The practice should aim to ensure that health and other sensitive personal information collected during the course of a patient's relationship with the practice and its staff remains secure and is used and disclosed only for a primary or secondary purpose for which it was collected, save for any legally permissible exemptions (see below).
All employees and contractors should sign a confidentiality agreement with the practice to ensure they are aware of their obligations around confidentiality and to provide the practice with protection should a breach occur.
A social media policy should be in place to protect staff privacy and to address potential employment issues.
The Australian Privacy Principles should be included in the induction program for all practitioners and staff in the practice.
You should implement practices, procedures and systems that reflect the five parts associated with the 13 APPs as outlined above.
This process should be in accordance with the Australian Privacy Principles and any applicable State and Territory privacy legislation. Outlined below is a summary of the 13 APPs and how they may affect your medical practice. You should familiarise yourself with the complete requirements and obligations that you may have to your patients.
1 - The practice is required to manage personal information in an open and transparent way and to have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity. The APP privacy policy must contain the following information:
- the kinds of personal information that the entity collects and holds
- how the entity collects and holds personal information
- the purposes for which the entity collects, holds, uses and discloses personal information
- how an individual may access personal information about the individual that is held by the entity and seek the correction of such information
- how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint
- whether the entity is likely to disclose personal information to overseas recipients
- if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.
2 - Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with the practice in relation to a particular matter. This does not apply if:
- it is impracticable for the practice to deal with individuals who have not identified themselves or who have used a pseudonym.
3 - The practice must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity's functions or activities and the individual consents to the collection of the information.
4 - If the practice receives personal information that it did not solicit, the practice must, within a reasonable period after receiving the information and within the scope of the APP requirements, destroy the information or ensure that the information is de-identified.
5 - At or before the time or, if that is not practicable, as soon as practicable after, the practice collects personal information about an individual, the practice must take such steps (if any) as are reasonable in the circumstances:
- to notify the individual of such matters as are reasonable in the circumstances; or
- to otherwise ensure that the individual is aware of any such matters.
Such matters include:
- why information is collected
- how information may be accessed
- if information is to be disclosed
- how the patient can complain about possible breaches.
6 - If the practice holds personal information about an individual that was collected for a particular purpose (the primary purpose), the practice must not use or disclose the information for another purpose (the secondary purpose) unless:
- the individual has consented to the use or disclosure of the information
- the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
  - if the information is sensitive information, directly related to the primary purpose
  - if the information is not sensitive information, related to the primary purpose.
7 - If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
8 - Before the practice discloses personal information about an individual to an overseas recipient:
- who is not in Australia or an external Territory; and
- who is not the entity or the individual,
the practice must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
This requires the practice to be aware of items such as:
- where any off-site data back-up is maintained
- whether SMS reminders are sent from, or routed by, any services outside Australia.
If you are going to continue to use such services, you should ensure that you obtain a legal document that includes total indemnity for the practice to cover any breaches caused by or due to the service providers.
9 - An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:
- the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.
An organisation must not use or disclose a government related identifier of an individual unless:
- the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation's activities or functions
- the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order.
10 - The practice must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information the practice collects is accurate, up to date and complete.
11 - If the practice holds personal information, the practice must take such steps as are reasonable in the circumstances to protect the information:
- from misuse, interference and loss
- from unauthorised access, modification or disclosure.
If the practice holds personal information about an individual (including employees), and:
- the practice no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this schedule; and
- the information is not contained in a Commonwealth record; and
- the practice is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the practice must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
12 - If the practice holds personal information about an individual, the practice must, on request by the individual, give the individual access to the information. There are circumstances that would exempt a practice from providing access, and these include:
- the practice reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety
- giving access would have an unreasonable impact on the privacy of other individuals
- the request for access is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings between the practice and the individual, and would not be accessible by the process of discovery in those proceedings
- denying access is required or authorised by or under an Australian law or a court/tribunal order.
13 - If a practice holds personal information about an individual, and either:
- the practice is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out of date, incomplete, irrelevant or misleading; or
- the individual requests the entity to correct the information;
the practice must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up to date, complete, relevant and not misleading.
Where practices receive requests in relation to the above APPs, it is generally accepted that the practice will respond within 30 days of the request being received.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 was passed in Parliament on 29 November 2012. The Act came into effect on 12 March 2014. The reforms introduce a single set of privacy principles called the Australian Privacy Principles (APPs) and a number of changes to how personal information is handled, including when it can be used for direct marketing purposes and sent overseas.
For more information, please read:
As well as the obligations under the Privacy Act, there are practical elements that you can use in the practice to promote privacy and confidentiality:
- physical layout of reception to provide sound barriers and a reduced view of computer screens, with ambient background noise or walls to reduce the chance of conversations between staff and patients being overheard
- appropriate sound proofing between internal walls to maintain privacy in consultation/treatment rooms
- staff awareness of the volume and location of their conversations with patients, especially when on the telephone and using language that may identify the patient
- access to a private area to conduct sensitive conversations
- access to a quiet area for upset/grieving patients.
If you breach a patient's privacy you should contact Avant's Medico-Legal Advisory Service on 1800 128 268 or the AAPM – AHIG advisory service on (03) 9280 8061 for advice.
State and Territory privacy commissions/enforcement bodies
- Office of the Information Commissioner – Queensland (for public sector institutions)
- Office of the Information Commissioner – Western Australia (for public sector institutions)
- Office of the NSW Information and Privacy Commissioner
- Office of the Victorian Privacy Commissioner (for public sector institutions)
- Office of the Health Services Commission – Victoria
- Office of the Information Commissioner – Northern Territory (for public sector institutions)
- Tasmanian Ombudsman (for public sector institutions)
- ACT Human Rights Commission (which handles health record privacy complaints)
- SA Privacy Committee