Introduction

We are committed to protecting the privacy of patient information and to handling your personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles and relevant State and Territory privacy legislation (referred to as privacy legislation).

This Privacy Policy explains how we collect, use and disclose your personal information, how you may access that information and how you may seek the correction of any information. It also explains how you may
make a complaint about a breach of privacy legislation.

This Privacy Policy is current from 27 September 2020 and is reviewed annually. From time to time, we may make changes to our policy, processes and systems in relation to how we handle your personal information.
We will update this Privacy Policy to reflect any changes. Those changes will be available on our website and in the practice.

When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.

Collection

Types of information to be collected

We collect information that is necessary and relevant to provide you with medical care and treatment, and manage our medical practice. This information may include your name, address, date of birth, gender, health information, medicare number (where available) (for identification and claiming purposes), healthcare
identifiers, medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history, health risk factors, diagnostic investigations, credit card and direct debit details and your contact details. Please advise us if your details have changed so that our information is accurate and up to date.

Other individuals we may collect personal information from include emergency contacts of patients, as well as job applications or referees for job applicants. The extent of the personal information we collect from these individuals will depend on the circumstances in which the individual is engaging with ICO Health Group.

How the information is collected

You information is collected in writing where practicable or through implied consent. We may need to collect information about you from third parties such as another health service provider, your insurer, a guardian or other sources. We will only do this with your consent and if it is necessary to enable us to facilitate to provision of health care services to you.

We collect information in various ways, such as over the phone, in writing, in person at our Practices and/or over the internet. This information may be collected by medical and non-medical staff.

In emergency situations we may also need to collect information from your relatives or friends.

How the information is stored

Your information stored by us may be held physically as paper records, or as electronic records, x-rays, CT scans, videos and photos and/or audio recordings.

To protect the information from misuse, interference and loss, from unauthorised access and from modification or disclosure we ensure that our administrative and clinical staff with access to your personal health information have signed privacy and confidentiality agreements.

Your electronic medical record information is password protected and accessed by authorised personnel. Where practicable, any other forms of information we hold is converted digitally and held in the password protected electronic medical record.

This information is backed up regularly on-site after encryption and stored securely. A backup of this encrypted information is kept off-site safely and securely. We use appropriate access authentication methods, antivirus software and the necessary firewall applications to prevent unauthorised access, modification or disclosure of your information.

Use and Disclosure

Our Practices only use and does not disclose your personal information for the purpose for which it was collected by us (primary purpose), unless there is another purpose (secondary purpose) which is directly related to the primary purpose, and you are aware the information will be used for that secondary purpose.

Health information may be disclosed if the disclosure is permitted by an Act other than the Health Records Act 2001. The Health Privacy Principles of the Health Records Act 2001 states that disclosure of personal information occurs when personal information is made accessible or visible to others outside the entity and a release of the subsequent handling of the personal information from an entity’s effective control occurs. Furthermore, Health Privacy Principles permits the disclosure of information if it is ‘necessary’ to lessen or prevent a threat person’s life, health, safety or welfare.

Data breach

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced the requirement for a Notifiable Data Breach (NDB) scheme. This required an assessment when an entity covered by the Australian Privacy Act 1988 (Cth) to notify individuals of suspected loss, unauthorised access to, or unauthorised disclosure of personal information.

This response plan is intended to enable ICO Health Group to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the NDB scheme that commenced on 22 February 2018. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.

Our response to a data breach plan takes into consideration and includes the following key principles:

• When should a data breach be escalated to ICO Health Group’s data breach response team?

• Who within our organisation uses the discretion in deciding whether to escalate to the response team?

Some data breaches may be comparatively minor, and able to be dealt with easily without action from the data breach response team. For example, a staff member may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (only relates to internal emails), or if the staff member can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue to the response team.

The following four key steps are considered when responding to a breach or suspected breach:

•Containing the breach

•Assessing the risks associated with the breach

•Considering breach notification

•Reviewing the incident and take action to prevent future breaches

Accessing and amending your personal information

We will take reasonable steps to provide you access to an/or correct your information within 30 days of your request. In certain circumstances, we reserve the right to refuse to allow you to access your personal information, where authorised by law. If this happens, we will give you a written notice explaining the reasoning behind the refusal and advise you on how you may make a complaint.

Your personal information may be accessed by you, your authorised representative, your lawyer and your insurance provider with prior written request by you or with authority to release your personal information to these third parties by yourself.

Exceptions to disclose without your consent is where the information is:

•Required by law

•Necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent

•To assist in locating a missing person

•To establish, exercise or defend a legal or equitable claim