Hunter Primary Care Privacy Policy

Purpose

The purpose of this privacy policy is to:

  • Clearly communicate how Hunter Primary Care Limited (HPC) complies with the Australian Privacy Principles and relevant legislation dealing with privacy in Australia
  • Describe the personal information handling practices of HPC and enhance the transparency of its operations
  • Give individuals a better and more complete understanding of the sort of personal information that HPC holds, and the way we handle that information
  • Provide details of how individuals can complain or report a breach of our responsibilities in regard to privacy, and how we will handle such complaints

Scope

This Privacy Policy applies to all situations in which HPC collects, holds, uses and discloses personal information in a record. This includes (but is not limited to) the direct provision or contracting of health services, websites, surveys and events.

This policy does not extend to personal information held as part of a HPC’s employee records.

Statistical information that is used for program reporting and to support the review and improvement of services is de-identified and aggregated to a level that makes the identification of individuals impossible. Such information therefore is not personal information as defined and therefore is not covered by this policy.

Policy Statement

We respect people’s personal information and their right to privacy.

Protecting privacy when handling personal information is very important to HPC and is fundamental to the way that we operate. When we collect or are given personal information, it imposes a serious responsibility upon us to protect that information and maintain the trust that has been given to us. For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information).

We only collect personal information for purposes that are directly related to the services and activities of HPC.

Our methods for the collection of personal information are lawful and fair. It is our usual practice to collect personal information directly from the individual or their authorised representative. Sometimes we collect personal information from a third party or from a publicly available source, but only if the individual has consented to such collection or would reasonably expect us to collect their personal information in this way or, if it is necessary, for a specific purpose such as the investigation of a privacy complaint.

In limited circumstances we may receive personal information about third parties from individuals who contact us and supply us with the personal information of others in the documents they provide to us.
In circumstances where HPC will have no need to contact an individual in the future, and is not required or authorised by law to deal with identified individuals, they have the right to anonymity or pseudonymity when providing information.

HPC will take reasonable measures to ensure that each individual providing personal information is informed about and understands the purpose of collecting the information and the consequences (if any) of providing incomplete or inaccurate information. Privacy statements will reference this policy, set out the purposes for which we are capturing information and any intended disclosure to other parties.

At times, HPC may receive unsolicited information. If unsolicited information is received, HPC will determine whether the information could reasonably have been collected as if it had solicited the information. If not, the information will be de-identified or destroyed, provided it is not unlawful to do so.

In the ordinary course of business, we collect and hold individual’s names, their occupation, role and employer, contact information (phone, address, email), qualifications and accreditation, special interests, attendance at events, access to and use of our services, communication history, professional memberships and affiliations.

Where we are providing direct health services, we also collect and hold records of health information as well as other sensitive information to support a biopsychosocial approach to health care delivery.

We only use personal information for the purposes for which it was given to us, or for purposes that are directly related to one of our functions or activities.
Generally, we will only disclose personal information for a purpose that is related to the service that we are providing. This may include disclosures to other health service providers involved in care or treatment (e.g. treating specialists), Medicare and other government agencies that may require evidence of treatment to pay for care, private health insurers, pharmacies and governmental bodies.
Other circumstances in which we may disclose personal information are set out below.

  • To third parties to provide care or treatment. However, we will only do so with prior consent or, if a person is unable to provide consent and we are not aware that it is against their wishes, where it is necessary in order to be able to provide care or treatment. We may make such a disclosure, for example, to a carer to let them know how often to administer medication.
  • To contractors to whom we outsource certain functions, such as electronic network administrators. However, where possible, we take contractual measures to ensure that they comply with the privacy standards set out in the Privacy Act. We require our contractors to sign nondisclosure agreements and do not permit them to subcontract their services.
  • From time to time, to medical researchers where permitted under the Privacy Act. Where appropriate, we will de-identify information before we disclose it for research purposes.
  • To persons involved in accrediting HPC. For example, a person from an accreditation agency may need to review our information handling procedures which may involve accessing patient records.
  • In other circumstances where we are expressly permitted to do so under the Privacy Act; for example, where we are legally required to do so, such as under a court order.

In all circumstances, we aim to limit the amount of information disclosed to that which is necessary for the purpose of the disclosure. Further, where appropriate, we de identify information before disclosing it.

From time to time we may use the personal information we collect to identify particular services or events that we believe may be of interest to an individual. We may then make contact with the individual about how they may be of benefit. We will generally only do this with the individual’s consent and we will always give the choice to opt out of receiving such information in future.
Individuals may request access to personal information we hold about them by sending a written request to our Privacy Officer. The information to which an individual is entitled to obtain access to includes information that has been provided to us by other people, such as opinions provided by specialists. Access will generally be provided in an appropriate form within 30 days. We may charge a fee for providing access if it requires a significant amount of time to locate personal information or to collate or present it in an appropriate form.

In rare circumstances, and only where it is permitted under the Privacy Act, we may not be able to provide an individual with access to all, or parts of, their information; for example, where:

  • it would pose a serious threat to the life, health or safety of any individual or to public health or public safety
  • it would have an unreasonable impact upon the privacy of others
  • the information relates to existing or anticipated legal proceedings between us through which it would not otherwise be available
  • any other lawful reason contained in the Privacy Act

If we are unable to provide access, we will state why this is so and consider whether the use of an intermediary would be appropriate to provide the individual with an explanation of the personal information.

We will only transfer personal information overseas if the transfer is to the individual, or to one of the individual’s authorised representatives, or it is with the express consent of the individual.
We assess each case individually when determining whether a minor is able to exercise his or her privacy rights regarding personal information. Factors that we take into consideration include any statutory obligations that we have regarding whether a young person is able to consent and both the minor’s maturity and ability to understand the nature of his or her rights and implications of exercising them. We only disclose information about minors to parents or persons taking care of them if permitted to do so under the Privacy Act.
If the information that we hold about an individual is out of date, inaccurate, incomplete, irrelevant or misleading, the individual may inform us of this and we will correct it. If the relevant information relates to the individual’s health, we generally will not delete the inaccurate information but rather, will ensure that the amended information is clearly associated with the inaccurate information to ensure that all subsequent users of the information are aware of the amendment. This is because, when providing a health service in the future, we may need to review the inaccurate information; for example, to see why a particular course of treatment was prescribed.

In the unlikely event that we disagree about the accuracy of the information and refuse to correct the personal information, the individual will be notified in writing the reasons for the refusal, the mechanisms to complain and any other matter prescribed by the regulations. The individual may provide us with a statement that he or she disputes its accuracy and we will associate the statement with the information in the individual’s file in such a manner that it will be brought to the attention of each person who uses the information.

HPC is committed to protecting and securing personal information. We employ appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, loss, misuse or alteration.

We limit access to personal information to individuals with a business need consistent with the reason the information was provided. We keep personal information only for as long as it is required for business purposes or by the law.

Complaints

If you believe that there has been a breach of this policy, you should set out details of your complaint and send it to HPC’s Privacy Officer at PO Box 572, Newcastle NSW 2300.

Complaints that are received will be resolved in accordance with HPC’s complaints handling procedures. Complaints will normally be investigated and either resolved or progress communicated to the complainant within 35 days.

Amendments to policy

We may amend this policy from time to time in order to ensure that it remains accurate in view of any alterations to our information handling practices due to new technologies and changed business practices. Any updated policy will be published on our website.

References/ Related Documents

For more information about the Australian Privacy Principles visit www.oaic.gov.au.

Definitions

For a PDF copy of this Policy, including the Definitions click here for the Hunter Primary Care Privacy Policy.