Information Sharing for Victorian ‘Authorised Hub Entities’

Children Legislation Amendment (Information Sharing) Act 2018 No.11 (Vic)

Certain provisions of the Children Legislation Amendment (Information Sharing) Act 2018 No.11 (Vic) (the Amending Act) amended the Health Records Act 2001 (Vic) (the HR Act) and the Privacy and Data Protection Act 2014 (Vic) (the PDP Act) on 11 April 2018.

By way of overview, the Amending Act has amended the HR Act and the PDP Act to provide exceptions to the collection of information requirements contained in those Acts. These changes are discussed in more detail below.

New exception to the collection of information requirements in the HR Act

Organisations which are required to comply with the HR Act will be familiar with the Health Privacy Principles (HPP’s) contained in Schedule 1 of that Act.

Most notably, HPP 1.3 provides that if it is reasonable and practicable to do so, an organisation must collect health information about an individual only from that individual.

In addition, HPP 1.4 provides that at or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects health information about an individual from the individual, the organisation must take steps that are reasonable in the circumstances to ensure that the individual is generally aware of:

  • the identity of the organisation and how to contact it; and
  • the fact that he or she is able to gain access to the information; and
  • the purposes for which the information is collected; and
  • to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
  • any law that requires the particular information to be collected;
  • and the main consequences (if any) for the individual if all or part of the information is not provided.

Furthermore, HPP 1.5 provides that if an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence.

Organisations should be aware that the Amending Act has amended section 14B of the HR Act to provide that nothing in HPP’s 1.3, 1.4 or 1.5 applies to the collection of health information by an authorised Hub entity for the purposes of Part 5B of the Family Violence Protection Act 2008 (Vic) (the FVP Act). An authorised Hub entity is defined in the FVP Act:

  • as a person or body declared under section 144SC of the FVP Act to be an authorised Hub entity,
  • the Department of Health and Human Services,
  • Family Safety Victoria,

and includes an officer, employee or contracted service provider of such an entity.

If your organisation is required to comply with the HR Act and operates as a authorised Hub entity, your organisation should update its confidentiality and privacy policies to reflect that it is not necessary to comply with HPP’s 1.3, 1.4 or 1.5 when collecting health information for the purposes of Part 5B of the FVP Act, (as set out in the VIC – Health Privacy Principles module).

 

New exception to the collection of information requirements in the PDP Act

Organisations which are required to comply with the PDP Act will be familiar with the Information Privacy Principles (IPP’s) contained in Schedule 1 of that Act.

Most notably IPP 1.3 provides that at or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

  • the identity of the organisation and how to contact it; and
  • the fact that the individual is able to gain access to the information; and
  • the purposes for which the information is collected; and
  • to whom (or the types of individuals or organisations to which) the organization usually discloses information of that kind; and
  • any law that requires the particular information to be collected; and
  • the main consequences (if any) for the individual if all or part of the information is not provided.

In addition, IPP 1.4 provides that if is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

Moreover, IPP 1.5 provides that if an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in IPP 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

Organisations which are required to comply with the IPP’s in the PDP Act should be aware that the Amending Act has introduced section 15A(1A) to that Act which provides that nothing in IPP 1.3, 1.4 or 1.5, or any applicable code of practice modifying the application of IPP 1.3, 1.4 or 1.5 or prescribing how IPP 1.3, 1.4 or 1.5 is to be applied or complied with, applies to the collection of personal information by an authorised Hub entity for the purposes of Part 5B of the FVP Act.

If your organisation is required to comply with the IPP’s in the PDP Act and is an authorised Hub entity, your organisation should update its confidentiality and privacy policies to reflect that it is not necessary to comply with IPP’s 1.3, 1.4 or 1.5 when collecting personal information for the purposes of Part 5B of the FVP Act, (as set out in the VIC – Information Privacy Principles module).

Share this post

Ready to get in touch?