Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Privacy Act & codes


When a health agency collects health information from the person the information is about, it has to take reasonable steps to make sure that person knows things like:

  • why it is being collected
  • who will get the information
  • whether the person has to give the information or whether this is voluntary
  • what will happen if the information isn’t provided.

Sometimes there are good reasons for not letting a person know about the collection, for example, if it would undermine the purpose of the collection, or it’s just not possible to tell the person.

Full rule

(1) Where a health agency collects health information directly from the individual concerned, or from the individual’s representative, the health agency must take such steps as are, in the circumstances, reasonable to ensure that the individual concerned (and the representative if collection is from the representative) is aware of:

(a) the fact that the information is being collected;

(b) the purpose for which the information is being collected;

(c) the intended recipients of the information;

(d) the name and address of:

(i) the health agency that is collecting the information; and

(ii) the agency that will hold the information;

(e) whether or not the supply of the information is voluntary or mandatory and if mandatory the particular law under which it is required;

(f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and

(g) the rights of access to, and correction of, health information provided by rules 6 and 7.

(2) The steps referred to in subrule (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after it is collected.

(3) A health agency is not required to take the steps referred to in subrule (1) in relation to the collection of information from an individual, or the individual’s representative, if that agency has taken those steps in relation to the collection, from that individual or that representative, of the same information or information of the same kind for the same or a related purpose, on a recent previous occasion.

(4) It is not necessary for a health agency to comply with subrule (1) if the agency believes on reasonable grounds:

(a) […]

Note: Subrule 3(4)(a) was revoked by Amendment No 4.

(b) that compliance would:

(i) prejudice the interests of the individual concerned; or

(ii) prejudice the purposes of collection;

(c) that compliance is not reasonably practicable in the circumstances of the particular case; or

(d) that non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences.

Note: An action is not in breach of this rule if it is authorised or required by or under law: Privacy Act, section 7(4).