Guiding Partnerships – The Funding Managers’ Guide
IPP 3: collecting information generally - An organisation must take steps to ensure the personal
information it collects is relevant, up-to-date and complete and not collected in an unreasonably
intrusive way.
IPP 4: storage and security - Personal information must be stored securely to prevent its loss or misuse.
IPPs 5 - 7: access and amendment - These principles require organisations to take steps to record the
type of personal information that they hold and to give individuals access to personal information about
them. Personal information can be amended or corrected if it is wrong.
IPPs 8 - 10: information use - These principles outline the rules about keeping accurate, complete and
up-to-date personal information; using information for a relevant purpose; and only using the
information for another purpose in special circumstances, such as with the individual's consent or for
some health and safety or law enforcement reasons.
IPP 11: disclosure - This principle sets out when an organisation may disclose personal information to
someone else, for example another organisation. This can only be done in special circumstances, such as
with the individual's consent or for some health and safety or law enforcement reasons.
Source: http://www.privacy.gov.au/law/act/ipp.
An example of one of these principles in practice is the use of consent forms. Many organisations use a
Consent to Exchange and Release Information form. This form provides for a number of parties to be
specified with whom the client’s private information can be exchanged, informs the client how the
information may be used and advises them that they can revoke consent at any time. Once the form is
completed, the client signs it. Consent may be received verbally and documented by staff, though written consent
is preferable.
Health Records (Privacy & Access) Act 1997
Due to the broad definition of a ‘health service’ in the Health Records (Privacy & Access) Act 1997 (the
Act), some community organisations in the ACT will be defined as ‘health service providers’ and will
therefore be obligated to comply with the Act. The definition of health service covers any activity to
assess, record, improve or maintain the physical, mental or emotional health of a consumer, and includes
a disability, palliative care or aged care service.
The Act provides 12 privacy principles and specifies how health records should be managed. It also gives
consumers of a health service a right to access information on their health records, subject to a number of
conditions and procedures.
Schedule 6, Item 5, of the standard Service Funding Agreement provides for requirements to be specified
relating to this legislation.
For example, this may apply to records held by an organisation funded to provide
disability support. Under the Act, clients have the right to access their ‘health records’. If a client
requested access to their records, the support service would be required to provide those records (in a
format compliant with the Act).
Health Directorate provides a guide titled Health Records (Privacy & Access) Act 1997 - Information for
record keepers, which can be accessed from
http://www.health.act.gov.au/c/health?a=sendfile&ft=p&fid=1285829449&sid
Human Rights Act 2004
The Human Rights Act 2004 (HRA) is a bill of rights that provides protections to individuals in a range of
areas. Compliance with the HRA is mandatory for public authorities in the ACT, which includes all
government Directorates and a limited number of community organisations that are considered to be
“functional public authorities” due to their being government funded and having functions that are
uniquely public in nature.