Health Privacy Principles (HPPs) explained for members of the public

Read the document below or download it here Fact sheet - Health Privacy Principles for the public, updated April 2023

The 15 Health Privacy Principles (HPPs) are the key to the Health Records and Information Privacy Act 2002 (HRIP Act).

These are legal obligations which organisations, defined to include NSW public sector agencies and private sector organisations, must abide by when they collect, hold, use and disclose a person’s health information.

As exemptions may apply in certain circumstances, it is suggested that you contact the Privacy Contact Officer or the Health Information Manager in the organisation in the first instance. You can also contact the Information and Privacy Commission NSW (IPC) for further advice.

Collection
  1. Lawful

An organisation can only collect your health information for a lawful purpose. It must also be directly related to the organisation’s activities and necessary for that purpose. An organisation should not collect health information by any unlawful means.

  1. Relevant

An organisation must ensure that your health information is relevant, accurate, complete, up to date and not excessive. The collection should not unreasonably intrude into your personal affairs.

  1. Direct

An agency or organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.

  1. Open

An organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information, and any consequences if you decide not to provide it.

Storage
  1. Secure

An organisation must ensure that health information is stored securely, not kept any longer than necessary,  retained, and disposed of appropriately. Security safeguards should be in place so that health information is protected against loss, unauthorised access, use, modification, disclosure or any other misuse.

Access and accuracy
  1. Transparent

An organisation must provide you with details regarding the health information they are storing, why they are storing it and what rights you have to access it.

  1. Accessible

An organisation must allow you to access your health information without unreasonable delay or expense.

  1. Amendment

An organisation must allow a person to update, correct, delete, add or amend their personal information where necessary. This will ensure that your health information is accurate, is being collected or used for its directly related purpose, and is relevant, complete and not misleading.

  1. Accurate

An organisation must ensure that the health information is relevant, up to date, accurate, complete, and not misleading before being used.

Use
  1. Limited

An agency or organisation can only use your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise separate consent is required.

Disclosure
  1. Limited

An organisation can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exceptions in HPP 11 applies). Otherwise separate consent is required.

Identifiers and anonymity
  1. Not identified

An organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.

  1. Anonymous

An organisation must give you the opportunity of receiving services from them anonymously, where this is lawful and practicable.

Transferrals and linkage
  1. Controlled

An orgnisation can only transfer health information outside New South Wales in accordance with HPP 14.

  1. Authorised

An organisation can only use health records linkage systems if you have expressly consented to this information being included (this includes the disclosure of an identifier).

For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au

How easy did you find it to understand this resource?
Have you used the information in this resource to assist you?