
The Health Privacy Principles

The Health Records Act has created new privacy rights that enable individuals to exercise greater control over how an organisation collects, uses and discloses health information that relates to them. The new Act has implemented eleven Health Privacy Principles (HPPs) to describe how health information is to be handled.

The purpose of this section is to provide a summary of the eleven Health Privacy Principles.

When referring to this section, please be aware that the HPPs are very similar to the IPPs. The requirements contained in the IPPs in relation to ‘sensitive information’ are comparable.

  1. Collection
  2. Use and Disclosure
  3. Data Quality
  4. Data Security and Data Retention
  5. Openness
  6. Access and Correction
  7. Unique Identifiers
  8. Anonymity
  9. Transborder Data Flows
  10. Transfer or closure of the practice of a health service provider
  11. Making information available to another health service provider

HPP 1 - Collection

Monash must only collect health information if it is necessary for our functions and activities and at least one of the following applies:

It is not acceptable for Monash to collect information simply because we would like to have it, or because it might be needed at some time in the future. Information is necessary only if there is legitimate justification for its collection.

The individual has consented

It is preferable to obtain written consent. In some circumstances, written consent is not practicable. Verbal or implied consent can be relied upon; however, if a dispute were to arise it would be more difficult to prove that we had obtained consent.

It is important to consider the elements of consent when obtaining consent:

  • individual must have capacity to consent
  • consent must be voluntary
  • consent must be informed
  • consent must be specific
  • consent must be current

The collection is required, authorised or permitted by law

The information is necessary to provide a health service and the individual is incapable of giving consent due to age, disability, mental disorder etc., and there is no authorised representative available to provide consent

The collection is for a secondary purpose directly related to the primary purpose and the individual would reasonably expect the organisation to collect the information for the secondary purpose

If in doubt about whether the collection falls within the secondary purpose obtain consent from the individual or seek advice from the Monash University Privacy Officer.

The organisation has reason to suspect that unlawful activity has been, or is being engaged in and collects the information as a necessary part of its investigation of the matter or in reporting its concerns to the relevant persons or authorities (and if it relates to a health service provider eg Community Services, it is not a breach of confidence)

‘Breach of confidence’ relates to the general law of confidence (including but not limited to the common law or in equity), which requires, amongst other things, that a duty of confidence exists under that law which is not, in the particular circumstances, outweighed by any countervailing public interest under that law.

Suspicion should be based on reasonable grounds and not on gossip or rumour. The activity should be unlawful, not just unethical or objectionable. The information should be confined in the early stages of investigation to only those individuals who must have access. The relevant persons or authorities should be those who need to have access to the information because they have relevant duties to perform.

The information is collected about a deceased or missing person, or a person involved in an accident who is unable to consent, and the health information is collected for the purposes of identifying the individual and contacting family members, unless this is against the expressed wishes of the individual before they died, went missing or became incapable of providing consent

The collection is necessary for research in the public interest and it is not practicable to seek the individual’s consent and is conducted in accordance with guidelines produced by the Health Services Commissioner

All research conducted by Monash University involving humans must receive ethics approval from the Standing Committee on Ethics in Research Involving Humans (SCERH). SCERH may approve projects which fall within the category of acceptable use and disclosure in accordance with the privacy laws.

Monash believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety and welfare or a serious threat to public health, public safety or public welfare and the information is collected in accordance with any guidelines produced by the Health Services Commissioner

By their nature, such circumstances may be unusual. But in general, the recipient would need to be appropriate police, emergency services or health authorities. The decision to rely on this exemption for using or disclosing information should only be made by senior staff.

The collection is by or on behalf of a law enforcement agency and the organisation reasonably believes that the collection is necessary for the law enforcement function and advice has been obtained from the Monash University Privacy Officer to confirm collection is in accordance with the laws.

The law relating to the collection of health information on behalf of a law enforcement agency (eg Victoria Police, Australian Federal Police) is complex and advice must be obtained from the Monash University Privacy Officer prior to collecting information.

The collection is necessary for the establishment, exercise or defence of a legal or equitable claim

Other limited circumstances which are very specific to health service providers and would not as a matter of course occur at Monash.

Monash must only collect health information by lawful and fair means and not in an unreasonably intrusive way.

To decide whether a collection is fair, lawful and not intrusive, consider the following:

  • are relevant laws complied with? eg surveillance must be conducted in accordance with the Surveillance Devices Act (Vic)
  • is the individual made aware of the collection? eg using cookie technology to track an individual’s use of the website without making this clear to them via a prominent privacy notice would not be fair
  • do we have an unfair advantage when collecting the information because of an unequal relationship? eg when collecting from children, non-English speaking people or traumatised individuals

At or before the time of collection, Monash must take reasonable steps to inform individuals of the following matters:

  • the identity of Monash and how to contact it;
  • the fact that he or she is able to gain access to the information;
  • the purposes for which the information is collected;
  • to whom, or the types of organisations to whom, Monash discloses information of this kind;
  • any law that requires the particular information to be collected; and
  • the main consequences (if any) for the individual if all or part of the information is not provided.

Monash University has created the following standard wording which complies with the above requirements. The wording can be amended depending on the circumstances for collection. It is recommended that this wording is included on all forms (paper and electronic) which collect health information. If you would like to make changes to this wording it is recommended that you obtain confirmation from the Monash University Privacy Officer that the amended wording meets the requirements of the privacy laws.

The information on this form is collected for the primary purpose of [insert primary purpose]. Other purposes of collection include [insert secondary purposes]. If you choose not to complete all the questions on this form, it may not be possible for [insert name eg. the Faculty] to [insert consequence]. Personal information may also be disclosed to [list any 3rd parties personal information is disclosed to (do not include Monash staff)]. You have a right to access personal information that Monash University holds about you, subject to any exceptions in relevant legislation. If you wish to seek access to your personal information or inquire about the handling of your personal information, please contact the University Privacy Officer at privacyofficer@adm.monash.edu.au.

If it is reasonable and practicable, Monash must collect health information about an individual only from the individual. However, if Monash collects health information about an individual from a third party, we must take reasonable steps to inform the individual of the matters outlined above, unless this would pose a serious threat to the life or health of any individual.

If you regularly collect information about individuals from a third party you may like to consider contractually binding the third party to provide the relevant notification in accordance with the privacy laws and indemnification if they fail to provide the notification. For advice on the necessary contractual clauses please contact the Monash University Privacy Officer or the Solicitor's Office.

‘Information given in confidence’ is a special category of information which applies to health service providers such as Community Services and some areas within the Faculty of Medicine, Nursing and Health Sciences. ‘Information given in confidence’ under the privacy laws is information about an individual which has been provided to the health service provider by someone other than the individual or another health service provider, with a request that the information is not communicated to the individual to whom it relates. If someone provides ‘information in confidence’, the health service provider must confirm that the information is to remain confidential, take reasonable steps to ensure its accuracy and take reasonable steps to record that the information is given in confidence and is to remain confidential.

HPP 2 - Use and Disclosure

Monash may only use or disclose health information about an individual for the primary purpose for which it was collected or a directly related purpose the individual would reasonably expect.

Determining how health information can subsequently be used, and to whom it can be disclosed, requires an understanding of the primary purpose for which the information was collected. If the requirements of IPP 1 have been met, the primary purpose should be clear and should have been communicated to the person at the time of collection.

Health information can also be used or disclosed for a secondary purpose if:

The individual has consented to the use or disclosure.

It is preferable to obtain written consent. In some circumstances, written consent is not practicable. Verbal or implied consent can be relied upon; however, if a dispute were to arise it would be more difficult to prove that we had obtained consent.

It is important to consider the elements of consent when obtaining consent:

  • individual must have capacity to consent
  • consent must be voluntary
  • consent must be informed
  • consent must be specific
  • consent must be current

The use or disclosure is required or authorised by or under law.

An example of use or disclosure required or authorised by or under law at Monash is the reporting of communicable diseases to the Department of Human Services. For advice about whether something is required or authorised by or under law please contact the Monash University Privacy Officer.

The use or disclosure by a health service provider is necessary to provide a health service and the individual is incapable of giving consent due to age, disability, mental disorder etc., and there is no authorised representative available to provide consent

The use or disclosure is necessary for research in the public interest when it will be published in a non-identifiable format and it is not practicable to seek the individual's consent and in the case of disclosure, Monash reasonably believes the recipient will not disclose the information.

All research conducted by Monash University involving humans must receive ethics approval from the Standing Committee on Ethics in Research Involving Humans (SCERH). SCERH may approve projects which fall within the category of acceptable use and disclosure in accordance with the privacy laws.

Monash believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety and welfare or a serious threat to public health, public safety or public welfare and is in accordance with guidelines issued by the Health Services Commissioner.

By their nature, such circumstances would be unusual and uncommon. In general, the recipient of the information would need to be appropriate police, emergency services or health authorities. The decision to rely on this exemption for using or disclosing information should only be made by senior staff.

Monash has reason to suspect that unlawful activity has been or is being engaged in and uses or discloses the health information to investigate the matter or to report concerns to relevant persons or authorities (and if it relates to a health service provider eg Community Services, it is not a breach of confidence)

'Breach of confidence' relates to the general law of confidence (including but not limited to the common law or in equity), which requires, amongst other things, that a duty of confidence exists under that law which is not, in the particular circumstances, outweighed by any countervailing public interest under that law.

Suspicion should be based on reasonable grounds and not on gossip or rumour. The activity should be unlawful, not just unethical or objectionable. The information should be confined in the early stages of investigation to only those individuals who must have access. The relevant persons or authorities should be those who need to have access to the information because they have relevant duties to perform.

A law enforcement agency has requested health information and authorisation has been obtained from the Monash University Privacy Officer to assist the law enforcement agency.

The law relating to use and disclosure of health information to a law enforcement agency (eg Victoria Police, Australian Federal Police) is complex and advice must be obtained from the Monash University Privacy Officer prior to releasing information.

Health information can be used or disclosed in other limited circumstances which are very specific to health service providers and would not as a matter of course occur at Monash.

TIP: If you are in doubt about whether you can use or disclose health information in accordance with Health Privacy Principle 2 obtain the consent of the individual for the use or disclosure of information or alternatively, contact the Monash University Privacy Officer for advice.

HPP 3 - Data Quality

Monash must take reasonable steps to make sure that health information it collects, uses or discloses is accurate, complete and up to date and relevant to its functions or activities.

The accuracy, completeness and currency of the information should be established at the time of collection, and reviewed when the information is used or re-used, and when it is disclosed to another organisation. Organisations do not have to monitor data quality when information is dormant. Health information collected and used for a particular purpose and then archived does not need to be constantly checked for accuracy.

It is important to identify the main risks associated with the use or disclosure of inaccurate, incomplete or out-of-date information. The degree to which any such measures might be considered a requirement of the reasonable steps which an organisation should take will depend on the risks involved to the individual. For example, a health service provider that provided a person with medication or advised a medical procedure without ensuring that the information it held about the individual was up to date would be likely to have breached the principle, because of the risks to the individual in the use of out-of-date information.

HPP 4 - Data Security and Data Retention

Monash must take reasonable steps to protect health information from:

  • misuse;
  • loss;
  • unauthorised access;
  • unauthorised modification; and
  • unauthorised disclosure.

In the case of a large organisation such as Monash, just because an individual provides health information to one part of Monash does not mean that they expect all parts of Monash to use this information. Health information must be protected from misuse, loss, unauthorised access, modification or disclosure both within Monash and by external parties.

There are a number of things that individual staff members can do to enhance compliance with this privacy principle which include:

  • locking offices when unattended
  • not leaving health information lying around
  • for open plan offices, staggering lunch breaks to ensure someone is always present in the office
  • storing sensitive or confidential health information in locked filing cabinets
  • changing passwords on computers regularly
  • activating a screen saver on computers

Monash must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed. (The health service providers which are a part of Monash University (eg Community Services) have additional obligations detailed below.)

Staff should comply with the Public Records Act when considering when information is no longer needed. When determining how long health information should be stored for please refer to the ‘Records Disposal Authority’ which is managed by Monash University Archives.

A health service provider can only delete information about an individual if:

  • the deletion is permitted by law
  • the health information was collected while the individual was a child, and the child has reached 25 years or
  • in any other case, more than 7 years have passed since the last occasion on which the health service was provided

If a health service provider deletes health information it must make a written note which details the name of the individual, the period it related to and the date it was deleted. A written note containing these details must also be made if a health service provider transfers health information to another organisation and does not continue to hold a record for that individual.

Health information must be destroyed securely when it is no longer needed. Examples of secure destruction include shredding, pulping or disintegration of paper files, fire, confidential disposal in accordance with any guidelines provided by Records & Archives, or contracting an authorised disposal company for secure disposal.

HPP 5 - Openness

Monash must set out in a document clearly expressed policies on its management of health information. The organisation must make the document available to anyone who asks for it.

Monash University has developed the Monash University Privacy Policy. It can also be obtained by contacting the Monash University Privacy Officer. Other areas within the university have separate privacy policies which deal more specifically with the collection of health information, eg the Community Services Privacy Policy.

On request by a person, Monash must take reasonable steps to let the person know generally, what sort of health information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

HPP 6 - Access and Correction

Individuals have the right to seek access to their personal information and make corrections. Monash will, on request, provide students and staff with access to information it holds about them and allow them to make corrections unless an exemption applies at law.

Monash University may, on request, provide staff and students with access to information it holds about them, unless there is an exception that applies under the Information Privacy Principles or Health Privacy Principles. To make an application for formal access to your personal information, please see the FOI information on the Monash Executive Services website and contact the Freedom of Information (FOI) Officer in writing.

Students may access their files in accordance with the Monash University Freedom of Information Policy. This policy states that if a student would like to access their student records they need to contact the Manager, Client Services, Student and Staff Services Division.

Individuals who want access to their medical records held by Monash University (eg Community Services) should be referred to their health care professional (eg doctor, counsellor).

Freedom of Information laws continue to apply. If access cannot be granted under either of the above policies, please contact the Monash University Privacy Officer or the Monash University Freedom of Information Officer (contact details below).

More information about Freedom of Information at Monash University is available from the University Secretariat website, or contact the Freedom of Information Officer by telephone (03) 9905 5137 or email foi@adm.monash.edu.au.

HPP 7 - Unique Identifiers

'Unique identifiers' are numbers or codes which are assigned to an individual to assist with identification. Examples of common unique identifiers used by Monash University are the student ID number and the staff ID number.

Monash must only assign unique identifiers if it is necessary for Monash to carry out any of its functions efficiently.

When thinking about creating a new type of unique identifier (other than the student/staff number), consider whether it is necessary, eg would it be sufficient to identify the individual by their name? In some sensitive or delicate situations unique identifiers may enhance privacy. In testing whether efficiency is established, efficiency must be assessed from the perspective of both Monash and those with whom it deals.

HPP 8 - Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into a transaction with Monash.

As a general rule, it is not lawful and practicable for individuals to remain anonymous when dealing with Monash. For example, it may not be possible to provide a complete health service to an individual without knowing who they are. Examples of situations where individuals can remain anonymous are the sale of products or services for cash, such as books or theatre tickets, or the making of general enquiries such as ‘What time are you open?’

HPP 9 - Transborder Data Flows

Monash may only transfer information about an individual to someone (other than the individual or Monash) who is outside of Victoria if:

Monash University South Africa and Monash University Malaysia are not considered to be transfers to Monash and therefore transfers to these overseas campuses must be treated in accordance with this principle. The Monash University centres located in Prato, Italy and London, United Kingdom are considered to be transfers to Monash and therefore do not have to be treated in accordance with this principle.

Monash reasonably believes the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of information that are substantially similar to the Health Privacy Principles.

Commonwealth government organisations, companies with an annual turnover of more than $3 million, some state government agencies (eg NSW) and a selection of other types of organisations in Australia have equivalent privacy laws. Therefore transfers to these types of organisations located outside of Victoria comply with this Transborder Data Flow principle.

Some countries have equivalent privacy laws in place (eg United Kingdom) and transfer can occur under this provision. However, many countries do not have equivalent privacy laws (eg no laws in Malaysia or South Africa) and a transfer must fall within one of the following categories in order to comply with this principle.

The individual consents to the transfer

When obtaining consent from the individual to transfer information to an organisation located outside Victoria, the individual must be made aware of whether the privacy protection will travel with the information, so that legitimate consent can be obtained.

The transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request

The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party

All of the following apply:

  • the transfer is for the benefit of the individual
  • it is impracticable to obtain the consent of the individual to that transfer
  • if it were practicable to obtain that consent, the individual would be likely to give it.

The organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles.

If a transfer of health information outside of Victoria does not fall within any of the above categories, then this last category (reasonable steps) can be complied with if the recipient of the information is asked to sign a contract which binds them to comply with the Health Privacy Principles. The standard privacy contract can be obtained from the Monash University Privacy Officer.

HPP 10 - Transfer or Closure of the Practice of a Health Service Provider

This principle sets out the procedure which must be followed if a health service provider is closed or sold. Advice can be provided from the Monash University Privacy Officer if Monash University intends to close a health service provider it operates.

HPP 11 - Making Information Available to Another Health Service Provider

If an individual requests a health service provider to make health information relating to the individual held by the provider available to another health service provider, or authorises another health service provider to request that the health service provider make information about the individual available to it, the health service provider who holds the information about the individual must provide copies or a summary of the health information to the other health service provider.

A health service provider must comply with the requirements of this principle as soon as practicable.