Fact sheet - Health Privacy Principles for the public
The 15 Health Privacy Principles (HPPs) are the key to the Health Records and Information Privacy Act 2002 (HRIP Act).
These are legal obligations which NSW public sector agencies and private sector organisations must abide by when they collect, hold, use and disclose a person’s health information. Exemptions may apply, so it is suggested that you contact the Privacy Contact Officer or the Health Information Manager in the organisation or agency in the first instance, or contact the Information and Privacy Commission NSW (IPC) for further advice.
An agency or organisation can only collect your health information for a lawful purpose. It must also be directly related to the agency or organisation’s activities and necessary for that purpose.
An agency or organisation must ensure that your health information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.
An agency or organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.
An agency or organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information, and any consequences if you decide not to provide it.
An agency or organisation must store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
An agency or organisation must provide you with details regarding the health information they are storing, why they are storing it and what rights you have to access it.
An agency or organisation must allow you to access your health information without unreasonable delay or expense.
Allows a person to update, correct or amend their personal information where necessary.
Ensures that the health information is relevant and accurate before being used.
An agency or organisation can only use your health information for the purpose for which it was collected, or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise separate consent is required.
An agency or organisation can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 11 applies). Otherwise separate consent is required.
Identifiers and anonymity
12. Not identified
An agency or organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
Give the person the option of receiving services from you anonymously, where this is lawful and practicable.
Transferrals and linkage
Only transfer health information outside New South Wales in accordance with HPP 14.
Only use health records linkage systems if the person has provided or expressed their consent.
For more information
Contact the Information and Privacy Commission NSW (IPC):