Submission to the Information and Privacy Commission NSW on draft access resources

27 November 2014

Thank you for the opportunity to comment on the draft access resources developed for stakeholders when seeking or providing access to health records under the NSW Health Records and Information Privacy Act 2002 (HRIP Act).

As you know, the Privacy Act 1988 (Cth) regulates the handling of personal information by entities, including private sector health service providers throughout Australia. Given that private health service providers in NSW are covered by both NSW and federal privacy legislation, I am keen to ensure as much consistency as possible in the guidance developed for these providers by our respective offices. Consistency will lead to greater clarity among health service providers as to what privacy standards they need to meet.

With this aim in mind, we have some suggestions for how the checklist for organisations could be amended to guide health service providers who are covered by both Acts. For example:

  • The first checklist question on HRIP Act coverage may not clearly reflect the regulatory position for private sector entities. The first question asks whether the entity is covered by the HRIP Act. If the answer to that question is No, there is a note to say ‘you may be regulated by the Federal Privacy Act 1988 and need to apply these provisions’. This may imply that entities covered by the HRIP Act (and therefore answering ‘yes’ to the question) do not need to consider the application of the Privacy Act 1988.

  • The checklist refers to the s 26 HRIP Act requirement for access requests to be in writing. The Privacy Act has no such requirement and, in addition, our office encourages entities to provide access in a manner that is as prompt, uncomplicated and inexpensive as possible. Would it be possible to use s 32 of the HRIP Act (which provides for alternative arrangements for access) to encourage similar flexibility in approach?

  • The HRIP Act requires an entity to respond to an access request within 45 days, while our office requires a response within a reasonable period, which generally should not exceed 30 days.

We would like to offer to assist your office to explore the possibility of further developing the guidance for private health service providers which takes into account the various jurisdictional requirements such that providers can rely on it to comply with all of their privacy obligations. We would be pleased to discuss this further.

In addition, I note that my office is currently developing revised resources for private sector health service providers in relation to their obligations under the Privacy Act and the Australian Privacy Principles. The topics for those resources are likely to include:

  • collecting, using and disclosing health information to provide a health service
  • handling health information for health research, and for the management, funding or monitoring of a health service
  • using and disclosing genetic information
  • providing access to health information
  • correcting health information
  • change in business circumstances of a health service

Once draft resources are prepared, we intend to conduct a targeted consultation (including with the NSW Information and Privacy Commission) in the first half of next year, followed by a public consultation.

Please let me know if you’d like staff to meet with your officers and we will make ourselves available.
