Personal Information Protection Act 2004

Personal Information Protection Act 2004

An Act to regulate the collection, maintenance, use, correction and disclosure of personal information relating to individuals

Be it enacted by His Excellency the Governor of Tasmania, by and with the advice and consent of the Legislative Council and House of Assembly, in Parliament assembled, as follows:

PART 1 - Preliminary

1.   Short title

This Act may be cited as the Personal Information Protection Act 2004 .

2.   Commencement

This Act commences on a day to be proclaimed.

3.   Interpretation

In this Act –

basic personal information means the name, residential address, postal address, date of birth and gender of an individual;

complaint means a complaint made under Part 4 ;

employee information includes personal information about an individual who is, was or applies to be an employee relating to –

(a) the selection, employment, training, discipline or resignation of the individual; or

(b) the termination of the employment of the individual; or

(c) the terms and conditions of employment of the individual; or

(d) the performance or conduct of the individual in carrying out the duties or functions of employment; or

(e) the suitability of the individual for appointment or for employment held by the individual; or

(f) the hours of employment of the individual; or

(g) the salary or wages of the individual; or

(h) the membership of the individual of a professional association, trade association or trade union; or

(i) the recreation leave, long service leave, sick leave, personal leave, maternity leave, paternity leave or other leave of the individual; or

(j) information that supports employment statistical reporting and personnel planning; or

(k) information in relation to employees as required by law;

employment includes appointment or engagement to an office or position;

health information means –

(a) personal information or opinion about –

(i) the physical, mental or psychological health at any time of an individual; or

(ii) a disability at any time of an individual; or

(iii) an individual's expressed wishes about the future provision of health services to him or her; or

(iv) a health service provided, or to be provided, to an individual; or

(b) other personal information collected to provide, or in providing, a health service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or

(d) genetic information about an individual that is or may be predictive of the health at any time of the individual or any of his or her descendants –

other than prescribed information, a prescribed class of information or information contained in a prescribed class of documents;

health service means an activity, other than a prescribed activity, performed in relation to an individual that is intended or claimed by the individual or the person performing it –

(a) to assess, maintain or improve the individual's health; or

(b) to diagnose the individual's illness, injury or disability; or

(c) to treat the individual's illness, injury or disability or suspected illness, injury or disability; or

(d) to dispense on prescription a drug or medical preparation; or

(e) to provide a disability service, palliative care service or aged care service; or

(f) to provide a prescribed service or a prescribed class of service in conjunction with any activity referred to in paragraph (a) , (b) , (c) , (d) or (e) ;

identifier means anything assigned by a personal information custodian to identify an individual for its operations, other than a name or ABN as defined in the A New Tax System (Australian Business Number) Act 1999 of the Commonwealth;

law enforcement agency means any of the following:

(a) a police force or police service of –

(i) the Commonwealth; or

(ii) this State; or

(iii) any other State or a Territory of the Commonwealth; or

(iv) any country;

(b) the Australian Crime Commission;

(c) a commission established or appointed under any Act of this State or any other State or a Territory of the Commonwealth or of the Commonwealth to investigate matters relating to criminal activity generally or of a specified class;

(d) a personal information custodian responsible for the performance of functions relating to –

(i) the prevention, detection, investigation or prosecution of criminal offences or other offences that impose a penalty or sanction; or

(ii) the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime or the enforcement of such a law;

(e) an agency established under the Public Service Act 1999 of the Commonwealth responsible for the performance of functions relating to –

(i) the prevention, detection, investigation or prosecution of criminal offences or other offences that impose a penalty or sanction; or

(ii) the management of property seized or restrained under a law relating to the confiscation of the proceeds of crime or the enforcement of such a law;

(f) a personal information custodian or an individual or body contracted by a personal information custodian responsible for the execution or implementation of an order, decision or determination of a court or tribunal;

(g) a personal information custodian –

(i) responsible for the issue of warrants; or

(ii) that provides correctional services; or

(iii) responsible for decisions relating to the release of persons from custody;

(h) a personal information custodian responsible for the protection of public revenue under any Act;

(i) a personal information custodian responsible for the administration or performance of a function under a law that imposes a penalty or sanction;

(j) the Attorney-General;

(k) the Solicitor-General appointed and holding office under the Solicitor-General Act 1983 ;

(l) the Director of Public Prosecutions appointed and holding office under the Director of Public Prosecutions Act 1973 ;

(m) the Ombudsman;

(ma) [Section 3 Amended by No. 42 of 2013, s. 52, Applied:01 Jan 2014] the Anti-Discrimination Commissioner appointed under the Anti-Discrimination Act 1998 ;

(n) a prescribed organisation;

[Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010] law enforcement information means information referred to in section 30 of the Right to Information Act 2009 ;

Ombudsman means the person appointed and holding office under the Ombudsman Act 1978 ;

personal information means any information or opinion in any recorded format about an individual –

(a) whose identity is apparent or is reasonably ascertainable from the information or opinion; and

(b) who is alive or has not been dead for more than 25 years;

personal information contract means a contract between a personal information custodian and another person (whether a personal information custodian or not) relating to the collection, use or storage of personal information;

[Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010]

[Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010] personal information custodian means any of the following:

(a) a public authority;

(b) any body, organisation or person who has entered into a personal information contract relating to personal information;

(c) a prescribed body;

personal information protection principles means the personal information protection principles referred to in section 16 ;

[Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010] public authority has the same meaning as in the Right to Information Act 2009 ;

public information means any personal information that is –

(a) contained in a publicly available record or publication; or

(b) taken to be public information under any Act;

record means a record in any format;

sensitive information means –

(a) personal information or an opinion relating to personal information about an individual's –

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix) criminal record; and

(b) [Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010] health information about an individual;

[Section 3 Amended by No. 71 of 2009, s. 5, Applied:15 Jul 2010] State Archivist has the same meaning as in the Archives Act 1983 .

3A.   Reference to personal information in Part 3A and Schedule 1

[Section 3A Inserted by No. 71 of 2009, s. 6, Applied:15 Jul 2010] In Part 3A and clause 6 of Schedule 1 , a reference to personal information of a person includes the personal information of a deceased person, and rights given by this Act in respect of the personal information of a person are, where the person is a deceased person, to be taken to be rights that may be exercised in respect of that personal information by the next-of-kin of that person.

3B.   Access to information of a medical or psychiatric nature

[Section 3B Inserted by No. 71 of 2009, s. 6, Applied:15 Jul 2010]

(1)  [Section 3B Subsection (1) amended by No. 3 of 2010, Sched. 1, Applied:15 Jul 2010] If –

(a) a request is made to a personal information custodian for access to information of a medical or psychiatric nature concerning the person making the request; and

(b) it appears to the personal information custodian that the provision to that person of access to the information might be prejudicial to the physical or mental health or wellbeing of that person –

the personal information custodian may direct that access to the information must not be provided to the person who made the request but must instead be provided to a medical practitioner nominated by that person.

(2)  [Section 3B Subsection (2) omitted by No. 3 of 2010, Sched. 1, Applied:15 Jul 2010] .  .  .  .  .  .  .  .  

4.   Relationship of Act to other laws

If a provision of this Act is inconsistent with a provision made by or under any other Act –

(a) that other provision prevails; and

(b) the provision of this Act has no effect to the extent of the inconsistency.

5.   Act binds Crown

(1)  This Act binds the Crown in right of Tasmania and, so far as the legislative power of Parliament permits, in all its other capacities.

(2)  The Crown in any of its capacities is not liable to be prosecuted for an offence under this Act.

PART 2 - Application and Exemptions

Division 1 - Application

6.   Application of personal information protection principles

(1)  Clauses 1 , 7 , 8 and 10 of Schedule 1 apply only in relation to information collected after the commencement of this Act.

(2)  Clauses 2 ,  3 , 4 , 5 , 6 and 9 of Schedule 1 apply in relation to information collected before or after the commencement of this Act.

Division 2 - Exemptions

7.   Courts and tribunals

The following are exempt from the provisions of this Act:

(a) a court or tribunal in the performance or exercise of judicial or quasi-judicial functions or powers;

(b) the holder of a judicial or quasi-judicial office or other office pertaining to a court or tribunal in the capacity of the holder of that office;

(c) the Solicitor-General appointed and holding office under the Solicitor-General Act 1983 ;

(d) any person employed in relation to the functions of the Solicitor-General;

(e) the Director of Public Prosecutions appointed and holding office under the Director of Public Prosecutions Act 1973 ;

(f) any person employed in relation to the functions of the Director of Public Prosecutions;

(g) the registry or other office of a court or tribunal in relation to any matter relating to the judicial or quasi-judicial functions of that court or tribunal;

(ga) [Section 7 Amended by No. 67 of 2009, s. 125, Applied:01 Oct 2010] the Integrity Commission;

(h) any person employed in such a registry or other office in relation to any such matter.

8.   Public information

This Act does not apply to public information.

9.   Law enforcement information

[Section 9 Amended by No. 37 of 2005, s. 4, Applied:05 Sep 2005] Clauses 1(3) , (4) and (5) , 2(1) , 5(3)(c) , 7 , 9 and 10(1) of Schedule 1 do not apply to any law enforcement information collected or held by a law enforcement agency if it considers that non-compliance is reasonably necessary –

(a) for the purpose of any of its functions or activities; or

(b) for the enforcement of laws relating to the confiscation of the proceeds of crime; or

(c) in connection with the conduct of proceedings in any court or tribunal.

10.   Employee information

Clauses 1(4) and (5) , 7 and 10 of Schedule 1 do not apply to any employee information.

11.   Unsolicited information

Clause 1 of Schedule 1 does not apply to unsolicited information received by a personal information custodian.

12.   Use of basic information

A personal information custodian may use or disclose personal information about an individual for a purpose other than the primary purpose of collection without the individual's consent if –

(a) [Section 12 Amended by No. 71 of 2009, s. 7, Applied:15 Jul 2010] it is a public authority; and

(b) the information is basic personal information; and

(c) the use or disclosure is reasonably necessary for the efficient storage and use of that information; and

(d) the information is only used by, or disclosed to, another public sector body.

12A.   Disclosure of information to Solicitor-General, &c.

[Section 12A Inserted by No. 29 of 2017, Sched. 1, Applied:05 Sep 2017] A personal information custodian may disclose to the following people personal information that is relevant for the purpose of obtaining legal advice:

(a) the Solicitor-General appointed and holding office under the Solicitor-General Act 1983 ;

(b) any person employed in relation to the functions or duties of the Solicitor-General;

(c) the Director of Public Prosecutions appointed and holding office under the Director of Public Prosecutions Act 1973 ;

(d) any person employed in relation to the functions or duties of the Director of Public Prosecutions;

(e) the Crown Solicitor for Tasmania appointed under the State Service Act 2000 ;

(f) any person employed in relation to the functions or duties of the Crown Solicitor.

13.   Application for exemptions

(1)  A personal information custodian may apply to the Minister for an exemption from compliance with any or all provisions of this Act.

(2)  An application is to –

(a) specify the provision or provisions to which the application relates; and

(b) specify the information or class or classes of information to which the application relates; and

(c) specify the personal information custodian or custodians or class or classes of personal information custodians to which the application applies; and

(d) specify the reasons for the exemption; and

(e) specify any public benefit involved; and

(f) specify any relevant law, code of practice or other instrument under which it proposes to operate; and

(g) include any other information the Minister determines.

14.   Determination of exemption

(1)  The Minister may determine to –

(a) approve an application if satisfied that the public benefit outweighs to a substantial degree the public benefit from compliance with the personal information protection principles; or

(b) refuse to approve the application if not so satisfied.

(2)  The Minister may approve an application subject to any conditions the Minister considers appropriate.

(3)  The Minister is to publish the determination and the details of the application in the Gazette.

15.   Revocation of exemption

(1)  The Minister may revoke a determination to approve an application for an exemption –

(a) if satisfied that –

(i) the reasons for granting that exemption no longer apply; or

(ii) section 14(1)(a) no longer applies; or

(b) at the request of the applicant.

(2)  The Minister is to publish the details of a revocation in the Gazette.

PART 3 - Personal Information protection principles

16.   Personal information protection principles

The personal information protection principles that apply in Tasmania are those specified in Schedule 1 .

17.   Compliance with personal information protection principles

(1)  A personal information custodian must comply with the personal information protection principles.

(2)  Subsection (1) does not apply to anything done by a personal information custodian before the second anniversary of the commencement of this Act that is necessary for the performance of a contract entered into by the personal information custodian before the commencement of this Act.

PART 3A - Amendment of Personal Information

17A.   Person may request amendment of information

[Section 17A Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If information of a person is held or used by a personal information custodian, the person can request the amendment of any part of that information if it is incorrect, incomplete, out of date or misleading.

17B.   Form of request for amendment of information

[Section 17B Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] A request under section 17A is to –

(a) be in writing and addressed to the personal information custodian; and

(b) specify an address to which a notice under section 17F is to be sent; and

(c) give particulars of the information the person believes is incomplete, incorrect, out of date or misleading; and

(d) specify the amendments that the person wants made to that information.

17C.   Personal information custodian may amend information

[Section 17C Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If, following receipt of a request made under section 17A , a personal information custodian decides to amend information, the personal information custodian may make the amendment by –

(a) altering the information; or

(b) adding an appropriate notation to it.

17D.   Notation to be added

[Section 17D Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If a personal information custodian amends information by adding a notation to it, the notation must –

(a) specify the way in which the information is incomplete, incorrect, out of date or misleading; and

(b) if the information is claimed to be out of date, set out the information required to bring it up to date.

17E.   Time within which personal information custodian must notify claimant

[Section 17E Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] A personal information custodian must take all reasonable steps to enable a person to be notified of a decision on a request made under section 17A as soon as practicable, but in any case not later than 20 working days after the request was received by or on behalf of the personal information custodian.

17F.   Reasons to be given

[Section 17F Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010]

(1)  If, in relation to a request made under section 17A , a decision is made not to amend the information in the way requested, the personal information custodian that received the request must give the applicant written notice of the decision.

(2)  Notice given under subsection (1) is to –

(a) state the reasons for the decision; and

(b) state the name and designation of the person who made the decision; and

(c) inform the applicant –

(i) of the applicant's right to make a complaint about the decision; and

(ii) that the Ombudsman is the authority to whom a complaint can be made; and

(iii) of the time within which the complaint must be made.

17G.   Requirement for notation

[Section 17G Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If a personal information custodian decides to refuse to amend information pursuant to a request made under section 17A , the person who made the request may, at any time, by written notice, require the personal information custodian to add to the information a notation –

(a) specifying the respects in which the information is claimed by the applicant to be incomplete, incorrect, out of date or misleading; and

(b) if the information is claimed to be out of date, setting out the information it is claimed is required to bring it up to date.

17H.   Notice to be added to information

[Section 17H Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If a notice is given to a personal information custodian under section 17G , the personal information custodian must ensure –

(a) that a notation as required by the notice is added to the information; and

(b) that, if the information to which the notation relates is disclosed to a person (including another personal information custodian), there is also furnished to that person a statement –

(i) stating that the person to whom the information relates claims that it is incomplete, incorrect, out of date or misleading, as the case may be; and

(ii) giving particulars of the notation; and

(iii) if the personal information custodian considers it appropriate to do so, giving the reasons why the personal information custodian did not amend the information.

17I.   How amendments to be made

[Section 17I Inserted by No. 71 of 2009, s. 8, Applied:15 Jul 2010] If a personal information custodian agrees to amend information in accordance with a request made under section 17A , the amendment may take the form of a notation of the original document but no amendment is to be made that –

(a) deletes or expunges the information which has been amended; or

(b) destroys the document –

unless the State Archivist agrees.

PART 4 - Complaints and Investigations

18.   Making of complaints

(1)  A person may make a complaint to the Ombudsman in relation to a matter referred to in subsection (2) if the person –

(a) has raised the matter with the relevant personal information custodian; and

(b) is not satisfied with the response from the personal information custodian.

(2)  A complaint may be made by a person in relation to the alleged contravention by a personal information custodian of a personal information protection principle that applies to the person.

(3)  A complaint may be in writing or verbal, but the Ombudsman may require a verbal complaint to be put in writing.

(4)  The Ombudsman may –

(a) require information about a complaint to be provided by the complainant in a particular manner or form; and

(b) require a complaint to be verified by statutory declaration.

(5)  [Section 18 Subsection (5) amended by No. 71 of 2009, s. 9, Applied:15 Jul 2010] A complaint, other than a complaint about a decision to refuse a request to amend personal information made in accordance with Part 3A , must be made within 6 months or any further period the Ombudsman may allow from the time the complainant first became aware of the matter which is the subject of the complaint.

(5A)  [Section 18 Subsection (5A) inserted by No. 71 of 2009, s. 9, Applied:15 Jul 2010] A complaint about a decision to refuse a request to amend personal information made in accordance with Part 3A must be made within 20 working days of the date on which the notice of the decision is given under section 17F(1) .

(6)  A complainant may amend or withdraw a complaint.

19.   Preliminary assessment of complaints

(1)  The Ombudsman may conduct a preliminary assessment of a complaint for the purpose of deciding whether to deal with the complaint.

(1A)  [Section 19 Subsection (1A) inserted by No. 29 of 2017, Sched. 1, Applied:05 Sep 2017] If the Ombudsman has conducted a preliminary assessment under subsection (1) , the Ombudsman may resolve the complaint without investigating it if, having regard to the nature and seriousness of the complaint, the Ombudsman believes the complaint may be resolved expeditiously.

(2)  The Ombudsman may decide not to deal with a complaint if satisfied that –

(a) the complaint is frivolous, vexatious, lacking in substance or is not in good faith; or

(b) the subject matter of the complaint is trivial; or

(c) the subject matter of the complaint relates to a matter permitted or required under any law.

(3)  If the Ombudsman declines to deal with a complaint, the Ombudsman is to advise the complainant of the reasons for so declining.

20.   Referral to other authorities

(1)  [Section 20 Subsection (1) amended by No. 1 of 2016, Sched. 1, Applied:08 Apr 2016] The Ombudsman may refer a complaint for investigation or other action to any person, body or authority the Ombudsman considers appropriate in the circumstances.

(2)  The Ombudsman may only refer a complaint –

(a) after appropriate consultation with the complainant and the relevant person, body or authority; and

(b) after taking their views into consideration.

(3)  [Section 20 Subsection (3) omitted by No. 1 of 2016, Sched. 1, Applied:08 Apr 2016] .  .  .  .  .  .  .  .  

21.   Dealing with complaints

(1)  If the Ombudsman decides to deal with a complaint, the Ombudsman is to conduct any investigations in relation to the complaint in accordance with Division 3 of Part III of the Ombudsman Act 1978 .

(2)  The Ombudsman may conduct an investigation into any general issue or matter under this Act.

22.   Procedure on completion of investigation

(1)  If, on completion of an investigation of a complaint, the Ombudsman is of the opinion that a personal information custodian has contravened a personal information protection principle, the Ombudsman –

(a) is to advise the complainant and the personal information custodian in writing of that opinion and the reasons on which it is based; and

(b) may make any recommendations the Ombudsman considers appropriate in relation to the subject matter of the complaint.

(2)  The Ombudsman is to give the Minister a copy of the advice and any recommendations.

(3)  The Minister is to table the advice and any recommendations in both Houses of Parliament within 5 sitting days of its receipt.

PART 5 - Miscellaneous

23.   Regulations

The Governor may make regulations for the purpose of this Act.

24.   Administration of Act

Until provision is made in relation to this Act by order under section 4 of the Administrative Arrangements Act 1990  –

(a) the administration of this Act is assigned to the Minister for Justice and Industrial Relations; and

(b) the department responsible to that Minister in relation to the administration of this Act is the Department of Justice.

SCHEDULE 1 - Personal Information Protection Principles

Sections 6 , 9 , 10 , 11 and 16

1.   Collection

(1) A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities.

(2) A personal information custodian must collect personal information only by lawful means.

(3) Before collection, during collection or as soon as practicable after collection of personal information about an individual from the individual, the personal information custodian must take any reasonable steps necessary to ensure that the individual is aware of the following:

(a) its identity and how to contact it;

(b) the individual's right of access to the information;

(c) the purposes for which the information is collected;

(d) the intended recipients or class of recipients of the information;

(e) any law that requires the information to be collected;

(f) the main consequences for the individual if all or part of the information is not provided.

(4) If it is reasonable and practicable to do so, a personal information custodian must collect personal information about an individual only from that individual.

(5) If a personal information custodian collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is made aware of the matters referred to in subclause (3) unless doing so would pose a serious threat to the life, safety, health or welfare of any individual.

2.   Use and disclosure

(1) A personal information custodian must not use or disclose personal information about an individual for a purpose other than the purpose for which it was collected unless –

(a) both of the following apply:

(i) that purpose is related to the primary purpose and, if the personal information is sensitive information, that information is directly related to the primary purpose;

(ii) the individual would reasonably expect the personal information custodian to use or disclose the information for that purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the use or disclosure is necessary for research or the compilation or analysis of statistics in the public interest, other than for publication in a form that identifies any particular individual –

(i) it is impracticable for the personal information custodian to seek the individual's consent before the use or disclosure; or

(ii) the personal information custodian reasonably believes that the recipient of the information is not likely to disclose the information; or

(d) the personal information custodian reasonably believes that the use or disclosure is necessary to lessen or prevent –

(i) a serious threat to an individual's life, health, safety or welfare; or

(ii) a serious threat to public health or public safety; or

(e) the personal information custodian has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(f) the use or disclosure is required or authorised by or under law; or

(g) the personal information custodian reasonably believes that the use or disclosure is reasonably necessary for any of the following purposes by or on behalf of a law enforcement agency:

(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;

(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) the protection of the public revenue;

(iv) the prevention, detection, investigation or remedying of conduct that is in the opinion of the personal information custodian seriously improper conduct;

(v) the preparation for, or conduct of, proceedings before any court or tribunal or implementation of any order of a court or tribunal;

(vi) the investigation of missing persons;

(vii) the investigation of a matter under the Coroners Act 1995 ; or

(h) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested the personal information custodian to disclose the personal information and –

(i) the disclosure is made to an officer or employee of ASIO or ASIS appropriately authorised in writing to receive the disclosure; and

(ii) an officer or employee of ASIO or ASIS so authorised certifies that the disclosure is connected with the performance by ASIO or ASIS of its functions; or

(i) the personal information is to be used as employee information in relation to –

(i) the suitability of the individual for appointment; or

(ii) the suitability of the individual for employment held by the individual; or

(j) the personal information is employee information which is being transferred from one personal information custodian to another personal information custodian for use as employee information relating to the individual; or

(k) subclause (4) or section 12 applies.

(2) If a personal information custodian uses or discloses personal information under subclause (1)(g) , it must make a written note of the use or disclosure.

(3) Subclause (1) applies to personal information collected by a personal information custodian that is a body corporate from a related body corporate as if the primary purpose of that collection were the primary purpose for which the related body corporate collected the information.

(4) A personal information custodian that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if –

(a) the individual is –

(i) physically or legally incapable of giving consent to the disclosure; or

(ii) physically unable to communicate consent to the disclosure; and

(b) the natural person providing the health service for the personal information custodian is satisfied that the disclosure –

(i) is necessary to provide appropriate care or treatment of the individual; or

(ii) is made for compassionate reasons; and

(c) the disclosure is not contrary to any wish –

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the natural person is aware, or of which he or she could reasonably be expected to be aware; and

(d) the disclosure is limited to the extent reasonable and necessary for the purpose mentioned in paragraph (b) .

(5) A person is responsible for an individual if the person –

(a) is a parent of the individual; or

(b) is a child or sibling of the individual and at least 18 years of age; or

(c) is a spouse of the individual; or

(d) is in a personal relationship, within the meaning of the Relationships Act 2003 , with the individual; or

(e) is a relative of the individual, at least 18 years of age and a member of the individual's household; or

(f) is a guardian of the individual; or

(g) is exercising enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or

(h) is nominated by the individual to be contacted in case of emergency.

3.   Data quality

A personal information custodian must take reasonable steps to ensure that, having regard to the purpose for which the personal information is to be used, the personal information it collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to its functions or activities.

4.   Data security

(1) A personal information custodian must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure.

(2) A personal information custodian must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

(3) A personal information custodian, the records of which are subject to the Archives Act 1983 , must take the reasonable steps referred to in subclause (2) only with the approval of the State Archivist.

5.   Openness

(1) A personal information custodian must clearly set out in a document its policies on its management of personal information.

(2) A personal information custodian must make the document available to anyone who asks for it.

(3) On request by a person, a personal information custodian must take reasonable steps to advise the person, in general terms, of –

(a) the sort of personal information it holds; and

(b) the purposes for which it holds the information; and

(c) how it collects, holds, uses and discloses that information.

6.   Access and correction

(1) [Schedule 1 Amended by No. 71 of 2009, s. 10, Applied:15 Jul 2010] If a personal information custodian holds personal information about an individual, the personal information custodian –

(a) may provide that individual with access to his or her personal information on receipt of a written request from the individual for access to his or her personal information; or

(b) if the personal information custodian –

(i) notifies the individual of a decision to refuse a request under paragraph (a) ; or

(ii)  does not respond to a request under paragraph (a) within 20 working days –

the personal information custodian, on receipt of a further written request from the individual for access to his or her personal information, must provide the individual with access to his or her personal information as if –

(iii) the written request were an application for assessed disclosure of information under section 13 of the Right to Information Act 2009 ; and

(iv) the personal information custodian were subject to that Act; and

(v) a reference in that Act to a public authority or a Minister were a reference to a personal information custodian.

(2) [Schedule 1 Amended by No. 71 of 2009, s. 10, Applied:15 Jul 2010] An individual may request amendment of his or her personal information in accordance with Part 3A if that information is incorrect, incomplete, out of date or misleading.

7.   Unique identifiers

(1) A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently.

(2) A personal information custodian must not adopt as its own unique identifier of an individual a unique identifier that has been assigned to the individual by another personal information custodian unless –

(a) that adoption is necessary for it to carry out any of its functions efficiently; or

(b) it has obtained the consent of the individual to the use of the unique identifier; or

(c) it is a body, an organisation or an individual adopting the unique identifier created by a personal information custodian in the performance of its obligations to the personal information custodian under a personal information contract.

(3) A personal information custodian must not use or disclose a unique identifier assigned to an individual by another personal information custodian unless –

(a) the use or disclosure is necessary for it to fulfil its obligations to the other personal information custodian; or

(b) clause 2(1) applies.

(4) A personal information custodian must not require an individual to provide a unique identifier in order to obtain a service unless the provision –

(a) is required or authorised by law; or

(b) is in connection with the purpose, or a directly related purpose, for which the unique identifier was assigned.

8.   Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian.

9.   Disclosure of information outside Tasmania

A personal information custodian may disclose personal information about an individual to another person or other body who is outside Tasmania only if –

(a) the personal information custodian reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that has principles for fair handling of the information that are substantially similar to the personal information protection principles; or

(b) the individual consents to the disclosure; or

(c) the disclosure is necessary for –

(i) the performance of a contract between the individual and the personal information custodian; or

(ii) the conclusion or performance of a contract concluded in the interest of the individual between the personal information custodian and a third party; or

(d) the personal information custodian has taken reasonable steps to ensure that the information which it has disclosed is not to be held, used or disclosed by the recipient of the information inconsistently with the personal information protection principles; or

(e) the disclosure is authorised or required by any other law.

10.   Sensitive information

(1) A personal information custodian must not collect sensitive information about an individual unless –

(a) the individual has consented; or

(b) the collection is required or permitted by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual and the individual to whom the information relates –

(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or

(iii) [Schedule 1 Amended by No. 69 of 2013, Sched. 1, Applied:17 Feb 2014] is subject to a guardianship order under the Guardianship and Administration Act 1995 or an assessment order or treatment order under the Mental Health Act 2013 ; or

(d) the information is collected in the course of the activities of a non-profit personal information custodian that has only racial, ethnic, political, religious, philosophical, professional, trade or trade union aims and –

(i) the information relates solely to the members of that personal information custodian or to individuals who have regular contact with it in connection with its activities; and

(ii) at or before the time of collection, the personal information custodian undertakes to the individual to whom the information relates that it will not disclose the information without the individual's consent; or

(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim; or

(f) subclause (2) , (3) , (4) or (6) applies.

(2) A personal information custodian may collect sensitive information about an individual if –

(a) either of the following applies:

(i) the collection is necessary for research or the compilation or analysis of statistics in the public interest and any resulting publication does not identify the individual;

(ii) the information relates to an individual's racial or ethnic origin and is collected for the purpose of welfare or educational services funded by government; and

(b) there is no reasonably practicable alternative to collecting the information for a purpose referred to in paragraph (a) ; and

(c) it is impracticable for the personal information custodian to seek the individual's consent to the collection.

(3) A personal information custodian may collect sensitive information that is health information about an individual if –

(a) the information is necessary to provide a health service to the individual; and

(b) the information is collected –

(i) as required by law, other than this Act; or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.

(4) A personal information custodian may collect sensitive information that is health information about an individual if –

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and

(c) it is impracticable for the personal information custodian to seek the individual's consent to the collection; and

(d) the information is collected –

(i) as required by law, other than this Act; or

(ii) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the personal information custodian.

(5) If a personal information custodian collects sensitive information that is health information about an individual in accordance with subclause (4) , it must take reasonable steps to permanently de-identify the information before disclosing it.

(6) [Schedule 1 Amended by No. 37 of 2005, s. 5, Applied:05 Sep 2005] A personal information custodian may collect sensitive information that is health information from an individual about another person without the consent of that other person, or without complying with clause 1(5) , if both the following apply:

(a) the collection is necessary for the provision of any health service provided to the individual;

(b) the information is relevant to the social or family history of the individual.