PURPOSE

This Policy outlines how Nillumbik Community Health Service Ltd trading as healthAbility collects, holds, manages, uses, discloses or transfers Personal and Health Information and how individuals (including healthAbility employees) may access and correct Personal and Health Information held by healthAbility.

SCOPE

This policy applies to the entire organisation.

FUNCTIONS AND ACTIVITIES OF healthAbility

healthAbility collects and handles Personal Information and Health Information in the exercise of its functions and activities in accordance with the Privacy and Data Protection Act 2014 (Vic.) and the Health Records Act 2001 (Vic.). The following list broadly describes the functions and activities for which healthAbility collects, holds, uses and discloses Personal and Health Information:

1. Providing services to the public including health and community services.

2. Dealing with enquiries, feedback and complaints from the general public.

3. Managing healthAbility’s human resources and facilities, including employment and payroll related activities; and

4. Other administrative or incidental activities including procuring goods and services and complying with reporting requirements.

Collection of Personal and Health Information

healthAbility collects Personal and Health Information for the purpose of performing the functions and activities described above.

The types of Personal Information healthAbility routinely collects may include: name, date of birth, phone number, address, email address, gender, title, employment history, educational and professional qualifications, financial history, tax file number, salary and wage information, credit card and bank account information.

The types of Health Information healthAbility routinely collects may include: information such as symptoms or diagnosis and the treatment given, medical reports, specialist reports, test results, pharmaceutical prescriptions, certificates of capacity and clinical notes. The type of information healthAbility collects will depend on the individual’s interaction with healthAbility and the information that may be necessary to assist persons with their health or community needs.

Collection of Personal and Health Information directly from an Individual

healthAbility collects Personal and Health Information directly from the individual to whom the information relates. For example, when the individual:

1. Completes a registration form or medical history or attends to obtain services.

2. Provides feedback or makes an enquiry or information request to healthAbility.

3. Applies for a job with healthAbility.

Collection of Personal and Health Information from Third Parties

healthAbility also collects Personal and Health Information about an individual from other persons and sources including where:

1. This is required or authorised by or under an Australian law;

2. The individual has consented to the collection from someone other than the individual;

3. This is required or authorised by an Australian court or tribunal; or

4. It is not possible or is impractical to collect the information from the individual concerned.

healthAbility may collect documents or information about a person from, for example, other health providers or employers. In managing healthAbility human resources, healthAbility may also collect Personal and Health Information about healthAbility’s employees from third parties such as recruitment agencies and other healthAbility employees.

Collection of Sensitive Information

healthAbility’s functions and activities may also require healthAbility to collect Sensitive Information about an individual. healthAbility only collects Sensitive Information about an individual when:

1. The collection is required or authorised by or under an Australian law;

2. The individual consents (including impliedly) to the collection and the information is reasonably necessary for, or directly related to, one or more of healthAbility’s functions or activities;

3. The collection is required or authorised by or under an Australian court or tribunal order; or

4. The collection is necessary to prevent or lessen a serious threat to life, health or safety and the individual is incapable of giving consent to the collection.

Use and disclosure of Personal and Health Information

healthAbility uses and discloses Personal and Health Information to carry out its functions and activities.

Generally, this means that healthAbility will not use or disclose information except for the primary purpose for which the information was collected. However, in some cases healthAbility may use or disclose information for a related secondary purpose, if the individual the information is about can reasonably expect healthAbility to do so or if the individual consents.

Generally, healthAbility uses and discloses Personal and Health Information for the following primary purposes:

1. To provide its services, including health and community services; or

2. For human resources purposes, including employment and payroll activities.

healthAbility may also use and disclose Personal and Health information for secondary purposes related to its processes. For example, to improve its processes in the future.

In some cases, healthAbility may disclose an individual’s Personal and Health Information to third parties, including:

1. A medical practitioner or a health services provider;

2. A legal practitioner or a representative;

3. A parent in the case of a child;

4. A family member (if nominated by that person to assist them with the services);

5. Courts or tribunals or police where they are authorised to obtain it; and

6. Other persons authorised by that individual or by law to receive it.

healthAbility will only disclose information to third parties to the extent it is necessary to carry out its functions. healthAbility will only disclose information to external service providers when they will also take reasonable steps to protect personal information.

Access to and Correction of Personal and Health Information

healthAbility will make any information it holds about an individual reasonably accessible to the individual and will provide the information to the individual on reasonable request. In some circumstances, healthAbility may ask that the request be made in writing to assist healthAbility in identifying the relevant information or documents. For example, if you are making a request to access your medical file, healthAbility may request that you put your request in writing to enable healthAbility to identify you. healthAbility will endeavour to maintain accurate records. healthAbility will use best endeavours to correct the information promptly when an error is identified (either internally or by an external party).

Following receipt of a request for access or correction, healthAbility will take steps to verify the identity of the individual before considering the request. Where appropriate, you may be asked to provide your name and address so that your identity can be verified. healthAbility will not release or provide access to information to a third party, unless:

1. It has been authorised to do so by the individual to whom the information relates;

2. It is permitted or required to do so by law; or

3. It is appropriate or required in the performance of a function of healthAbility.

Requests for access to and/or correction of documents containing personal information held by healthAbility should be addressed in writing to:

The Privacy Officer

Post: 43 Carrington Rd, Box Hill VIC 3128

Email: Feedback@healthability.org.au

Unique Identifiers

healthAbility may assign a unique identifier to a person if healthAbility believes it is necessary to enable healthAbility to carry out its functions efficiently. healthAbility will not use or disclose an identifier healthAbility assigns to a person unless it is necessary for healthAbility to fulfil its functions or its obligations to another organisation or where the disclosure is otherwise required or authorised by law.

Data Storage and Security

healthAbility has privacy and security measures in place to avoid misuse, loss, unauthorised access, modification or disclosure of Personal or Health Information. healthAbility employees are bound by the applicable confidentiality clauses in the ‘Code of Conduct’ and relevant employment contracts.

Where appropriate, healthAbility will destroy or permanently de-identify Personal Information or Health Information if it is no longer required.

Anonymity

The nature of most of healthAbility’s functions and activities is such that individuals must provide their name and contact information.

However, wherever it is possible and lawful to do so, individuals can interact anonymously with healthAbility.

Transfer of Information outside Victoria

Generally, healthAbility will not transfer any Personal or Health Information outside of Victoria. In the rare case that this may be necessary, healthAbility will only send Personal or Health Information to a jurisdiction outside of Victoria if the recipient of the information is bound by a scheme that is substantially similar to the provisions in the Privacy and Data Protection Act 2014 (Vic.) and the Health Records Act 2001 (Vic.) or healthAbility has obtained your consent. In some cases, this consent may be implied. All transfers of information outside Victoria will be made in accordance with the provisions in the Privacy and Data Protection Act 2014 (Vic.).

Complaints

Any concerns or complaints regarding privacy should be made in writing to healthAbility using the contact details below:

Post: 43 Carrington Rd, Box Hill VIC 3128

Email: Feedback@healthability.org.au

If you are not satisfied with healthAbility’s response to your privacy complaint, you can make a complaint to the Office of the Victorian Information Commissioner (OVIC). Details of how to make an OVIC complaint can be found on their website.

If you wish to make a complaint against healthAbility for a breach of privacy in relation to health information, you should contact the Office of the Health Complaints Commissioner.

Privacy Breaches

The Privacy Officer will investigate any reported privacy breaches and (where relevant) consider the following:

  • Containing the breach and undertaking a preliminary assessment
  • Evaluating the risks associated with the breach
  • Notifying the affected parties (if appropriate)
  • Preventing future breaches

Where applicable, for example if there is a foreseeable risk of harm to individuals affected by a privacy breach, healthAbility may report the privacy breach to the Office of the Australian Information Commissioner or OVIC.

RESPONSIBILITIES


Board

  • Endorse Privacy and Confidentiality Policy.
  • Be familiar with the organisation’s legislative requirements regarding privacy and the collection, storage and use of personal information.
  • Comply with Privacy and Confidentiality Policy and associated procedures.

CEO and Executive Leadership Team

  • Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
  • Ensure systems are in place across the organisation to adequately protect the privacy of personal information and confidentiality of other sensitive information.
  • Act in accordance with organisational systems in place to protect privacy and confidentiality.
  • Comply with Privacy and Confidentiality Policy and associated procedures.

Staff

  • Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
  • Act in accordance with organisational systems in place to protect privacy and confidentiality.
  • Comply with Privacy and Confidentiality Policy and associated procedures.

DEFINITIONS

  • CEO - Chief Executive Officer
  • Health Information is defined in the Health Records Act 2001 (Vic.) and means information or an opinion about—the physical, mental or psychological health (at any time) of an individual; or a disability (at any time) of an individual; or an individual's expressed wishes about the future provision of health services to him or her; or a health service provided, or to be provided, to an individual— that is also personal information; or other personal information collected to provide, or in providing, a health service; or other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.
  • Personal Information is defined in the Privacy and Data Protection Act 2014 (Vic.) and means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  • Sensitive Information is defined in the Privacy and Data Protection Act 2014 (Vic.) and is a subset of personal information and includes information about a person’s racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences or practices and criminal record.
  • Unless otherwise stated, all references in this Policy to ‘Personal Information’ include ‘Health Information’ and ‘Sensitive Information’.