Privacy Policy of Gordon Doctors
Protecting the Privacy of your Personal Information
In compliance with the Australian Privacy Act 1988 and the Australian Privacy Amendment Act 2022, Gordon Doctors has prepared this Privacy Policy to describe the way and circumstances under which personal information is collected, stored, used and disclosed and also how complaints are handled by Gordon Doctors. The Policy is intended as a guide to staff and patients of this Practice and for the advice of the broader community.
For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information)#; therefore, all information will be referred to as “personal information” throughout this Policy.
Complaints Handling
We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have. We will then attempt to resolve them in accordance with the resolution procedure. Any complaints in relation to Gordon Doctors’ handling of personal information should be directed to the Privacy Officer.
Unless a complaint can be dealt with immediately to the satisfaction of both parties, the Gordon Doctors will provide a written response to the complainant within 30 days of it being received.
If an individual believes their complaint has not been appropriately handled by this Practice, they should contact the Office of the Federal Privacy Commissioner, Privacy Hotline 1300 363 992 (local call charge) or via www.privacy.gov.au.
Enquiries
Any enquiries regarding this Policy should, in the first instance, be directed to Gordon Doctors’ Privacy Officer:
The Practice Manager
Tel: 02 9499 9999 Email: info@gordondoctors.com
The Gordon Doctors will provide a copy of this Policy to all members of staff and will train staff in the appropriate handling of personal information by this Practice.
This policy is a public document and access to it will be granted on request.
1. Collection
Collection of personal information must be fair, lawful and not intrusive. A person must be told the organisation’s name, the purpose of collection, that the person can get access to their personal information and what happens if the person does not give the information.
When you register as a patient of this practice, you provide consent for the GPs and practice staff to access and use your personal information to facilitate the delivery of healthcare. The Gordon Doctors collects, uses, stores, and shares your personal information primarily to manage your health safely and effectively. This includes providing healthcare services, managing medical records, and ensuring accurate billing and payments. Additionally, we may utilise your information for internal quality and safety improvement processes such as practice audits, accreditation purposes, and staff training to maintain high-quality service standards.
1.1. Personal information about a patient will only be collected by lawful and fair means and directly from the patient wherever possible.
1.2. If information is collected about a patient from another party, the Gordon Doctors will, whenever possible, advise the patient of this.
1.3. Wherever practical the Gordon Doctors will only collect information directly from the patient. This may not be possible if the patient is unconscious or otherwise incapable of providing that information.
1.4. We will ensure that each patient providing personal information is informed about and understands the purpose of collecting the information. They will also be advised as to whom or under what circumstances their personal information may be disclosed to another party and how they can access the information held about them by the Gordon Doctors. This will be carried out via notices and/or brochures and/or verbally.
1.5. We will ensure that patients who are asked to provide personal information understand the consequences, if any, of providing incomplete or inaccurate information.
1.6. In some circumstances, personal information may also be collected from other sources, including:
- Your guardian or responsible person.
- Other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services, and pathology and diagnostic imaging services.
- Your health fund, Medicare, or the Department of Veterans’ Affairs (if relevant).
While providing medical services, further personal information may be collected via:
- electronic prescribing
- My Health Record
- online appointments.
2. Use & Disclosure
An organisation should only use or disclose information for the purpose it was collected unless the person has consented, or the secondary purpose is related to the primary purpose and a person would reasonably expect such use or disclosure, or the use is for direct marketing in specified circumstances, or in circumstances related to public interest such as law enforcement and public or individual health and safety.
The Gordon Doctors will ensure that personal information will only be used for the purpose it was collected, or that would reasonably be expected by the patient providing the information.
2.1. If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, we will obtain informed consent from the patient.
2.1.1. Individuals will be given the opportunity to refuse such use or disclosure.
2.1.2. If a patient is physically or legally incapable of providing consent, a responsible person## (as described under the Act) may do so.
2.2. We will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the patient’s or the public’s health and safety.
2.2.1. We will keep records of any such use and disclosure.
2.2.2. Information may be disclosed to a responsible person (as described under the Act).
2.3. We sometimes share your personal information:
- with third parties for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
- with other healthcare providers (e.g. in referral letters)
- when it is required or authorised by law (e.g. court subpoenas)
- when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
- to assist in locating a missing person
- to establish, exercise or defend an equitable claim
- for the purpose of a confidential dispute resolution process
- when it is a statutory requirement to share certain personal information (e.g. some diseases require mandatory notification)
- when it is for the provision of medical services, through electronic prescribing or My Health Record (e.g. via Shared Health Summary, Event Summary).
2.4. Only people who need to access your personal information will be able to do so. Other than providing medical services or as otherwise described in this policy, the practice will not share personal information with any third party without your consent.
2.5. We do not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
2.6. The practice may use your personal information to improve the quality of the services offered to patients through research, analysis of patient data for quality improvement and for training activities with the practice team.
We may provide de-identified data to other organisations to improve population health outcomes. The information is secure, patients cannot be identified, and the information is stored within Australia. You can let reception staff know if you do not want your information included.
2.7. The practice will not use your personal information for marketing any goods or services directly to you without your express consent. If you do consent, you may opt out of direct marketing at any time by notifying the practice in writing.
3. Data Quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
The Gordon Doctors will take reasonable steps to ensure that personal information kept, used or disclosed by this Practice is accurate, complete, and as up to date as practicable.
4. Data Security
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.1. All personal information held by the Gordon Doctors will be:
- if in paper form, received and stored in a secure, lockable location;
- if in electronic form, protected from theft, loss or corruption by complying with all principles of the Gordon Doctors Data Security Policy;
- accessible by staff only on a “need to know” basis;
- authorised staff are legally bound to abide by the Gordon Doctors Privacy Statement;
- protected from viewing or access by unauthorised persons; and
- not taken from the Gordon Doctors offices unless authorised and for a specified purpose.
4.2. We will destroy or permanently de-identify personal information that is no longer required by the Gordon Doctors.
4.3. We will ensure that all personal information transmitted electronically will be appropriately encrypted before transmission.
4.4. Partner organisations are carefully chosen for the purposes for which the data is collected. Those that will have access to personal information will satisfy stringent data security standards and this Privacy Policy, including NPP 9 (transborder data flow). Partner organisations will always seek consent from the owner of the data, or their responsible person, before collecting data.
4.5. Suitably protected transmission over encrypted public networks (e.g. email) will be done only if requested by, or with the consent of, the owner of the data or their responsible person.
5. Openness
An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.
Gordon Doctors is committed to advising patients about its information handling practices.
5.1. This Privacy Policy will be made available to any person requesting it.
5.2. A Privacy Statement describing our approach to privacy will be on public display.
5.3. Brochures detailing the Gordon Doctors personal information handling practices will be provided to any person requesting access to it.
6. Access & Correction
Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.
Under normal circumstances the Gordon Doctors will provide a patient with access to their personal information within 30 days of receiving a request for access.
6.1. All requests are asked to be provided in writing through use of the Patient Request for Access to or Copy of Medical Records form supplied. Identification is also requested to ensure that a false application is not lodged.
6.2. There will be no fee associated with lodging a request for access; however, an administration fee may be charged as set out in the Request for Access application.
6.3. Patients will be provided with an opportunity to discuss their personal information with an appropriate member of staff when access is sought; however, a fee for the doctor’s time may be charged.
6.4. Provision of access to a patient’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters, etc.
6.5. If a patient believes that information held by the Gordon Medical Centre is inaccurate or incomplete, the Gordon Doctors will take steps to amend or correct the information.
6.6. The Gordon Doctors may refuse access if it reasonably believes that:
6.6.1. A person’s health, safety or wellbeing may be compromised by releasing the information; or
6.6.2. Providing access would be unlawful or would prejudice a legal investigation.
6.6.3. Providing access would affect the privacy of others.
6.6.4. The request for access is frivolous and/or vexatious.
6.6.5. The information held in the patient’s medical record would be used against the doctor in a medico-legal matter.
6.7. Under circumstances other than those described in 6.6 where information is withheld, the Gordon Doctors will ensure that its practices are consistent with the provisions of NPP 6.
6.8. If information is withheld under NPP 6.4, the Gordon Doctors will provide an explanation to the patient as to the reasons why this was the case.
7. Identifiers
Generally speaking, an organisation must not adopt, use or disclose in its own systems an identifier that has been assigned by a Commonwealth government ‘agency’ (APP 9), to prevent data matching or use as a general identifier.
Except where circumstances allow (NPP 7.1-7.5), the Gordon Doctors will not use Medicare or Veterans’ Affairs numbers or other identifiers assigned by a Commonwealth or State/Territory agency to identify personal information.
7.1. Verifying Identity
7.2. Preventing serious threats
7.3. Legal Claims
7.4. Alternative Dispute Resolution
7.5. Privacy
8. Anonymity
Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.
Where it is lawful and practicable to do so, the Gordon Doctors will allow patients to provide information anonymously.
8.1. A patient who chooses to access the services of the Gordon Doctors anonymously will be advised of any potential consequences resulting from their decision, for example where the lack of a contact name or address may jeopardise care in an emergency situation.
8.2. We will not automatically preclude a patient from participating in the activities of the Gordon Doctors because they request anonymity.
9. Transborder Data Flows
An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.
9.1. Gordon Doctors will only transfer personal information about a patient to someone who is in a foreign country if:
- the patient consents to the transfer; or
- the recipient is bound by legislation that is substantially similar to the NPPs; or
- Gordon Doctors is reasonably sure that the information will not be held, used or disclosed inconsistently with the NPPs.
9.2. Gordon Doctors partners with organisations that are located in Australia and comply with the Australian Privacy Act.
10. Sensitive Information
An organisation must not collect sensitive information unless the individual has consented, it is required by law – or in other special specified circumstances, for example, relating to health services provision and individual or public health or safety.
10.1. Gordon Doctors will only collect sensitive information# other than health information about a patient if:
- the patient consents; or
- the collection is required by law; or
- such collection is consistent with the provisions of NPP 10.
Definitions from the Privacy Act (1988)
(Guidelines on Privacy in the Private Health Sector, Office of the Privacy Commissioner)
# Health information means:
- information or an opinion about:
  - the health or a disability (at any time) of an individual; or
  - an individual’s expressed wishes about the future provision of health services to him or her; or
  - a health service provided, or to be provided, to an individual; that is also personal information; or
- other personal information collected to provide, or in providing, a health service; or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.
Health service means:
- an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
  - to assess, record, maintain or improve the individual’s health; or
  - to diagnose the individual’s illness or disability; or
  - to treat the individual’s illness or disability or suspected illness or disability; or
- the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
The term health service provider as used in these Guidelines means a provider of a health service. The term ‘health service provider’ is not separately defined in the Privacy Act.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Sensitive information means:
1. information or an opinion about an individual’s:
  - racial or ethnic origin; or
  - political opinions; or
  - membership of a political association; or
  - religious beliefs or affiliations; or
  - philosophical beliefs; or
  - membership of a professional or trade association; or
  - membership of a trade union; or
  - sexual preferences or practices; or
  - criminal record;
  that is also personal information; or
2. health information about an individual.
## The Privacy Act defines a ‘responsible person’ as:
- a parent;
- a child or sibling at least 18 years of age;
- a spouse or de facto spouse;
- a relative at least 18 years of age and a member of the individual’s household;
- a guardian or a person exercising enduring power of attorney that can be exercised in relation to the individual’s health;
- a person who has an intimate personal relationship with the individual; or
- a person nominated by the individual to be contacted in an emergency.
Produced by Brisbane North Division of General Practice
Based on material published by Australian Divisions of General Practice