Privacy policy

Protecting the Privacy of Your Personal Information

In compliance with the Privacy Amendment (Private Sector) Act 2000, Wamberal Surgery has prepared this Privacy Policy to describe the way and circumstances under which personal information is collected, stored, used and disclosed and also how complaints are handled by Wamberal Surgery.  The Policy is intended as a guide to staff and patients of this Practice and for the advice of the broader community.

For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information)#, therefore all information will be referred to as “personal information” throughout this Policy.

Complaints Handling

Any complaints in relation to Wamberal Surgery handling of personal information should be directed to the Practice Manager.

Unless a complaint can be dealt with immediately to the satisfaction of both parties, Wamberal Surgery will provide a written response to the complainant within 30 days of it being received.

If an individual believes their complaint has not been appropriately handled by this Practice, they should contact the Office of the Federal Privacy Commissioner, Privacy Hotline 1300 363 992 (local call charge) or via www.privacy.gov.au.

Enquiries

Any enquiries regarding this Policy should, in the first instance, be directed to Wamberal Surgery Practice Manager:

Danielle Chalmers

Email:  danielle.chalmers@wamberalsurgery.com.au

Ph:  (02) 4384 2255

Wamberal Surgery will provide a copy of this Policy to all members of staff and will train staff in the appropriate handling of personal information by this Practice.

This policy is a public document and access to it will be granted on request.

1.               Collection

Collection of personal information must be fair, lawful and not intrusive.  A person must be told the organisation’s name, the purpose of collection that the person can get access to their personal information and what happens if the person does not give the information.

Wamberal Surgery will only collect personal information necessary to provide our patients with a quality health service.

1.1.           Personal information about a patient will only be collected by lawful and fair means and directly from the patient wherever possible.

1.2.           If information is collected about a patient from another party, Wamberal Surgery, will whenever possible, advise the patient of this.

1.3.           Wherever practical Wamberal Surgery will only collect information directly from the patient.  This may not be possible if the patient is unconscious or otherwise incapable of providing that information.

1.4.           We will ensure that each patient providing personal information is informed about and understands the purpose of collecting the information.  They will also be advised as to whom or under what circumstances their personal information may be disclosed to another party and how they can access the information held about them by Wamberal Surgery.  This will be carried out via notices and/or brochures and/or verbally.

1.5.           We will ensure that patients who are asked to provide personal information understand the consequences, if any, of providing incomplete or inaccurate information.

2.               Use & Disclosure

An organisation should only use or disclose information for the purpose it was collected unless the person has consented, or the secondary purpose is related to the primary purpose and a person would reasonably expect such use or disclosure, or the use is for direct marketing in specified circumstances, or in circumstances related to public interest such as law enforcement and public or individual health and safety.

Wamberal Surgery will ensure that personal information will only be used for the purpose it was collected, or that would reasonably be expected by the patient providing the information.

2.1.           If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, we will obtain informed consent from the patient.

2.1.1.       Individuals will be given the opportunity to refuse such use or disclosure.

2.1.2.       If a patient is physically or legally incapable of providing consent, a responsible person## (as described under the Act) may do so.

2.2.           We will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the patient’s or the public’s health and safety.

2.2.1.       We will keep records of any such use and disclosure.

2.2.2.       Information may be disclosed to a responsible person (as described under the Act).

3.               Data Quality

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Wamberal Surgery will take reasonable steps to ensure that personal information kept, used or disclosed by this Practice is accurate, complete, and as up to date as practicable.

4.               Data Security

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access modification or disclosure.

4.1.           All personal information held by Wamberal Surgery will be:

  • if in paper form, received and stored in a secure, lockable location;
  • if in electronic form, protected from theft, loss or corruption;
  • accessible by staff only on a “need to know” basis;
  • protected from viewing or access by unauthorised persons; and
  • not taken from Wamberal Surgery offices unless authorised and for a specified purpose.

4.2.           We will destroy or permanently de-identify personal information that is no longer required by Wamberal Surgery.

4.3.           We will ensure that all personal information transmitted electronically will be appropriately encrypted before transmission.

5.               Openness

An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.

Wamberal Surgery is committed to advising patients about its information handling practices.

5.1.           This Privacy Policy will be made available to any person requesting it.

5.2.           A Privacy Statement describing our approach to privacy will be on public display.

5.3.           Brochures detailing Wamberal Surgery’s personal information handling practices will be provided to any person requesting access to it.

6.               Access & Correction

Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.

Under normal circumstances Wamberal Surgery will provide a patient with access to their personal information within 30 days of receiving a request for access.

6.1.           All requests are asked to be provided in writing through use of the Patient Request for Access to Personal Information form supplied.  Identification is also requested to ensure that a false application is not lodged.

6.2.           There will be no fee associated with lodging a request for access, however, an administration fee may be charged as set out in the Request for Access application.

6.3.           Patients will be provided with an opportunity to discuss their personal information with an appropriate member of staff when access is sought, however a fee for the doctor’s time may be charged.

6.4.           Provision of access to a patient’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters, etc.

6.5.           If a patient believes that information held by Wamberal Surgery is inaccurate or incomplete, Wamberal Surgery will take steps to amend or correct the information.

6.6.           Wamberal Surgery may refuse access if it reasonably believes that:

6.6.1.       A person’s health, safety or wellbeing may be compromised by releasing the information; or

6.6.2.       Providing access would be unlawful or would prejudice a legal investigation.

6.6.3.       Providing access would affect the privacy of others.

6.6.4.       The request for access is frivolous and/or vexatious.

6.6.5.       The information held in the patient’s medical record would be used against the doctor in a medico-legal matter.

6.7.           Under circumstances other than those described in 6.6 where information is withheld, Wamberal Surgery will ensure that its practices are consistent with the provisions of NPP 6.

6.8.           If information is withheld under NPP 6.4, Wamberal Surgery will provide an explanation to the patient as to the reasons why this was the case.

7.               Identifiers

Generally speaking an organisation must not adopt, use or disclose, an identifier that has been assigned by a Commonwealth government ‘agency’.

Except where circumstances allow (NPP 7.2), Wamberal Surgery will not use Medicare or Veterans Affairs numbers or other identifiers assigned by a Commonwealth or State/Territory agency to identify personal information.

8.               Anonymity

Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.

Where it is lawful and practicable to do so, Wamberal Surgery will allow patients to provide information anonymously.

8.1.           A patient who chooses to access the services of Wamberal Surgery anonymously will be advised of any potential consequences resulting from their decision.  For example where the lack of a contact name or address may jeopardise care in an emergency situation.

8.2.           We will not automatically preclude a patient from participating in the activities of Wamberal Surgery because they request anonymity.

9.               Transborder Data Flows

An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.

9.1.           Wamberal Surgery will only transfer personal information about a patient to someone who is in a foreign country if:

  • the patient consents to the transfer; or
  • the recipient is bound by legislation that is substantially similar to the NPPs; or
  • Wamberal Surgery is reasonably sure that the information will not be held, used or disclosed inconsistently with the NPPs.

10.             Sensitive Information

An organisation must not collect sensitive information unless the individual has consented, it is required by law – or in other special specified circumstances, for example, relating to health services provision and individual or public health or safety.

10.1.        Wamberal Surgery will only collect sensitive information# other than health information about a patient if:

  • the patient consents; or
  • the collection is required by law; or
  • such collection is consistent with the provisions of NPP 10

Definitions from the Privacy Act (1988)

(Guidelines on Privacy in the Private Health Sector, Office of the Privacy Commissioner)

#  Health information means:

  • information or an opinion about:
    • the health or a disability (at any time) of an individual; or
    • an individual’s expressed wishes about the future provision of health services to him or her; or
    • a health service provided, or to be provided, to an individual; that is also personal information; or
  • other personal information collected to provide, or in providing, a health service; or
  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

Health service means:

  • an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
    • to assess, record, maintain or improve the individual’s health; or
    • to diagnose the individual’s illness or disability; or
    • to treat the individual’s illness or disability or suspected illness or disability; or
  • the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

The term health service provider as used in these Guidelines means a provider of a health service. The term ‘health service provider’ is not separately defined in the Privacy Act.

Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information means:

  • information or an opinion about an individual’s:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual preferences or practices; or
    • criminal record;

    that is also personal information; or

  •     health information about an individual.

##    The Privacy Act defines a ‘responsible person’ as:

  • a parent;
  • a child or sibling at least 18 years of age;
  • a spouse or de facto spouse;
  • a relative at least 18 years of age and a member of the individuals household;
  • a guardian or a person exercising enduring power of attorney that can be exercised in relation to the individuals health;
  • a person who has an intimate personal relationship with the individual; or
  • a person nominated by the individual to be contacted in an emergency.