Requirements for Information Communication (2007 Edition)

Inter-jurisdictional data flows

Page last updated: 14 January 2008

Standard

S1.19
An organisation in one jurisdiction must not transfer health information about an individual to someone in another jurisdiction (other than the organisation or the individual), except in the following circumstances:
(a) the organisation reasonably believes that the recipient of the information is subject to similar privacy principles;
(b) the individual consents to the transfer;
(c) the transfer is necessary for the performance of a contract between the individual and the organisation;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party;
(e) the transfer is for the benefit of the individual, and it is impractical to obtain the individual’s consent to that transfer, and if it were practicable to obtain such consent, the individual would be likely to give it;
(f) the organisation has taken reasonable steps to ensure that the transferred information will not be used or disclosed inconsistently with National Privacy Principles;
(g) the transfer is authorised by any other law; or
(h) the organisation reasonably believes that the transfer is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health, safety or welfare, or a serious threat to public health or safety.