2 NPP2 - Limits on use or disclosure of personal information
(1) A health agency must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(a) both of the following apply—
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the health agency to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety—
(i) it is impracticable for the health agency to seek the individual's consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the chief executive of the health department for the purposes of this subparagraph; and
(iii) for disclosure—the health agency reasonably believes that the entity receiving the health information will not disclose the health information or personal information derived from the health information; or
(d) the health agency reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual's life, health, safety or welfare or a serious threat to public health, safety or welfare; or
(e) the health agency has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(f) the use or disclosure is authorised or required by or under law; or
(g) the health agency reasonably believes that the use or disclosure is reasonably necessary for 1 or more of the following by or for an enforcement body—
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties or sanctions;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
1 It is not intended to deter a health agency from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.
2 Subsection (1) does not override any existing legal obligations not to disclose personal information (for example, Hospital and Health Boards Act 2011, section 142). Nothing in subsection (1) requires a health agency to disclose personal information. A health agency is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
3 A health agency is also subject to the requirements of chapter 2, part 3 if it transfers personal information to an entity outside Australia.
(2) If a health agency uses or discloses personal information under subsection (1)(g), it must include with the personal information a note of the use or disclosure.
(3) Despite subsection (1), if a health agency provides a health service to an individual, it may disclose health information about the individual to a person who is responsible for the individual if—
(a) the individual—
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically can not communicate consent to the disclosure; and
(b) a health professional providing the health service for the health agency is satisfied that either—
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(c) the disclosure is not contrary to any wish—
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the health professional is aware, or of which the health professional could reasonably be expected to be aware; and
(d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
(4) For subsection (3), a person is responsible for an individual if the person is—
(a) a parent of the individual; or
(b) a child or sibling of the individual who a health professional believes has capacity; or
(c) a spouse or de facto partner of the individual; or
(d) a relative of the individual and a member of the individual's household; or
(e) a guardian of the individual; or
(f) a person exercising a power under an enduring power of attorney made by the individual that is exercisable in relation to decisions about the individual's health; or
(g) a person who has sufficient personal interest in the health and welfare of the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
Subsection (3) does not override any law with respect to assisted and substituted decision-making, including, for example, the Guardianship and Administration Act 2000 and the Powers of Attorney Act 1998.
(5) Despite subsection (1), a health agency may use an individual's personal information that is not sensitive information for a commercial purpose involving the health agency's marketing of anything to the individual, but only if—
(a) it is impracticable for the health agency to seek the consent of the individual before the personal information is used for the purposes of the marketing; and
(b) the health agency will not charge the individual for giving effect to a request from the individual to the health agency that the individual not receive any marketing communications; and
(c) the individual has not made a request mentioned in paragraph (b); and
(d) in each marketing communication with the individual, the health agency will draw to the individual's attention, or prominently display a notice, that the individual may ask not to receive any further marketing communications; and
(e) each written marketing communication from the health agency to the individual, up to and including the communication that involves the use, will state the department's business address and telephone number and, if the communication with the individual is made by fax or other electronic means, a number or address at which the health agency can be directly contacted electronically.
(6) In this section—
child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.
enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cwlth).
parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.
relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.
sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.