Protecting the Privacy of your Personal Information
For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information)#; therefore, all information will be referred to as “personal information” throughout this Policy.
Any complaints in relation to the Gordon Medical Centre’s handling of personal information should be directed to the Privacy Officer.
Unless a complaint can be dealt with immediately to the satisfaction of both parties, the Gordon Medical Centre will provide a written response to the complainant within 30 days of it being received.
If an individual believes their complaint has not been appropriately handled by this Practice, they should contact the Office of the Federal Privacy Commissioner, Privacy Hotline 1300 363 992 (local call charge) or via www.privacy.gov.au.
Any enquiries regarding this Policy should, in the first instance, be directed to the Gordon Medical Centre Privacy Officer:
The Practice Manager
Tel: M 0413 770807 W 02 9499 9999
The Gordon Medical Centre will provide a copy of this Policy to all members of staff and will train staff in the appropriate handling of personal information by this Practice.
This policy is a public document and access to it will be granted on request.
Collection of personal information must be fair, lawful and not intrusive. A person must be told the organisation’s name, the purpose of collection, that the person can get access to their personal information and what happens if the person does not give the information.
The Gordon Medical Centre will only collect personal information necessary to provide our patients with a quality health service.
1.1. Personal information about a patient will only be collected by lawful and fair means and directly from the patient wherever possible.
1.2. If information is collected about a patient from another party, the Gordon Medical Centre will, whenever possible, advise the patient of this.
1.3. Wherever practical the Gordon Medical Centre will only collect information directly from the patient. This may not be possible if the patient is unconscious or otherwise incapable of providing that information.
1.4. We will ensure that each patient providing personal information is informed about and understands the purpose of collecting the information. They will also be advised as to whom or under what circumstances their personal information may be disclosed to another party and how they can access the information held about them by the Gordon Medical Centre. This will be carried out via notices and/or brochures and/or verbally.
1.5. We will ensure that patients who are asked to provide personal information understand the consequences, if any, of providing incomplete or inaccurate information.
2. Use & Disclosure
An organisation should only use or disclose information for the purpose it was collected unless the person has consented, or the secondary purpose is related to the primary purpose and a person would reasonably expect such use or disclosure, or the use is for direct marketing in specified circumstances, or in circumstances related to public interest such as law enforcement and public or individual health and safety.
The Gordon Medical Centre will ensure that personal information will only be used for the purpose it was collected, or that would reasonably be expected by the patient providing the information.
2.1. If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, we will obtain informed consent from the patient.
2.1.1. Individuals will be given the opportunity to refuse such use or disclosure.
2.1.2. If a patient is physically or legally incapable of providing consent, a responsible person## (as described under the Act) may do so.
2.2. We will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the patient’s or the public’s health and safety.
2.2.1. We will keep records of any such use and disclosure.
2.2.2. Information may be disclosed to a responsible person (as described under the Act).
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
The Gordon Medical Centre will take reasonable steps to ensure that personal information kept, used or disclosed by this Practice is accurate, complete, and as up to date as practicable.
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.1. All personal information held by the Gordon Medical Centre will be:
if in paper form, received and stored in a secure, lockable location;
if in electronic form, protected from theft, loss or corruption;
accessible by staff only on a “need to know” basis;
protected from viewing or access by unauthorised persons; and
not taken from the Gordon Medical Centre offices unless authorised and for a specified purpose.
4.2. We will destroy or permanently de-identify personal information that is no longer required by the Gordon Medical Centre.
4.3. We will ensure that all personal information transmitted electronically will be appropriately encrypted before transmission.
An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.
Gordon Medical Centre is committed to advising patients about its information handling practices.
5.2. A Privacy Statement describing our approach to privacy will be on public display.
5.3. Brochures detailing the Gordon Medical Centre’s personal information handling practices will be provided to any person requesting access to them.
6. Access & Correction
Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.
Under normal circumstances the Gordon Medical Centre will provide a patient with access to their personal information within 30 days of receiving a request for access.
6.1. All requests are asked to be provided in writing through use of the Patient Request for Access to Personal Information form supplied. Identification is also requested to ensure that a false application is not lodged.
6.2. There will be no fee associated with lodging a request for access, however, an administration fee may be charged as set out in the Request for Access application.
6.3. Patients will be provided with an opportunity to discuss their personal information with an appropriate member of staff when access is sought, however a fee for the doctor’s time may be charged.
6.4. Provision of access to a patient’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters, etc.
6.5. If a patient believes that information held by the Gordon Medical Centre is inaccurate or incomplete, the Gordon Medical Centre will take steps to amend or correct the information.
6.6. The Gordon Medical Centre may refuse access if it reasonably believes that:
6.6.1. A person’s health, safety or wellbeing may be compromised by releasing the information; or
6.6.2. Providing access would be unlawful or would prejudice a legal investigation.
6.6.3. Providing access would affect the privacy of others.
6.6.4. The request for access is frivolous and/or vexatious.
6.6.5. The information held in the patient’s medical record would be used against the doctor in a medico-legal matter.
6.7. Under circumstances other than those described in 6.6 where information is withheld, the Gordon Medical Centre will ensure that its practices are consistent with the provisions of NPP 6.
6.8. If information is withheld under NPP 6.4, the Gordon Medical Centre will provide an explanation to the patient as to the reasons why this was the case.
Generally speaking, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government ‘agency’.
Except where circumstances allow (NPP 7.2), the Gordon Medical Centre will not use Medicare or Veterans Affairs numbers or other identifiers assigned by a Commonwealth or State/Territory agency to identify personal information.
Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.
Where it is lawful and practicable to do so, the Gordon Medical Centre will allow patients to provide information anonymously.
8.1. A patient who chooses to access the services of the Gordon Medical Centre anonymously will be advised of any potential consequences resulting from their decision, for example where the lack of a contact name or address may jeopardise care in an emergency situation.
8.2. We will not automatically preclude a patient from participating in the activities of the Gordon Medical Centre because they request anonymity.
9. Transborder Data Flows
An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.
9.1. Gordon Medical Centre will only transfer personal information about a patient to someone who is in a foreign country if:
the patient consents to the transfer; or
the recipient is bound by legislation that is substantially similar to the NPPs; or
Gordon Medical Centre is reasonably sure that the information will not be held, used or disclosed inconsistently with the NPPs.
An organisation must not collect sensitive information unless the individual has consented, it is required by law – or in other special specified circumstances, for example, relating to health services provision and individual or public health or safety.
10.1. Gordon Medical Centre will only collect sensitive information# other than health information about a patient if:
the patient consents; or
the collection is required by law; or
such collection is consistent with the provisions of NPP 10
Definitions from the Privacy Act (1988)
(Guidelines on Privacy in the Private Health Sector, Office of the Privacy Commissioner)
# Health information means:
information or an opinion about:
the health or a disability (at any time) of an individual; or
an individual’s expressed wishes about the future provision of health services to him or her; or
a health service provided, or to be provided, to an individual; that is also personal information; or
other personal information collected to provide, or in providing, a health service; or
other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.
Health service means:
an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
to assess, record, maintain or improve the individual’s health; or
to diagnose the individual’s illness or disability; or
to treat the individual’s illness or disability or suspected illness or disability; or
the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
The term health service provider as used in these Guidelines means a provider of a health service. The term ‘health service provider’ is not separately defined in the Privacy Act.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Sensitive information means:
information or an opinion about an individual’s:
racial or ethnic origin; or
political opinions; or
membership of a political association; or
religious beliefs or affiliations; or
philosophical beliefs; or
membership of a professional or trade association; or
membership of a trade union; or
sexual preferences or practices; or
that is also personal information; or
health information about an individual.
## The Privacy Act defines a ‘responsible person’ as:
a child or sibling at least 18 years of age;
a spouse or de facto spouse;
a relative at least 18 years of age and a member of the individual’s household;
a guardian or a person exercising enduring power of attorney that can be exercised in relation to the individual’s health;
a person who has an intimate personal relationship with the individual; or
a person nominated by the individual to be contacted in an emergency.
Produced by Brisbane North Division of General Practice
Based on material published by Australian Divisions of General Practice