Last updated 16 August 2016

Personal and sensitive health information collected by a hospital, health service or a health practitioner is also protected by both state and Commonwealth privacy legislation. The Information Privacy Act 2009 (Qld) (Information Privacy Act) regulates how this information is handled by public hospitals and health services in Queensland. Similar protection is provided to personal information about an individual collected by private sector health providers such as private hospitals, general practitioners and medical centres under the Privacy Act 1988 (Cth) (Commonwealth Privacy Act). Both Acts set out requirements in relation to the collection, storage, use and disclosure of personal and sensitive information by health agencies in the form of principles known as the National Privacy Principles (NPPs) and the Australian Privacy Principles (APPs) respectively. Under the NPPs, a health agency must:

  • not collect personal information unless it is necessary for its functions or activities (NPP 1(1)) and not collect sensitive information (which includes health information) unless consent is provided or another exception applies (NPP 9)
  • only use or disclose the collected personal information for the primary purpose for which it was collected (NPP 2(1)). Some exceptions to this general rule include where:
    • consent is provided
    • disclosure is necessary to prevent a serious and imminent threat to an individual’s life or a serious threat to public safety
    • another law requires or authorises the use or disclosure
  • take reasonable steps to make sure the information collected, used or disclosed is accurate, complete and up to date (NPP 3), and to make sure the information it holds is secure (NPP 4)
  • make sure there is a document which sets out the health agency’s policies on its management of personal information (NPP 5)
  • provide access to documents containing personal information when the individual to whom that information relates requests it (NPP 6).

The APPs that apply to organisations such as general practitioners’ practices and private hospitals impose similar obligations regarding collection, security, use and disclosure. For example, a person’s GP can only use or disclose the information they hold about the person for the purpose for which it was collected (i.e. the healthcare or treatment of the individual). The information can only be used or disclosed for other purposes in limited situations, including where the individual consents (APP 6.1, 6.2).