Requirements for Information Communication (2007 Edition)

Openness and access

Page last updated: 14 January 2008


In accordance with privacy legislation, the laboratory must have a privacy policy that includes information on:
(a) management of health information
(b) the steps that an individual must take in order to obtain access to their health information.
This policy document must be made available to anyone who asks for it.


The laboratory’s privacy policy should include:
(a) the privacy legislation that the laboratory is bound by
(b) any exemptions that apply to the laboratory under the relevant legislation
(c) a statement explaining that an individual can obtain more information, upon request, about the way the laboratory manages personal information
(d) the reasons certain types of information are collected
(e) any routine procedures for collecting, holding and disclosing information, including services that are outsourced
(f) any laws that require the laboratory to disclose information to other organisations (e.g. notifiable diseases)
(g) information on how to handle requests for access to information
(h) the process for dealing with complaints about breaches of privacy
(i) the laboratory’s contact details.
Depending upon the size of the laboratory or laboratory network, it is recommended that the organisation appoint a designated privacy officer.


On request by an individual, the laboratory must take reasonable steps to let that individual know whether health information is held relating to them, and to let the individual know in general terms:
(a) the nature of the information
(b) how the laboratory collects, holds, uses and discloses the information.
If the laboratory holds health information about an individual, it must provide the individual with access to their own health information upon request. In certain circumstances access may be denied. A laboratory must provide reasons in writing to an individual for denying them access to their health information.


Within the laboratory’s privacy policy, it is recommended that laboratories should have an escalation procedure to deal with requests for health information. In most circumstances, it would be preferable that individuals obtain their records through their requesting medical practitioner.
Access to health information may be denied to an individual if:
(a) providing access would pose a threat to the life or health of any person
(b) providing access would have an unreasonable impact on the privacy of other individuals
(c) the information relates to existing or anticipated legal proceedings between the laboratory and the individual, and the information would not be accessible during those proceedings
(d) the information is otherwise subject to legal professional privilege
(e) providing access would reveal the intentions of the organisation in relation to negotiations (other than about the provision of a health service) with the individual, exposing the organisation unreasonably to disadvantage
(f) providing access would be unlawful
(g) denying access is required or authorised by or under law
(h) providing access would be likely to prejudice an investigation of possible unlawful activity
(i) providing access would be likely to prejudice a law enforcement function performed by, or on behalf of a law enforcement agency
(j) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or
(k) the individual has been able to access his or her health information and is making unreasonable and repeated requests for the same information in the same form.
None of the circumstances listed above compel a laboratory to refuse to provide an individual with access to his or her health information.