You are here


Survey Answer:

Yes. Some Australian States and Territories have health privacy laws (and Health Privacy Principles (HPPs)) that specifically apply to health information, and to health service providers. The relevant laws are:
• Health Records and Information Privacy Act 2002 (New South Wales);
• Health Records Act 2001 (Victoria); and
• Health Records (Privacy and Access) Act 1997 (Australian Capital Territory).
There are also mandatory Prudential Standards in Australia that apply to banks, general insurers, and superannuation funds. Although these standards do not specifically relate to IT security, they include general risk management and governance obligations that may encompass IT security matters. The relevant standards include:
• CPS 220 and SPS 220 (Risk Management);
• CPS 231 and SPS 231 (Outsourcing);
• CPS 232 and SPS 232 (Business Continuity Management); and
• CPS 510 and SPS 510 (Governance).
There are also voluntary standards that apply to particular industries in Australia. These standards are generally not legal instruments, and compliance with them is not required (but is common practice in some industries). Again, these standards may not specifically relate to IT security, but may include general risk management obligations that encompass IT security matters. Examples of voluntary industry standards include:
• the Australian Government National eHealth Security and Access Framework; and
• the Royal Australian College of General Practitioners’ Computer and Information Security Standards.

Provided By:
Phil Catania: Corrs Chambers Westgarth