This Standard establishes requirements for the protection of personal information in health care information systems. The Standard has been developed to apply to all forms of health information, including that held in computerized systems or hard copy records.The Standard recognizes that many organizations with personal information in health care information systems operate under the requirements of legislation or codes of practice or guidelines that have a legal basis. For these organizations these arrangements will take precedence over the requirements of the corresponding sections of this Standard.The Standard recognizes the requirement for properly authorized and conducted health research, quality assurance and clinical audit, and accepts that there needs to be a balance between the requirements of personal information privacy and the health benefits achievable through such recognized activities.The Standard outlines what a reasonable individual, whether health care provider or patient, might expect in relation to the protection of personal information by way of protection of data and systems security. Importantly, the Standard recognizes the balance required between the protection of personal privacy and the genuine, controlled and legitimate use of this information in providing and improving health care systems.The Standard also serves as a benchmark which may be used to audit performance and to determine whether a holder of personal information may be able to trust a third party with that information, based on their compliance with this Standard, in whole or in part.ApplicationEach organization is expected to develop its own information policy or code of practice, appropriate to its own operating environment, based on this Standard.Where an organization does not comply fully with the requirements of this Standard, it shall record in its policy the extent of noncompliance and the alternative measures taken to protect personal information. The policy, including noncompliance should be reviewed and approved by an appropriate independent body.The appropriate independent body which approves an organization's information policy should have the power to grant exemptions to particular requirements of this Standard, provided that such exemptions are recorded in the organization's information policy.An appropriate independent body which grants exemptions should adopt guidelines on when an exemption may be granted. Decisions to grant exemptions should be publicly available.