Disclosure to designated entity under order by judicial officer
(1) If an entity that is:
(a) an agency, or a State or Territory authority, within the meaning of the Privacy Act 1988 ; and
(b) not a court, tribunal or coroner;
(a designated entity ) presents to the System Operator an order made under this section, the System Operator must comply with the order.
(2) Except as mentioned in subsection (1) or in accordance with a law covered by subsection 65(3), a participant in the My Health Record system, or a healthcare recipient, cannot be required to disclose health information included in a healthcare recipient's My Health Record to a designated entity.
(3) This section does not authorise the System Operator to use or disclose healthcare recipient-only notes.
(4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.
Application for and making of order
(5) A designated entity may apply to any of the following judicial officers:
(a) a magistrate of a State or Territory;
(b) a judge who is eligible under subsection 69B(2);
for an order under this section in relation to the disclosure, to the entity, of health information included in a healthcare recipient's My Health Record.
(6) The judicial officer may make the order if:
(a) the designated entity satisfies the judicial officer, by information on oath or affirmation, that:
(i) the designated entity has powers or duties of the kind mentioned in subsection (7); and
(ii) if the designated entity has powers of the kind mentioned in paragraph (7)(a)--the designated entity has exercised or purported to exercise its power to require the System Operator to disclose information to which the order will relate; and
(iii) in all the circumstances, the particular disclosure of the particular information to the designated entity is reasonably necessary for the purposes of a thing done by, or on behalf of, the designated entity; and
(iv) there is no effective means for the designated entity to obtain the particular information, other than an order under this section; and
(b) the judicial officer is satisfied that, having regard to the matter mentioned in subparagraph (a)(iii) and the privacy of the healthcare recipient, the disclosure of the information would not, on balance, unreasonably interfere with the privacy of the healthcare recipient.
(7) A designated entity has powers or duties of the kind mentioned in this subsection if:
(a) the designated entity has power under a law of the Commonwealth or a State or Territory (other than a law covered by subsection 65(3)) to require persons to give information to the designated entity; or
(b) officers of the designated entity are, in the ordinary course of their duties, authorised to execute warrants to enter premises and seize things found, including documents.
(8) The judicial officer must not make the order unless the designated entity or some other person has given the judicial officer, either orally or by affidavit, such further information (if any) as the judicial officer requires concerning the grounds on which the order is being sought.
(9) The order must:
(a) identify the healthcare recipient; and
(b) specify the particular information to be disclosed; and
(c) authorise one or more officers of the designated entity (whether or not named in the order) to obtain the information from the System Operator and require the System Operator to disclose the information to the designated entity; and
(d) specify the day (not more than 6 months after the making of the order) on which the order ceases to have effect; and
(e) state the purpose for which the order is made.