The purpose of this policy is to define how Hunter Primary Care (HPC) handles personal information, in compliance with the Australian Privacy Principles and relevant legislation. The policy aims to:
- Describe our personal information handling practices and enhance the transparency of our operations;
- Give people a better and more complete understanding of the sort of personal information that we hold, and the way we handle that information; and
- Outline how people can complain or report a breach of our responsibilities in regard to privacy, and how we will handle such complaints.
This policy applies to all situations in which we collect, hold, use and disclose personal information. This includes (but is not limited to) the personal information we obtain and hold in relation to:
- Clients and patients to whom we provide health and related services,
- Health care providers who register as members of HPC under our constitution,
- Members of the public who utilise our websites, take part in surveys and/or participate in events we organise.
Statistical information that is used for service delivery reporting is de-identified and aggregated to a level that makes the identification of individuals impossible. It is therefore not personal information as defined and is not covered by this policy.
In the following policy, ‘we’ refers to the organisation, staff and programs of HPC, ‘you’ refers to any person who engages with HPC, and ‘your information’ is any personal information we collect from or about you to provide you services.
At HPC, we respect your right to privacy, and uphold your right to have your personal information privacy maintained. Protecting privacy when handling personal information is very important to us and is fundamental to the way in which we operate.
When we collect or are given your personal information, it imposes a responsibility upon us to protect that information and maintain the trust that has been given. We do this in accordance with our legal obligations and in line with reasonable expectations.
We make sure that each person providing personal information is informed about and understands the purpose of collecting the information and how it will be used. Where information is provided by a third party, we ensure we have the informed consent of the person concerned.
We commit to collecting, holding and using personal information appropriately, for the use/s for which we hold it, and in accordance with the Privacy Act. Further, we take all reasonable steps to protect personal information from unauthorised disclosure, loss, misuse or alteration.
Unless it is noted expressly in this policy, we do not make a distinction between the handling of personal information and sensitive information (including health information). We treat all information with the same levels of respect, and the same security protections.
1. Collection of Personal Information
At HPC, we collect, hold and use a range of personal information through our business.
1.1 What information we collect and hold
We collect personal information only for purposes that are directly related to the services and activities of HPC. For most people, we collect and hold names and contact details (phone, address, email). These details allow us to identify and communicate with you for our business purposes.
In addition, we collect and hold:
- If you are a patient or client, details such as date of birth and government identifiers to allow us to identify you and communicate with relevant agencies. We may also collect and hold certain health information and sensitive information to support the delivery of programs and services to you.
- If you are a member, details including occupation, role and employer, qualifications and accreditation, and professional memberships and affiliations. This allows us to involve you in the organisation, and communicate about relevant member benefits such as events, opportunities and services.
- If you participate in an HPC event or activity, we may record the services and activities you express an interest in.
We may also keep a record of our communication or interaction with you.
When you use our website, we also collect (via cookies) information about your website use and browser preferences to improve our website function and experience.
Anonymity: In circumstances where we will have no need to contact you in the future, you have the right to anonymity or to use a pseudonym when interacting with us; provided that:
- Personal information is not required to provide you with the service, and
- We are not restricted by law to deal with identified individuals.
1.2 How we collect information
We use methods for collecting personal information that are lawful and fair.
We obtain personal information in many ways including:
- In discussions with you (and/or your authorised representative/s),
- On forms you complete,
- At meetings and interviews,
- In written correspondence or by email,
- In conversations over the telephone or by email, and
- In reports and referrals from third parties.
We also collect some information about website users via cookies to allow us to monitor and improve our website; but we do not link this information to your personal record.
Wherever possible, we collect personal information directly from you, or from your authorised representative. This means we will usually ask you to provide the information we need. If somebody else needs to be involved, we will seek your consent to talk to them.
We will always explain to you why we are collecting the information and how we plan to use it. Where relevant, we will also ensure you understand the consequences (if any) of providing incomplete or inaccurate information.
Sometimes we collect your information from a third party; but usually only if we have your consent, or we believe you would reasonably expect us to collect your information in this way. We may also do this if it is necessary for a specific purpose, such as the investigation of a privacy complaint.
If we receive personal information unsolicited from a third party, we will determine whether the information could reasonably have been collected if we had asked. If so, we will retain it for use. If not, the information will be de-identified or destroyed (provided it is not unlawful to do so).
When you interact with us, we may ask you to confirm some of your personal details. This is so that we can ensure that our records are complete, accurate and up-to-date; and also so we can ensure that we are adding any new information we collect to the correct personal record.
2. Use and Storage of Personal Information
2.1 How we hold and protect personal information
We protect and secure the personal information we hold by methods that are lawful, secure and fit-for-purpose, and we limit access to personal information to authorised individuals with a business need consistent with the reason the information was provided.
We hold your information in secure, individual records. Your information may be stored as:
- Electronic records of personal details
- Electronic records of consultation and session notes
- Where relevant, electronic records of referrals, and of pathology and imaging results
- Audio recordings of telephone conversations
- Hard copy (paper) files (where original documentation is required for any reason).
We have password-protected electronic systems for each of our programs and services, purpose-built and managed, and only available to authorised users; and we have secure physical storage for records that need to be retained in hard copy.
Where we collect information in hard copy, we enter the details from the form into our electronic record. We have processes in place to ensure as far as possible that the right personal information is being added to the right personal record in a timely manner. Once the record is updated:
- If we require a copy of an original form (for example, because it contains an authorised signature), we create a scanned copy to attach to the relevant personal record.
- If for legal or other reasons, we are required to maintain an original document, we hold it in a secure filing system, only accessed by relevant authorised personnel.
Once a hard copy record is no longer required, we securely dispose of the original form.
We keep your information only for as long as it is required for business purposes or by law.
2.2 How we use personal information
We only use personal information for the purpose(s) for which it was given to us, or for purposes that are directly related to one of our functions or activities. So, if you access a service from HPC, we use your information in order to provide you with healthcare or supports that meet your needs. We may use some of your information for related business activities, such as arranging a Medicare claim, or for clinical audits (where we measure and improve the quality of care that we provide).
All our staff members sign a confidentiality agreement, and we train, support and manage staff to ensure that the privacy of your personal information is protected at all times, and that information is only accessed, used and shared when it is required.
Direct Marketing: We may use your information to identify services or events that may be of interest to you. In this instance, we may then make contact with you. HPC will only do this with your consent and will give you the choice to opt out of receiving such information in future.
3. Sharing of Personal Information (Disclosure)
Generally, personal information that is held by HPC is not shared with others. We will disclose it only:
- When it is necessary for a purpose related to the service that we are providing you, and
- With your understanding and prior consent.
If you are unable to provide consent and provided HPC is not aware that disclosure is against your wishes, we will share information where it is necessary in order to be able to provide care or treatment. In all circumstances, we aim to limit the amount of information disclosed to that which is necessary for the purpose of the disclosure.
3.1 When we disclose personal information
We share personal information only when it is necessary as part of the service we are providing to you. For example, we may disclose information to:
- Third parties involved in providing care or treatment (e.g. a carer who will need to administer medication or monitor symptoms).
- Other health service providers involved in care or treatment (e.g. treating specialists, allied health professionals, hospitals, community health services, pathology and diagnostic imaging services, pharmacies).
- Medicare, Veterans’ Affairs and other agencies that require evidence of treatment to pay for care, or to private health insurers.
- Other government entities that may support your health care (such as My Health Record).
- Contractors to whom HPC outsources certain functions.
- Auditors or other persons involved in accrediting HPC (for example, a person from an accreditation agency may need to review HPC’s information handling procedures which may involve accessing patient records).
- From time to time, medical researchers carrying out approved research (where permitted under the Privacy Act).
In other circumstances where HPC is expressly required or permitted to do so under the Privacy Act, we may also disclose personal information to other parties where we are legally required to do so, such as under a court order.
If you do not wish us to disclose information to a particular party, you can notify us of this; and we will advise you of any impact it may have on our ability to provide you with services.
Notifiable Data Breaches: We make every effort to protect the personal information we hold, and to ensure it is only used and shared appropriately. In the event that your personal information is accessed or disclosed inappropriately and we believe that this breach of your privacy may result in harm, we will manage this in accordance with the requirements of the Privacy Act, and will notify and update you accordingly.
3.2 How we disclose personal information
Personal information may be shared in various ways, including:
- Person to person (including over the phone, or by email to a direct email address)
- By direct entry into a secure web site that is only accessible to authorised users
- Via secure messaging when available
- In hard copy (in person, sent by mail, or delivered person-to-person)
- By facsimile
- Via password-protected attachment to an email (with the password shared separately).
We take steps to ensure that each time any personal information is being shared, it is being shared with the right person at the right time and for the agreed purpose, and that it is being transmitted securely.
We take particular precautions with the disclosure of identified information, and ensure that any information that could identify you is only ever disclosed in person or transmitted in a secure manner.
Overseas Transfers: Under normal circumstances, we will not transfer any personal information overseas. We only transfer your personal information overseas if the transfer is:
- To you, or to one of your authorised representatives; or
- With your express consent.
4. Rights and Choices with Your Personal Information
You have the right to request access to the personal information we hold about you, and to request updates and corrections. You can also change your preferences and consents as needed.
4.1 How to access your information
At any time, you can request to access the personal information we hold about you. This includes the details we have in our records that we have collected or created, as well as information about you that has been provided to us by other people, such as opinions provided by specialists.
You can request access by sending a written request to our Privacy Officer, at the details below. If you require assistance putting a request in writing, please contact us on (02) 4925 2259. We will aim to provide you with the requested information in an appropriate form within 30 days.
If providing access to the requested information requires a significant amount of time (such as to locate personal information or to collate or present it in an appropriate form), HPC may charge a fee for providing access. We will advise you if this is the case, before we start to act on your request.
Note that in rare circumstances, where it is permitted under the Privacy Act, it may not be possible to provide you with access to all, or parts of, the information from our records. If we are unable to provide access, we will advise why this is so.
4.2 How to update your information
If the information that we hold about you is out‑of‑date, inaccurate, incomplete, irrelevant or misleading, you can inform us of this and it will be corrected. If you have changed your mind about information provided, or about consents you have given or refused, you can also inform us of that and we will update your record.
Occasionally, we may ask you to provide certain information updates in writing (or to confirm them in writing or with a signature), as a way of ensuring that our records are accurate. In most instances, however, you are able to notify us verbally of changes required.
In the unlikely event that we disagree about the accuracy of certain information, we may require additional evidence before we make a change. In this case, you will be notified in writing.
Updating Health Information: We treat the updating of health information differently to other types of personal detail, and will usually add an update rather than deleting or amending the original record. This is because, when in the future we review our records, or need to provide a health service, we may need to access the (inaccurate) information we had at the time – for example, to see why a particular course of treatment was prescribed.
If the information you wish to update relates to your health, we will generally add the current or amended information to the record, and clearly associate it with the inaccurate information to ensure that all subsequent users of the information are aware of the amendment. We do not typically delete health information.
4.3 Rights over children’s information
We take particular care with determining who is able to exercise privacy rights regarding the personal information of children and young people (under 18 years old). We work to ensure that these rights are exercised by the young person wherever possible, and by the most appropriate person in each instance. We assess each case individually to determine whether a minor is able to exercise their privacy rights regarding personal information.
If you are under 18 years old, and you request access to or correction of your personal information, we would take into consideration:
- Any statutory obligations regarding whether you are able to consent, and
- Your maturity, and your ability to understand your rights and implications of exercising them.
If you are under 18 and another person requests access to your information, we will only disclose your information to them if we are permitted to do so under the Privacy Act, and:
- With your permission, or
- If they can demonstrate they have a legal right to it (e.g. evidence they are your parent or guardian).
If you are a person wishing to access or change information held about a child, you may need to provide evidence of your identity and your relationship to the young person (and/or decision-making capacity) before we can provide you any information or action your request.
We take complaints and concerns regarding privacy seriously. If you believe that there has been a breach of this policy, you should set out details of your complaint in writing and send it to HPC’s Privacy Officer at the details below.
- In person: via a Feedback Form available in our offices and clinics
- Online at: hunterprimarycare.com.au/contactus
- By mail to: Hunter Primary Care, PO Box 572, Newcastle NSW 2300
- By fax to: (02) 4925 2268
- By email to: firstname.lastname@example.org
Complaints that are received will be resolved in accordance with HPC’s Complaints Policy and associated management and response protocols. Complaints will normally be investigated and we aim to resolve them and communicate to the complainant within 35 days. We also have an internal review process if you are unhappy with the resolution.
It is a good idea to discuss any privacy concerns with us first, to see whether we can work together to resolve the issue; but if you do not feel your complaint has been adequately resolved or addressed, you can contact:
- Health Care Complaints Commission on 1800 043 149, or
- National Privacy Commissioner on the Privacy Hotline 1300 363 992 or at privacy.gov.au/complaints
You can contact us at any time:
- Online at: hunterprimarycare.com.au/contactus
- By mail to: Hunter Primary Care, PO Box 572, Newcastle NSW 2300
- By fax to: (02) 4925 2268
- By email to: email@example.com
- On telephone number (02) 4925 2259
The key contact for communication regarding personal information privacy is the HPC Privacy Officer.
- Feedback Policy (GEN 49)
- Privacy Management Procedures (GEN 12.1)
- Privacy Act 1988 (Cth)
- For more information about the Australian Privacy Principles, go to oaic.gov.au.
Consent means agreeing or giving permission for something to happen. It includes express consent and implied consent.
Health information, under the Privacy Act, is:
- information or an opinion about:
- other personal information collected to provide, or in providing, a health service; or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
- genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Personal information, under the Privacy Act, means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Record is a document, database (hardcopy or electronic) or a photograph or other pictorial representation of a person.
Sensitive information, per the Privacy Act, is:
- information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record, that is also personal information
- health information about an individual;
- genetic information about an individual that is not otherwise health information;
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates (which are generally digital representations of biometric features formulated using algorithms).
HPC requires contractors that may have any access to personal information to sign non-disclosure agreements and comply with the Privacy Act, and does not permit them to subcontract their services.
Unless a person specifically gives consent for identifiable personal information to be shared with medical researchers, we de-identify any such information before disclosing it.