(1) For the purposes
of this section, a person is engaged in connection with the operation of this
Act if the person is—
(a) an
officer or employee of the Department, or an attached office attached to the
Department, engaged in the administration of this Act; or
(ab) a
member of the governing board for an incorporated hospital; or
(b) a
person employed by an employing authority under this Act; or
(c) a
member of the staff of SAAS; or
(d) a
person otherwise engaged to work at an incorporated hospital or in connection
with the activities of SAAS.
(2) Subject to
subsection (3), a person engaged or formerly engaged in connection with
the operation of this Act must not disclose personal information relating to a
person obtained while so engaged except to the extent that he or she may be
authorised or required to disclose that information—
(a) by
the Chief Executive or his or her employer; or
(b) in
the case of information obtained while working at an incorporated hospital or
SAAS—by the hospital or SAAS (as the case requires).
Maximum penalty: $10 000.
(3)
Subsection (2) does not prevent a person from—
(a)
disclosing information as required or authorised by or under law; or
(b)
disclosing information at the request, or with the consent, of—
(i)
the person to whom the information relates; or
(ii)
a guardian of the person to whom the information relates;
or
(iii)
a medical agent of the person to whom the information
relates; or
(iv)
a substitute decision-maker for the person to whom the
information relates (within the meaning of the Advance Care Directives
Act 2013 ); or
(c)
disclosing information to a relative, carer or friend of the person to whom
the information relates if—
(i)
the disclosure is reasonably required for the treatment,
care or rehabilitation of the person; and
(ii)
there is no reason to believe that the disclosure would
be contrary to the person's best interests; or
(d)
subject to the regulations (if any)—
(i)
disclosing information to a health or other service
provider if the disclosure is reasonably required for the treatment, care or
rehabilitation of the person to whom the information relates; or
(ii)
disclosing information by entering the information into
an electronic records system established for the purpose of enabling the
recording or sharing of information between persons or bodies involved in the
provision of health services; or
(iii)
disclosing information to such extent as is reasonably
required in connection with the management or administration of the
Department, an attached office attached to the Department, a hospital or SAAS
(including for the purposes of charging for a service);
(e)
disclosing information if the disclosure is reasonably required to lessen or
prevent a serious threat to the life, health or safety of a person, or a
serious threat to public health or safety; or
(f)
disclosing information for medical or social research purposes if the research
methodology had been approved by an ethics committee and there is no reason to
believe that the disclosure would be contrary to the person's best interests;
or
(g)
disclosing information in accordance with the regulations.
(4)
Subsection (3)(c) does not authorise the disclosure of
personal information in contravention of a direction given by the person to
whom the information relates.
(5) Subsection (4)
does not apply to a person who is subject to an order under the
Mental Health Act 2009 .
(6) In this
section—
"personal information" means information or an opinion, whether true or not,
relating to a natural person or the affairs of a natural person whose identity
is apparent, or can reasonably be ascertained, from the information or
opinion.