency, health information may be disclosed without prior permission. There are limitations however that still apply. These are explained by the OAIC at as follows: The patient must be physically or legally incapable of giving consent The disclosure must be necessary for the care or treatment, or for compassionate reasons (in the health service provider's opinion) The disclosure cannot go against a patient s known wishes No more information should be shared than what is necessary for the care, treatment or for compassionate reasons. You also can not disclose information to just anyone. In an emergency, information may only be shared with: A spouse, de facto, or someone the patient is in an intimate relationship with A parent A child aged 18 or older A guardian A relative in the patient s household A person with an enduring power of attorney' for health decisions (a legal document that allows someone to handle certain affairs even if a person loses mental capacity) Someone nominated by the patient as an emergency contact. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 17 of 24

18 My records for a patient contain information which was given to me by another practitioner in confidence. Do I need to provide access to this information? Yes. Access to information may only be refused if specifically allowed for under the relevant legislation. See Can access be refused? above. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 18 of 24

19 Additional Resources ATMS ATMS members may contact ATMS on to seek information/advice on a specific Privacy matter. Federal Historically the Office of the Privacy Commissioner administered the Federal Privacy Act 1988 and the Privacy Amendment (Private Sector) Act On 1 November 2010 this Office was integrated into the Office of the Australian Information Commissioner (OAIC). An interim site for the OAIC is available at The site will be maintained until a site incorporating all OAIC material is established. OAIC also administers the National Privacy Principles (NPPs). These are the base line privacy standards which some private sector organisations need to comply with in relation to personal information they hold. All health service providers in the private sector need to comply with the Federal Privacy Act 1988, the Privacy Amendment (Private Sector) Act 2000 and the National Privacy Principles (NPPs). The NPPs, a Summary and Guidelines to their use may be accessed via The OAIC website also hosts a detailed and informative FAQ section at Other Jurisdictions The following is an abridged and annotated version of the additional information provided at the OIAC site at It is a useful summary of the various other jurisdiction schemes: ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 19 of 24

20 Victoria The Victorian Information Privacy Act 2000 (VIP Act) came into effect on 1 September The VIP Act covers the handling of all personal information except health information in the public sector in Victoria. This Act adopts ten Information Privacy Principles which are similar to the NPPs set out in the Federal Privacy Act. The Office of the Victorian Privacy Commissioner has more information. The Victorian Health Records Act 2001 (Health Records Act) came into effect from 1 July This Act covers the handling of all personal information held by health service providers in the State public sector and also seeks to govern acts or practices in the Victorian private health sector. The Health Records Act contains a set of principles adapted from the National Privacy Principles. The Office of the Health Services Commissioner provides more information on the operation and application of the Health Records Act. The Office of the Health Services Commissioner may be accessed at The Charter of Human Rights and Responsibilities Act 2006 commenced on 1 January 2007 and became fully operational on 1 January The Charter incorporates a general right to privacy for individuals in addition to other rights, and is administered by the Victorian Equal Opportunity and Human Rights Commission. New South Wales The Privacy and Personal Information Protection Act 1998 (PPIP Act) deals with how all New South Wales public sector agencies manage personal information. It also sets out the role of the Office of the New South Wales Privacy Commissioner. While the PPIP Act applies primarily to the New South Wale public sector, it gives the New South Wales Privacy Commissioner the power to investigate and conciliate privacy breaches by organisations and individuals who are not public sector agencies. The Health Records and Information Privacy Act 2002 (HRIP Act) came into effect on 1 September It governs the handling of health information in the public sector, and it also ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 20 of 24

21 seeks to regulate the handling of health information in the private sector in New South Wales. In December 2004 Privacy NSW developed four statutory guidelines under the HRIP Act. These guidelines are legally binding documents that define the scope of particular exemptions in the health privacy principles. The 15 NSW Health Privacy Principles (HPPs) are the key to the HRIP Act. They are legal obligations describing what NSW public sector agencies and private sector organisations and individuals, including natural medicine practitioners, must do when they handle health information. The 15 HPPs lay down the basic rules of what an organisation/practitioner must do when it collects, stores, uses and discloses health information. The HPPs also cover access and correction rights. For more on NSW requirements see Privacy NSW, (Office of the NSW Privacy Commissioner) at A plain English guide to the 15 HPPs may be accessed at Queensland The Information Privacy Act 2009 regulates the handling of personal information by Queensland government agencies. It contains 11 Information Privacy Principles which set out the way that all Queensland government agencies except Queensland Health are to handle personal information. It also contains nine National Privacy Principles which set out the way that Queensland Health is to handle personal information. For further information, see the Queensland Office of the Information Commissioner s website at Before the commencement of the Information Privacy Act 2009, a privacy scheme applied to Queensland government agencies and most statutory government-owned corporations. The regime, based on the federal Information Privacy Principles, included Information Standards and Privacy Guidelines. To ensure a nationally consistent approach between the Queensland ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 21 of 24

22 public health sector and private health sectors, the scheme required Queensland Health to comply with principles which were the same as the 10 federal NPPs. The Queensland Health Quality and Complaints Commission provides an enquiry service and a health complaint system, including privacy-related complaints involving the State public health sector. The Queensland Health Quality and Complaints Commission may be accessed at Western Australia The State public sector in Western Australia does not currently have a legislative privacy regime. Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act On 28 March 2007 the Information Privacy Bill 2007 was introduced to the WA Parliament. This Bill establishes a set of Information Privacy Principles and regulate the handling of personal information by the public sector and the handling of health information by the public and private sectors. It will also establish an Information and Privacy Commissioner (encompassing the current Information Commissioner) and provide for that Office to be amalgamated with the Office of the Western Australian Ombudsman. The current Office of the Information Commissioner (WA) may be accessed at South Australia South Australia has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles and has established a privacy committee. South Australia also has a Code of Fair Information Practice based on the National Privacy Principles. This Code applies to the South Australian Department of Health and its funded service providers and to others with access to the Department s personal information. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 22 of 24

23 The Information Privacy Principles may be accessed at Tasmania In 1997 Tasmania issued Information Privacy Principles based on the federal Privacy Act and recommended the principles to Tasmanian government agencies. These Information Privacy Principles have been superseded by the Personal Information and Protection Act 2004 which came into effect on 5 September It applies to the public and local government sectors and the University of Tasmania. The Act is administered by the Department of Justice and complaints may be made to the Tasmanian Ombudsman. General information on the Act is hosted on the Department of Premier and Cabinet web site. Northern Territory The Information Commissioner for the Northern Territory is the independent authority responsible for overseeing the Freedom of Information (FOI) and privacy provisions of the Northern Territory Information Act 2002 (Information Act). The Information Act which covers the protection of personal information, record keeping and archive management of information held in the public sector was passed in October 2002 and commenced 1 July The Information Act incorporates FOI, privacy principles and record and archive management. The Office Of The Information Commissioner Northern Territory may be accessed at Australian Capital Territory The federal Privacy Act in a slightly amended version applies to Australian Capital Territory government agencies and is administered by the Privacy Commissioner on behalf of the ACT government. The Health Records (Privacy and Access) Act 1997 (Health Records Act) covers health records held in the public sector in the ACT and also seeks to apply to acts or practices in the private sector not covered by the Privacy Act. The Health Records Act contains privacy principles based on the federal legislation but modified to suit the requirements of health records. The Human Rights Commission handles health record privacy complaints. ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 23 of 24

24 The ACT has also enacted the Human Rights Act 2004 which incorporates a right for an individual not to have their privacy, family, home or correspondence interfered with unlawfully or arbitrarily. The ACT Human Rights Commission may be accessed at ATMS Privacy and Natural Medicine Practitioners V2/Feb 2012/s/drive/Privacy Page 24 of 24