
OBJECTIVE:
Protecting the Privacy of your Personal Information
In complying with the Privacy Amendment (Private Sector) Act 2000, the Otway Division of General Practice has developed a Privacy Policy that governs its handling of personal information.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (p57 Guidelines on Privacy in the Private Health Sector, Office of the Federal Privacy Commissioner - October 2001)

Our Privacy Policy governs:
• what personal information is being collected;
• who is collecting personal information;
• how personal information is used;
• to whom and under what circumstances personal information is disclosed; and
• how personal information is stored.

In most circumstances, Otway Division of General Practice will:
• only collect personal information about you with your consent (unless legally required or authorised to do otherwise);
• collect your personal information directly from you (where possible and practicable);
• only collect personal information about you that is necessary and relevant to the functions and/or programs of the Division;
• use staff to collect your information who are appropriately trained and have a specific role in the purpose for which your personal information is being collected;
• only use your personal information for the purpose for which it is collected or for a directly related secondary purpose that you would expect your personal information to be used for (unless legally required or authorised to do otherwise);
• provide you with access to your personal information (unless legally required or authorised to do otherwise);
• only disclose your personal information to a third party with your consent, or where you expect such disclosure, or where the Division is legally required or authorised to do so;
• take reasonable steps to keep your personal information complete, current and accurate;
• take reasonable steps to ensure personal information about you is kept secure.

1 Collection
Collection of personal information must be fair, lawful and not intrusive. Collection must also be necessary for the business of the organisation. A person must be told the organisation’s name, the purpose of collection, to whom it is usually disclosed, that they can get access to their personal information and what may happen if they choose not to give the information.

2 Use and Disclosure
An organisation should only use or disclose information for the purpose it was collected unless the person has consented, or the secondary purpose is directly related to the primary purpose and a person would reasonably expect such use or disclosure, or, for personal information that is not health information, for direct marketing in specified circumstances, or in circumstances related to public interest such as law enforcement and public or individual health and safety.

3 Data Quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

4 Data Security
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

5 Openness
An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.

6 Access and Correction
Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.

7 Identifiers
Generally speaking, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government ‘agency’.

8 Anonymity
Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.

9 Transborder Data Flows
An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.

10 Sensitive Information
An organisation must not collect sensitive information unless the individual has consented, it is required by law or in other special specified circumstances, for example, relating to health services provision and individual or public health or safety.

1. This Division will only collect personal information necessary to undertake our programs, activities or functions.
1.1 Personal information about an individual will only be collected by lawful and fair means and directly from the individual wherever possible.
1.2 A contact name and telephone number for the Division will be given to every individual who provides personal information.
1.3 The Division will ensure that each individual providing personal information is informed about and understands the purpose of the Division collecting the information, to whom or under what circumstances their personal information may be disclosed to another party, and how they can access the information held about them by the Division.
1.4 The Division will endeavour to ensure that individuals providing personal information understand the consequences, if any, of providing incomplete or inaccurate information.
1.5 The Division will disclose on all invitations and registrations that photographs may be taken at these Divisional events. These images may be used in Divisional publications. The consumer has the right to deny permission.

3. This Division will update our databases or records as soon as possible after being advised by an individual of changes to their personal information held by the Division.

4.1 All personal information held by this Division will be:
4.1.1 if in paper form, received and stored in a secure, lockable location. (GP and staff contact lists are regularly carried by Division Staff and all reasonable steps will be taken to protect this information from misuse and loss and from unauthorised access, modification or disclosure);
4.1.2 if in electronic form, password and firewall protected;
4.1.3 accessible by staff only on a “need to know” basis;
4.1.4 not taken from the Division offices unless authorised and for a specified purpose. (See above regarding GP lists)
4.2 The Division will destroy or permanently de-identify personal information that is no longer required by the Division. Our Division has a policy on the storage and destruction of sensitive information.

5. This policy will be made available to any person requesting access to it.
5.1 A general statement describing our approach to privacy will be available at the Division, sent out with membership forms and displayed on our website.
5.2 If requested by an individual, the Division will provide more detail about our information-handling practices (i.e. what personal information is held and how it is handled by the Division).

6. Under normal circumstances this Division will provide an individual with access to their personal information within 30 days of receiving a request for access.
6.1 There will be no fee associated with lodging or processing a request for access.
6.2 Provision of access to a person’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters etc.
6.3 If an individual believes that information held by the Division is inaccurate or incomplete, the Division will take steps to amend or correct the information.
6.4 Some exceptions where the Division may refuse access include:
6.4.1 If it reasonably believes that a person’s health or life may be seriously threatened or at risk by releasing the information; or
6.4.2 If access would be unlawful or would prejudice a legal investigation; or
6.4.3 If access would have an unreasonable impact on others’ privacy.
6.5 Under circumstances other than 6.4 where information is withheld, the Division will ensure that its practices are consistent with the provisions of NPP 6.
6.6 If information is withheld under 6.4, the Division will provide an explanation to the individual as to the reasons why this was the case.

7. Except where circumstances allow (NPP 7.2), this Division will not use Medicare or Veterans Affairs numbers or other identifiers assigned by a Commonwealth agency (or State/Territory body where this is prohibited under State/Territory law) to identify personal information.

8. Where it is lawful and practicable to do so, the Division will allow individuals to provide information anonymously.
8.1 An individual who chooses to access the services of the Division anonymously will be advised of any potential consequences resulting from their decision, e.g. where the lack of a contact name or address may jeopardise care in an emergency situation.
8.2 The Division will not automatically preclude an individual from participating in the activities of the Division because they request anonymity.

9. This Division will only transfer personal information about an individual to someone who is in a foreign country if:
9.1 the individual consents to the transfer; or
9.2 the recipient is bound by legislation that is substantially similar to the NPPs; or
9.3 the Division has taken reasonable steps to ensure that the information will not be held, used or disclosed inconsistently with the NPPs.

10. This Division will only collect sensitive information (as defined under the Act) about an individual, if:
• the individual consents; or
• the collection is required by law; or
• such collection is consistent with the provisions of NPP 10.
10.1 For example, the Division will comply with this principle for the collection of sensitive information for the purposes of our member database.

Otway Division of General Practice “Promoting Better Healthcare and Lifestyle”
Privacy Policy

2. This Division will ensure that personal information will only be used for the purpose it was collected, or a directly related purpose, that would reasonably be expected by the individual providing the information.
2.1 If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, the Division will obtain informed consent from the individual.
2.1.1 Individuals will be given the opportunity to refuse such use or disclosure.
2.1.2 If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Act) may do so, if this is necessary to ensure the treatment or care of the patient, or for compassionate reasons. Providing consent under this clause does not mean the responsible person is given guardianship/power of attorney privileges. Such privileges are covered by State/Territory Guardianship legislation.
2.2 The Division will only disclose personal information without consent where such disclosure is required by law, or, in some circumstances, for law enforcement, or in the interests of the individual’s or the public’s health and safety.
2.2.1 The Division will keep records of any such use and disclosure.
2.2.2 Information may be disclosed to a responsible person (as described under the Act).