Clause 39

A person who is not a user or an authorised individual of a user must not access or collect accessible health information about any individual for any purpose, unless the access or collection is required or permitted under this Act or any other written law, or by an order of court.

A person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 4 years or to both.

It is not a defence in any proceedings for an offence under subsection (1) that the accused accessed or collected accessible health information about an individual on the basis that the individual has consented or has given his or her consent in accordance with Part 4 of the Personal Data Protection Act 2012 or such consent is not required under that Part.