Key messages
- Personal information may only be collected, disclosed and retained for performance of functions.
- Reasonable steps must be taken to ensure information is up to date and protected.
These rights and privacy principles come from two Victorian Acts: the Health Records Act 2001 and the Privacy and Data Protection Act 2014.
This material is intended for quick reference only. The full principles are set out in the Acts.
Collection
Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to their personal information.
Use and disclosure
Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.
Otherwise, you generally need consent.
Data quality
Make sure personal information is accurate, complete and up to date.
Data security and retention
Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
Openness
Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.
Access and correction
Individuals have a right to access their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.
Identifiers
Only assign a number to identify a person if this is reasonably necessary to carry out your functions efficiently. Sharing of unique identifiers must be limited, as they can facilitate data matching and diminish privacy.
Anonymity
Give individuals the option of not identifying themselves when entering transactions with organisations if it is lawful and feasible.
Transborder data flows
Only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to Victoria’s. If a person’s personal information travels, their privacy protection should travel with it.
Transfer/closure of a health service practice
If you are a health service provider, and your business or practice is being sold, transferred or closed down, without you continuing to provide services, you must give notice of the transfer or closure to past service users.
Sensitive information
The law restricts collection of sensitive information like an individual's racial or ethnic origin, political views, religious beliefs, sexual preferences, membership of groups or criminal record.
Making information available to another health service provider
If you are a health service provider, you must make health information relating to an individual available to another health service provider if requested by the individual.
Reviewed 01 November 2022