- Clearly communicate how Hunter Primary Care Limited (HPC) complies with the Australian Privacy Principles and relevant legislation dealing with privacy in Australia;
- Describe the personal information handling practices of HPC and enhance the transparency of its operations;
- Give individuals a better and more complete understanding of the sort of personal information that HPC holds, and the way we handle that information; and
- Provide details of how individuals can complain or report a breach of our responsibilities in regard to privacy, and how we will handle such complaints.
This policy does not extend to personal information held as part of HPC’s employee records.
Statistical information that is used for service delivery reporting and to support the review and improvement of services is de-identified and aggregated to a level that makes the identification of individuals impossible. Such information is therefore not personal information as defined and is not covered by this policy.
We respect people’s personal information and their right to privacy. Protecting privacy when handling personal information is very important to HPC and is fundamental to the way that we operate. When we collect or are given personal information, it imposes a serious responsibility upon us to protect that information and maintain the trust that has been given to us. For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information).
- How we collect and hold information
We only collect personal information for purposes that are directly related to the services and activities of HPC.
Our methods for the collection of personal information are lawful and fair. It is our usual practice to collect personal information directly from the individual or their authorised representative. Sometimes we collect personal information from a third party or from a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way, or if it is necessary for a specific purpose such as the investigation of a privacy complaint.
In circumstances where HPC will have no need to contact an individual in the future, and is not required or authorised by law to deal with identified individuals, they have the right to anonymity or pseudonymity when providing information.
HPC will take reasonable measures to ensure that each individual providing personal information is informed about and understands the purpose of collecting the information and the consequences (if any) of providing incomplete or inaccurate information. Privacy statements will reference this policy, set out the purposes for which we are capturing information and any intended disclosure to other parties.
At times, HPC may receive unsolicited information. If unsolicited information is received, HPC will determine whether the information could reasonably have been collected as if it had solicited the information. If not, the information will be de-identified or destroyed, provided it is not unlawful to do so.
- What types of information do we collect and hold?
In the ordinary course of business, we collect and hold individuals’ names, their occupation, role and employer, contact information (phone, address, email), qualifications and accreditation, special interests, attendance at events, access to and use of our services, communication history, professional memberships and affiliations.
Where we are providing direct health services, we also collect and hold records of health information as well as other sensitive information to support a biopsychosocial approach to health care delivery.
- How we use personal information
We only use personal information for the purposes for which it was given to us, or for purposes that are directly related to one of our functions or activities.
- How we disclose your information
Generally, we will only disclose personal information for a purpose that is related to the service that we are providing. This may include disclosures to other health service providers involved in care or treatment (e.g. treating specialists), Medicare and other government agencies that may require evidence of treatment to pay for care, private health insurers, pharmacies and governmental bodies. Other circumstances in which we may disclose personal information are set out below.
- To third parties to provide care or treatment. However, we will only do so with prior consent or, if a person is unable to provide consent and we are not aware that it is against their wishes, where it is necessary in order to be able to provide care or treatment. We may make such a disclosure, for example, to a carer to let them know how often to administer medication.
- To contractors to whom we outsource certain functions, such as electronic network administrators. However, where possible, we take contractual measures to ensure that they comply with the privacy standards set out in the Privacy Act. We require our contractors to sign nondisclosure agreements and do not permit them to subcontract their services.
- From time to time, to medical researchers where permitted under the Privacy Act. Where appropriate, we will de-identify information before we disclose it for research purposes.
- To persons involved in accrediting HPC. For example, a person from an accreditation agency may need to review our information handling procedures which may involve accessing patient records.
- In other circumstances where we are expressly permitted to do so under the Privacy Act; for example, where we are legally required to do so, such as under a court order.
In all circumstances, we aim to limit the amount of information disclosed to that which is necessary for the purpose of the disclosure. Further, where appropriate, we de-identify information before disclosing it.
Identified information that is disclosed will only be transmitted in a secure manner. Secure messaging will be used when available and, if not, transmission will be by facsimile or as a password protected attachment to an email.
Disclosure and sharing of information may also occur by direct entry into a secure web site that is only accessible to authorised users.
- Direct Marketing
From time to time we may use the personal information we collect to identify particular services or events that we believe may be of interest to an individual. We may then make contact with the individual about how they may be of benefit. We will generally only do this with the individual’s consent and we will always give the choice to opt out of receiving such information in future.
Individuals may request access to personal information we hold about them by sending a written request to our Privacy Officer. The information to which an individual is entitled to obtain access includes information that has been provided to us by other people, such as opinions provided by specialists. Access will generally be provided in an appropriate form within 30 days. We may charge a fee for providing access if it requires a significant amount of time to locate personal information or to collate or present it in an appropriate form.
In rare circumstances, and only where it is permitted under the Privacy Act, we may not be able to provide an individual with access to all, or parts of, their information; for example, where:
- it would pose a serious threat to the life, health or safety of any individual or to public health or public safety; or
- it would have an unreasonable impact upon the privacy of others; or
- the information relates to existing or anticipated legal proceedings between us through which it would not otherwise be available; or
- any other lawful reason contained in the Privacy Act.
If we are unable to provide access, we will state why this is so and consider whether the use of an intermediary would be appropriate to provide the individual with an explanation of the personal information.
- Overseas transfers
We will only transfer personal information overseas if the transfer is to the individual, or to one of the individual’s authorised representatives, or it is with the express consent of the individual.
We assess each case individually when determining whether a minor is able to exercise his or her privacy rights regarding personal information. Factors that we take into consideration include any statutory obligations that we have regarding whether a young person is able to consent and both the minor’s maturity and ability to understand the nature of his or her rights and implications of exercising them. We only disclose information about minors to parents or persons taking care of them if permitted to do so under the Privacy Act.
If the information that we hold about an individual is out of date, inaccurate, incomplete, irrelevant or misleading, the individual may inform us of this and we will correct it. If the relevant information relates to the individual’s health, we generally will not delete the inaccurate information but rather, will ensure that the amended information is clearly associated with the inaccurate information to ensure that all subsequent users of the information are aware of the amendment. This is because, when providing a health service in the future, we may need to review the inaccurate information; for example, to see why a particular course of treatment was prescribed.
In the unlikely event that we disagree about the accuracy of the information and refuse to correct the personal information, the individual will be notified in writing of the reasons for the refusal, the mechanisms to complain and any other matter prescribed by the regulations. The individual may provide us with a statement that he or she disputes its accuracy and we will associate the statement with the information in the individual’s file in such a manner that it will be brought to the attention of each person who uses the information.
- Security of information held
HPC is committed to protecting and securing personal information. We employ appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, loss, misuse or alteration. We have policies and procedures to take all reasonable steps to manage personal information in accordance with the Privacy Act 1988 (Cth) (the Act). Additionally, in response to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act), a Notifiable Data Breach (IT 09) Policy is in place in the event of a breach of personal information including notification provisions.
We limit access to personal information to individuals with a business need consistent with the reason the information was provided. We keep personal information only for as long as it is required for business purposes or by the law.
If you believe that there has been a breach of this policy, you should set out details of your complaint and send it to HPC’s Privacy Officer at PO Box 572, Newcastle NSW 2300.
Complaints that are received will be resolved in accordance with HPC’s complaints handling procedures. Complaints will normally be investigated and either resolved or progress communicated to the complainant within 35 days.
Amendments to policy
We may amend this policy from time to time in order to ensure that it remains accurate in view of any alterations to our information handling practices due to new technologies and changed business practices. Any updated policy will be published on our website.
References/ Related Documents
For more information about the Australian Privacy Principles, go to www.oaic.gov.au.
- biopsychosocial approach to healthcare systematically considers biological, psychological and social factors and their complex interactions in understanding health, illness and health care delivery.
- consent means express consent or implied consent.
- health information is:
  - other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  - genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
- personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  - whether the information or opinion is true or not; and
  - whether the information or opinion is recorded in a material form or not.
- Record is a document, database (hardcopy or electronic) or a photograph or other pictorial representation of a person.
- sensitive information is:
  - information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record, that is also personal information;
  - health information about an individual;
  - genetic information about an individual that is not otherwise health information;
  - biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  - biometric templates. “Biometric templates” are generally digital representations of biometric features formulated using algorithms. Many biometric recognition systems compare these to identify individuals.