HIPC Rule 3A: Notification requirements for indirect collection of health information


Source: Privacy Commissioner

IPP3A is about an agency’s obligations when it collects personal information indirectly (collecting from someone other than the person themselves).

Under IPP3A, if an agency collects someone’s personal information indirectly, they are required to notify them, unless one of the listed exceptions applies.

We have general guidance on the requirements of IPP3A and how agencies can meet their obligations.


How does this impact the Health Information Privacy Code (HIPC)?

The HIPC has been amended to include rule 3A. This reflects the IPP3A requirements from the Privacy Amendment Act 2025. Exceptions to new rule 3A have also been included and align to the existing rules 2 and 3 under the HIPC where relevant.

What are the requirements of Rule 3A?

Rule 3A does not apply to health information collected before 1 May 2026.

If a health agency collects health information about a person, which hasn’t come directly from that person or their representative, the health agency must take any steps that are, in the circumstances, reasonable (unless an exception applies) to make sure that the person concerned, or their representative, is aware of:

  • the fact that the information has been collected
  • the purpose of the collection
  • the intended recipients of the information
  • the name and address of the health agency that has collected the information and the health agency that is holding the information
  • if the collection is authorised or required by law, which particular law
  • their rights of access to, and correction of, health information provided by rules 6 and 7.

The collecting health agency is required to tell an individual (or their representative), as soon as reasonably practicable after the information has been collected, unless they’ve already taken the notification steps, or another agency has. 

What are the differences between the rule 3 and rule 3A requirements?

Rule 3 requires a health agency to explain the reason for collection (among other things) when they collect health information directly from someone. Rule 3A requires these things when a health agency collects health information indirectly.

It’s likely that a health agency could meet its rule 3A obligations in the same way it meets its rule 3 obligations, by using accessible privacy policies, statements, and notices.

It’s important that health agencies know what health information they collect directly from someone, and what health information they collect indirectly from someone else, and tailor their privacy policies, statements, and notices accordingly. Health agencies will also need to think about how they draw attention to these statements when they collect health information indirectly as they may not have a direct line of communication with the person.

As with rule 3, there are a number of exceptions to the notification requirement in rule 3A. These are explained in the ‘what are the exceptions?’ section of this guidance.

What are ‘reasonable steps’?

The reasonable steps for a health agency to take to ensure that an individual, or their representative, is aware of the rule 3A matters, will depend on its own specific circumstances. Some factors that may impact what is reasonable are:

  • Whether the collection is routine and expected (for example, blood test results being sent to the patient’s GP), or whether it’s an atypical or one-off collection.
  • The sensitivity of the health information collected. Health agencies may need to give a full notification including all the rule 3A matters directly to the individual when particularly intimate or sensitive information is collected, or where the agency plans to use the information in an unexpected way.
  • Possible negative impacts to the person because of the collection. If the risk of negative impacts is high, more rigorous steps may be required.
  • Any specific needs of the person. In some circumstances there may be a legal obligation to provide an interpreter when explaining things to a person who, for instance, doesn’t understand spoken English or who has accessibility needs. For example, see Right 5 under the Code of Health and Disability Services Consumers’ Rights (right to effective communication).
  • The practicality, including time, cost, and the volume of health information involved. 

As long as the information is communicated clearly, an agency can notify or make someone aware of the rule 3A matters using a variety of formats. Types of notification could include:

  • an update to privacy statements and notices (such as on GP enrolment and pre-enrolment forms)
  • automatic notifications sent via a patient portal, if the patient opts in for this
  • posters displayed in the health agency’s premises
  • explanatory brochures
  • an oral explanation in appropriate language
  • an explanatory letter
  • an explanatory note on standard print or electronic forms used for capturing health information.

Layered privacy notices

Complex information flows can be difficult to communicate concisely and accurately, particularly in the limited time available in most clinical consultations. It may be helpful for health agencies to consider preparing a layered privacy notice, to help communicate effectively about how they handle health information. 

Layered notices can concisely summarise key information in the first ‘layer’, then provide more detailed information in the second layer. This accomplishes the goal of informing patients in general terms about the likely movements of their health information. For example, you may include brief privacy notices on forms or posters, supplemented by longer notices made available online or in brochures. 

The first layer can be thought of as the ‘highlights’ of the privacy notice. It should give an overview of how the agency handles health information, use clear and straightforward language, and provide the most important information first. Agencies may then link to more detailed information, either by a reference (e.g. “a copy of the full privacy policy is available on our website at…”) or by a direct web link.

The second layer is the full privacy policy, whether broken down by topics into selected units or listed in full. This format lends itself well to websites, but a similar approach is possible through linking of posters, brochures and detailed written policies.

Another example is to provide people with a full explanation initially, and then brief refreshers as people become more familiar with how that health agency handles personal information.

Repeat explanations

If people have regular interactions with a health agency (such as their GP), they will need a full explanation the first time information is collected but not necessarily on every subsequent occasion, as long as the information and the purposes for which it will be used remain the same. This is a requirement under rule 3 when collecting information directly from the individual, so it may be a good opportunity to also inform individuals of any health information your agency collects about them indirectly, and the other matters under rule 3A.

Whether further steps are required may depend on how recently an explanation was given, the importance or sensitivity of the information and the individual’s circumstances. Unless the agency collecting the information is reasonably sure that the individual is aware of rule 3A matters, the agency should notify the individual whenever new or additional information is collected. When statements are available that explain in a generic way why information is being collected, it may be enough to draw these to an individual’s attention on subsequent occasions.

Example – reasonable steps

A patient has asked their GP to email them every time the GP collects health information about them indirectly. The GP’s practice uses a patient portal, and has offered this option to the patient, but the patient has decided they don’t want to use it. Because of the extensive time constraints and practicality of having to email the patient every time the GP receives information about them indirectly, the GP decides that this is not a reasonable step in the circumstances. They instead decide that drawing the patient’s attention to their privacy statement, which includes the rule 3A notification information, is a reasonable step in the circumstances. The GP does this by emailing the patient a link to the relevant privacy statement.

Example – reasonable steps and layered privacy notices

A patient is enrolled with a GP and has an ongoing care relationship with the practice. When enrolling, the patient was provided with a link to the practice’s privacy statement and given a brochure containing information about the practice’s health information privacy practices. Following an unplanned hospital admission, the GP receives a discharge summary from the hospital outlining the admission, investigations, medications, and recommended follow-up. The GP did not collect this information directly from the patient, so it’s an indirect collection.

Rule 3A requires the GP to take reasonable steps to make sure the patient is aware of the collection and how the information will be used. The GP decides to refer to the discharge summary during the patient’s next consultation, explain how it informs follow-up care, and answer any questions. Alternatively, a brief patient portal message acknowledging receipt of the hospital information may be sufficient, depending on the nature of the discharge summary and when the GP will next see the patient. The patient portal message also includes a link to the GP’s privacy statement, which has been updated to reflect the rule 3A matters.

Timing of notification

What does ‘as soon as reasonably practicable after the information has been collected’ mean?

What counts as a reasonably practicable timeframe for notification will depend on the circumstances of the collection. If you decide it’s not practicable to notify an individual, or to make sure they are aware of the collection, shortly after it has taken place, then your agency needs to be able to justify that decision.

Agencies should be building options for providing notification or making people aware into their information collection processes and systems, for example by including relevant information in standard forms and online collection mechanisms.

Agencies may take into account any technical and resource considerations when deciding on a reasonable timeframe for notification. However, it’s an agency’s responsibility to be able to justify any delay in notification.

Documenting your rationale and decision-making will be important.

Example

A GP’s patient has had an unplanned hospital admission. Generally, after an unplanned hospital admission, the patient’s GP receives a discharge summary from the hospital outlining the admission, investigations, medications, and recommended follow-up. The GP doesn’t collect this information directly from the patient, so it’s an indirect collection.

Rule 3A requires the GP to take reasonable steps to make sure the patient is aware of the collection and how the information will be used, as soon as reasonably practicable after the information has been collected. The GP decides to wait until the patient’s next consultation to refer to the discharge summary from the hospital, explain how it informs follow-up care, and answer any questions. 

Notification requirements

Each of the matters you need to tell people about is listed below, followed by guidance or an example for it.

The fact that the health information has been collected.

Tell people you’re collecting their health information and specify the kind of health information you are collecting or have already collected.

The purpose of the collection.

Tell people why you’re collecting their health information.

Collecting health information for care and treatment and the related routine administrative aspects is usually clear and may require only brief explanation. 

A useful test is to consider whether there is a chance the person may be surprised at how you’re using their health information. The more likely it is that they could be surprised, the more detailed your explanation about the purpose should be.

The intended recipients of the health information.

Tell people who you will be sharing their health information with.

The individual will not always be aware of the intended recipients of the information, particularly where health information is sought for training, research and monitoring purposes, or to meet administrative or funder requirements.

If you know you will be sharing the health information, you should tell the individual who you’re sending it to. If you routinely share information with a particular health agency, group or person, they should be named, unless it would be impractical to do so. In that case, you may decide to describe the type, class or categories of health agencies you share information with instead.

If you decide to provide the categories of health agencies, the information should be as specific as possible by indicating the type of health agency (e.g. by reference to the activities it carries out), sub-sector and the location of the health agency.

The name and address of the health agency that has collected the information and the health agency that is holding the information.

Tell people who has collected their health information.

Individuals need this information so they can exercise their rights in relation to their own information.

If your health agency is collecting the health information indirectly and making the notification, then it will need to include your agency’s name and either address, email, or website in its notification.

For the avoidance of doubt, for the purposes of rule 3A, the ‘health agency that has collected the information’ and the ‘health agency that is holding the information’ is considered to be the same agency. That is, the agency collecting the information indirectly.

If the collection is authorised or required by law, which particular law.

Where health information is required under law, individuals must be made aware of which law authorises the collection. Health agencies should give enough detail to enable people to check their legal position if they wish.

Their right to access and correct their health information.

Tell people about their right to access the health information your agency holds about them, and their right to ask to correct it if they think it’s wrong.

These rights are set out in rules 6 and 7.

What are the exceptions?

You don’t need to take the notification steps if one of the exceptions to rule 3A listed below applies. The guidance and examples given under each exception are illustrative and are not the only situations where these exceptions may apply:

Individual has already been made aware

Exception may apply:

  • You know that the health agency you collected the information from has already told the person about all the matters.
  • You have previously collected similar information about the person from the same health agency, and you let them know all the information already, and the purpose of collection hasn’t changed. For example, a GP routinely receiving blood test results from a lab.

Exception would not apply:

  • You assume that the person would probably already know, but you don’t have any evidence to confirm that.

The health information is already publicly available

Exception may apply:

You are collecting health information from a publication such as a book, journal, newsletter or public register.

You are collecting health information from a website or public social media page.

Exception would not apply:

You are collecting health information from a source that requires you to have additional permission to view (such as being a friend or follower of a private social media account).

It would prejudice the interests of the individual concerned

Exception may apply:

  • If knowledge of the indirect collection may disrupt the process and compromise the care and treatment of the individual

Exception would not apply:

  • If making the individual aware of the indirect collection wouldn’t cause them to suffer detriment or compromise their care and treatment

It’s necessary to:

  • Avoid prejudice to the maintenance of the law by any public sector agency, including prejudice to the prevention, detection, investigation, prosecution, and punishment of offences.

Note: the exception may apply to health agencies that are not public sector agencies, but are participating in public sector agency processes, such as investigations or prosecutions.

Exception may apply:

  • A public sector agency is investigating an offence and needs to collect health information about a person from someone else to adequately investigate the offence, and the agency has followed all other relevant laws that apply to gathering evidence. It’s important to note that collection must still be allowed under rule 2, even when relying on this exception.

It’s necessary for:

  • The protection of public revenue

Exception may apply:

  • A public sector health agency has indirectly collected a person’s health information, as part of its steps to recover a debt in respect of a health treatment which has been provided, but the person involved was not eligible for public funding. Notifying the person concerned would make it significantly more difficult to pursue steps to recover the debt.

Exception would not apply:

  • Notifying the person concerned wouldn’t impact the health agency’s ability to recover the debt.

It’s necessary for:

  • The conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation).

Exception may apply:

  • A health agency is involved in the conduct of proceedings, which have been commenced or are reasonably in contemplation. As part of this process, the agency has collected individuals’ health information indirectly, and notifying the individuals concerned would be highly likely to impact the proceedings. For example, a health practitioner is under investigation for provision of health services or medication to a family member. Notifying the family member that their health information has been indirectly collected may lead them to destroy relevant evidence.

Exception would not apply:

  • A health agency is involved in an investigation, and has indirectly collected individuals’ health information as part of this, but the investigation has not yet reached the stage where proceedings have been commenced or are reasonably in contemplation.

Telling the individual would prejudice the purposes of the collection

Exception may apply:

  • You have collected individuals’ health information as part of an investigation into a health practitioner and notifying the people concerned would undermine the investigation.

Exception would not apply:

  • It is less practical for you to notify the people concerned, so you don’t want to.
  • You’re worried about losing or upsetting customers or patients, so you don’t want to notify them.

Telling the individual is not reasonably practicable in the circumstances

Exception may apply:

  • You don’t hold contact details for the relevant people.

Exception would not apply:

  • You have accurate contact details for the relevant people and a direct relationship with them but making them aware of the indirect collection would be time consuming.
  • There will be some cost associated with notifying all relevant people, but it’s not excessive.

It would cause a serious threat to public health or safety, or to the health and safety of another individual

Exception may apply:

  • You have collected health information about an individual from someone else, and notifying the individual concerned would make it clear who you have collected that information from, which may cause a serious threat to that person’s safety (e.g. a concerned friend, family member, or other individual).
  • Your agency has collected health information from another agency about someone who has a contagious disease. Your agency needs to take immediate action to contain the spread of the disease and determine that any delay caused by notifying the individual would cause a serious threat to public health or safety.

Exception would not apply:

  • You have collected health information from another agency about a person who has a contagious disease, but no immediate action is required. You have assessed the three factors (likelihood, severity, and time) and determined that any delay caused by notifying the individual concerned would not cause a serious threat to public health or safety.

Note: the contagious disease example is based on the generic example in the Amendment Act itself. However, an agency may decide that, in the specific circumstances, it is appropriate to rely on a delay to notification rather than using this exception to not notify at all.

Read more guidance on assessing a serious threat.

The health information won’t be used in a way that identifies the individual

Exception may apply:

  • You have removed any information that may identify the individual(s) before using it 

Exception would not apply:

  • You have removed someone’s name from their health information, but they can still be identified in other ways

Note: Sometimes agencies may collect de-identified health information that, when combined with other health information it holds about that person, could re-identify them. This exception can be relied upon if, at the point of collection, the agency has no intention to combine the collected information with other information to re-identify the individual.

Read more guidance on what makes a person identifiable.

The health information will be used for research (for which approval by an ethics committee, if required, has been given) or statistics, and publishing this will not identify the individual concerned

Exception may apply:

  • You’re using the health information as part of a research study and only aggregated information that doesn’t identify anyone will be published.

Exception would not apply:

  • The audience of the publication may have additional knowledge to help them identify an individual in the research.

The health information was collected for the purpose of assembling a family or genetic history of an individual from that individual

Exception may apply:

  • You’re taking a family history directly from an individual, which includes some health information about their parents.
  • Your patient has undergone a genetic test, which has returned a positive result, meaning that the individual’s relatives will also have that genetic condition and you have collected that information as part of the individual’s test result.

Exception would not apply:

  • You have collected someone else’s health information from an individual, and it wasn’t for the purpose of assembling their family or genetic history.

Rule 3A(3): Individual has already been made aware

An agency collecting health information indirectly doesn’t have to take the notification steps if the person has already been made aware of the rule 3A notification matters.

We have further guidance on this exception in our general IPP3A guidance.

Example

A patient is enrolled with a GP and is referred for a specialist outpatient assessment. The referral letter states that the patient has been informed of the referral and that relevant health information is being shared to support further assessment and management. The patient has also received a copy of the referral letter.

The specialist sends a detailed report back to the GP, which is then added to the patient’s clinical record. Although the GP has indirectly collected new health information by receiving the specialist’s report, they have reason to believe that the patient is already aware that information has been shared with and returned from the specialist, and this information has been collected for the purpose of ongoing care. In this circumstance, the GP doesn’t provide additional notification to the patient, because the patient is already aware of the indirect collection.

Rule 3A(4)(a): Compliance would prejudice the interests of the individual concerned

What does ‘would prejudice’ mean?

Generally, this means that the person concerned would suffer detriment if they were notified of the indirect collection of their health information. What may be considered detrimental will often depend on the person concerned. For example, an agency might not disclose the fact that information has been collected indirectly if knowledge of the fact may disrupt the process and compromise care and treatment, as long as the indirect collection was taking place for proper medical reasons. 

Example

One of Joe’s secondary care providers contacts Joe’s GP because they are concerned Joe has stopped taking medication they are required to take and also tells the GP they are concerned about Joe’s mental health and wellbeing. The GP assesses the situation and decides not to tell Joe that they have collected this information about them, as it may compromise Joe continuing with the treatment plan that the GP has developed with them. The GP makes sure to record this assessment and decision, along with the information collected from Joe’s secondary care provider. 

Example

A GP has an established treating relationship with a patient who is in the early stages of exploring possible family harm and safety issues. A social worker involved with the patient’s family contacts the GP to share concerns raised by another family member, providing contextual information intended to help the GP approach future consultations safely and appropriately. The information is shared confidentially, without the patient’s knowledge, and is not yet verified or ready to be discussed directly with the patient.

The GP records the information in the clinical notes, meaning the information has been indirectly collected. The GP considers that notifying the patient at this stage would risk significant distress and may undermine the therapeutic relationship before the GP has had an opportunity to assess the situation and plan a safe, supportive approach. Notifying the patient may also risk damaging the therapeutic relationship between the family and social worker. The GP decides to rely on this exception and documents their decision. They keep it under review, with the intention of addressing the information with the patient later, if and when it’s appropriate and safe to do so.

Rule 3A(4)(b): Compliance would prejudice the purposes of the collection

In some cases, the purpose for collecting personal information indirectly may be undermined if the agency collecting it were to tell the person concerned.

For example, a health agency is conducting an internal investigation into a practitioner and has a legitimate purpose for collecting personal information about the practitioner from their colleague, to verify personal information collected from the practitioner themselves. If the agency’s purpose is to find out objectively the facts of the situation, because it’s part of an investigation, then letting the practitioner know of the indirect collection may undermine that. For example, notifying the practitioner may give them an opportunity to destroy evidence, or to try to influence what information their colleague gives to the investigator.

It’s important to note that the agency must still have a proper basis under IPP2 for collecting this information from someone other than the person themselves. They must only collect information that is relevant to the investigation of the situation.

Take great care if your agency plans to rely on this exception and be sure to seek professional advice before doing so. OPC has previously undertaken an inquiry into (amongst other things) an agency collecting information about an individual indirectly without proper reason. Read about the inquiry here.

Rule 3A(4)(c): Compliance is not reasonably practicable in the circumstances

In some cases, notifying the individual of an indirect collection will not be practicable. However, it’s important to note that inconvenience, cost, or administrative burden doesn’t automatically mean notification is ‘not reasonably practicable’.

Cost may be a factor if notification would be so expensive that the cost would be disproportionate to the value provided to the person.

Generally, the threshold to assess whether it’s not reasonably practicable to notify will depend on the nature of the personal information that’s being collected indirectly. For example, if the information is sensitive, then the threshold of ‘not reasonably practicable’ will be higher.

Health agencies need to consider how rule 3A notification requirements will be met as part of any new or existing processes that involve routinely and repeatedly collecting health information indirectly. Having incompatible systems or processes is not a valid reason to rely on this exception.

For example, it may not be reasonably practicable for an agency to notify the person if they don’t hold any contact details for them. In this situation, the collecting agency isn’t expected to collect contact details solely for the purpose of notifying them.

Compliance may not be practicable where an individual is unconscious or in cases of emergency. Indirect collection of health information by ambulance staff in an emergency may sometimes fall within this exception, or exception 3A(4)(a) – compliance would prejudice the interests of the individual concerned.

Example

A regulatory authority in the health sector is investigating a practitioner who has been prescribing medication in a way that is concerning. The authority makes a request to the health agency that holds prescription information, asking for all prescriptions made for a certain medication within a specified date range. The scope of the information they receive back is much larger in volume than they anticipated, covering the prescription information of 1000+ individuals. As this is an indirect collection of health information, the authority needs to consider its obligations under rule 3A of the HIPC. The authority decides that notifying all the individuals concerned is not reasonably practicable, because of the volume of the information, and the fact that it doesn’t have contact details for the individuals concerned and has no direct relationship with them. However, the authority has taken some reasonable steps in the circumstances to ensure individuals are aware of the rule 3A matters by including these in its privacy policy, which is published on its website.

Rule 3A(4)(g): The health information was collected for the purpose of assembling a family or genetic history of an individual from that individual

Health agencies may rely on this exception if, as part of assembling a family or genetic history of an individual, they indirectly collect health information about the individual’s relatives from that individual. 

However, genetic information, and the use of information obtained from genetic tests, raises some important issues. Information obtained from a genetic test on an individual relates not only to the individual undergoing the test, but also to their relatives.

When carrying out a genetic test on behalf of an individual, agencies should carefully consider whether they have fulfilled their obligations under rules 3 and 3A. This is especially important if a positive result for any condition being tested for would have implications for the health of the individual’s relatives. Health agencies should have clearly communicated policies on what they will do when they receive information that may be vital to an individual’s relatives’ health.

Notifying an individual’s representative

Under rule 2 of the HIPC, it’s not necessary for a health agency to collect health information directly from the individual concerned, if the agency believes on reasonable grounds:

  • That the individual concerned authorises collection of the information from someone else having been made aware of the matters set out in rule 3A(1), or
  • That the individual is unable to give their authority and the health agency, having made the individual’s representative aware of the matters set out in rule 3(1), collects the information from the representative, or 
  • That the individual is unable to give their authority and the health agency, having made the individual’s representative aware of the matters set out in rule 3A(1), is authorised by the representative to collect the individual’s health information from someone else.

It’s not always possible to collect information directly from the individual. For example, an individual may be unconscious or may not have capacity to understand because of their age or disability. In these circumstances, if health agencies collect information from the representative, they should give the representative the explanations that would otherwise have been given to the individual.

The only change that rule 3A makes to this process is that, when an individual or their representative authorises collection of the information from someone else, the agency needs to believe on reasonable grounds that the individual or representative has been made aware of the matters in rule 3A(1), rather than rule 3(1).

Health agencies should make sure any processes for communicating with individuals and their representatives are aligned with the Code of Health and Disability Services Consumers’ Rights.
