a. DOCUMENT REQUIREMENTS
This document is based on the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
b. THE POLICY AND PURPOSE
i. Privacy and Policy Statement
- HealthStrong Pty Ltd (HealthStrong) is bound by the Australian Privacy Principles (APPs) and the conditions protecting your personal information as set out in the Privacy Act 1988, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
- HealthStrong will only collect personal information for a lawful purpose which directly relates to our primary function and for obtaining feedback about the effectiveness of our services. HealthStrong will not collect any more information than is necessary for it to fulfil these functions.
- HealthStrong will only collect personal information about an individual if it is reasonable to do so. HealthStrong will not disclose your personal information to anyone without your consent unless legally required to do so.
- Anyone engaged to collect, store or use personal information for HealthStrong will be required, as part of their engagement, to comply with the Privacy Act 1988 (No. 119, 1988, as amended; compilation start date 12 March 2014) and the Australian Privacy Principles under that Act. This policy applies to all staff, including contracted and/or agency staff.
ii. Purpose of this policy
The purpose of this policy and procedure is to:
- Ensure personal information is managed in an open and transparent way;
- protect the privacy of personal information including information of clients, residents and staff;
- provide for the fair collection and handling of personal information;
- ensure that personal information we collect is used and disclosed for relevant purposes only;
- regulate the access to and correction of personal information; and
- ensure the confidentiality of personal information through appropriate storage and security.
c. DEFINITIONS
i. The following definitions apply:
- Personal Information is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
- Sensitive Information includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record, as well as biometric information, biometric templates, health information about an individual and genetic information.
- Unsolicited Information is all personal information received from an individual that we did not actively seek to collect.
- An Employee Record is a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are Health Information about the employee and personal information about all or any of the following:
a. the engagement, training, disciplining or resignation of the employee;
b. the termination of the employment of the employee;
c. the terms and conditions of employment of the employee;
d. the employee’s personal and emergency contact details;
e. the employee’s performance or conduct;
f. the employee’s hours of employment;
g. the employee’s salary or wages;
h. the employee’s membership of a professional or trade association;
i. the employee’s trade union membership;
j. the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and
k. the employee’s taxation, banking or superannuation affairs.
d. THE PROCEDURE
i. Collection of personal information
Where HealthStrong collects personal information it is collected for business purposes, which are detailed in the contract between the client and HealthStrong.
ii. Purpose of collection of Personal Information
- We will only collect Personal Information about an individual by fair and lawful means and only if the information is necessary for one or more of our functions as an aged care service provider and collection of the Personal Information is necessary to:
a. comply with the provisions of state or commonwealth law;
b. provide appropriate services and care; or
c. lawfully liaise with a nominated representative and to contact family if requested or needed.
- We will not collect your Sensitive Information (including Health Information) unless the collection of the information is reasonably necessary for, or directly related to, one or more of our functions and:
a. you have consented to the collection of this information; or
b. the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or
c. a permitted general situation exists in relation to the collection of the information; or
d. a permitted health situation exists in relation to the collection of the information.
iii. Methods of Collection
- Personal Information and Sensitive Information (including Health Information) may be collected:
a. from a client or resident;
b. from any person or organisation that assesses health status or care requirements; or
c. from the health practitioner of a client or resident.
- We will collect Personal Information from the client or resident unless:
a. we have the consent of the client or resident to collect the information from someone else; or
b. we are required or authorised by law to collect the information from someone else; or
c. it is unreasonable or impractical to do so.
iv. Unsolicited Information
- If we receive Personal Information from an individual that we have not solicited and we could not lawfully have collected that information ourselves, we will destroy or de-identify the information as soon as practicable and in accordance with the law.
v. Notification of collection
- At or before the time we collect Personal Information from an individual or facility, or as soon as practicable afterwards, we will take all reasonable steps to ensure that the individual is notified or made aware of:
a. our identity and contact details;
b. the purpose for which we are collecting Personal Information;
c. the identity of other entities or persons to whom we usually disclose Personal Information to;
vi. Use and disclosure of information
- Permitted disclosure: HealthStrong will not use or disclose Personal Information for a purpose other than the primary purpose of collection, unless:
a. the secondary purpose is related to the primary purpose (and if Sensitive Information directly related) and the individual would reasonably expect disclosure of the information for the secondary purpose;
b. the individual has consented;
c. the information is Health Information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; it is impracticable to obtain consent; the use or disclosure is carried out in accordance with the privacy principles and guidelines; and we reasonably believe that the recipient will not further disclose the Health Information;
d. we believe on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety;
e. we have reason to suspect unlawful activity and use or disclose the Personal Information as part of our investigation of the matter or in reporting our concerns to relevant persons or authorities;
f. we reasonably believe that the use or disclosure is reasonably necessary to allow an enforcement body to enforce laws, protect the public revenue, prevent seriously improper conduct or prepare or conduct legal proceedings; or
g. the use or disclosure is otherwise required or authorised by law.
vii. Cross border disclosure
- HealthStrong does not ordinarily disclose an individual’s Personal Information to an overseas recipient. Before any such disclosure, we will take all steps that are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles, unless:
a. the overseas recipient is subject to laws substantially similar to the Australian Privacy Principles and the individual has mechanisms to take action against the overseas recipient;
b. we reasonably believe the disclosure is required or authorised by Australian law; or
c. the individual has provided express consent to the disclosure.
viii. Disclosure of Health Information
- HealthStrong may disclose Health Information about an individual to a person who is responsible for the individual if:
a. the individual is incapable of giving consent or communicating consent;
b. the service manager is satisfied that the disclosure is necessary to provide appropriate care or treatment, is made for compassionate reasons, or is necessary for the purposes of undertaking a quality review of our services (and the disclosure is limited to the extent reasonable and necessary for this purpose); and
c. the disclosure is not contrary to any wish previously expressed by the individual of which the service manager is aware, or could reasonably be expected to be aware, and the disclosure is limited to the extent reasonable and necessary for providing care or treatment.
- A person responsible is a parent, a child or sibling, a spouse, a relative, a member of the individual’s household, a guardian, an enduring power of attorney, a person who has an intimate personal relationship with the individual, or a person nominated by the individual to be contacted in case of emergency, provided they are at least 18 years of age.
ix. Storage of Personal Information
- HealthStrong takes all reasonable steps to protect the security of any personal and company information held, be it stored in electronic or hard copy format.
- HealthStrong and its employees will not unlawfully remove, copy or distribute any personal or company information of the client. All correspondence and documents will be stored on site as requested by the client and in accordance with the client’s contract with HealthStrong. All information gathered will only be used by HealthStrong to administer services and for billing purposes, and will otherwise be held at HealthStrong’s head office in line with the Australian Privacy Principles as set out in this document.
- Except in the circumstances set out in the Act, you may request access to your personal information held by HealthStrong. Access can be arranged by contacting:
Human Resource Manager
Phone: +612 9007 7300
Fax: +612 9007 7301
x. Requesting access
- Requests for access to information can be made orally or in writing and addressed to the Human Resource Manager. We will respond to each request within a reasonable time.
xi. Declining access
- An individual’s identity must be verified before access to the requested information is allowed. If we are not satisfied as to the individual’s identity, or access is requested by an unauthorised party, we may decline access to the information.
- We can also decline access to information if:
a. there is a serious threat to life or health of any individual;
b. the privacy of others may be affected;
c. the request is frivolous or vexatious;
d. the information relates to existing or anticipated legal proceedings; or
e. the access would be unlawful.
- We will provide in writing the reasons for declining access to the requested information.
xii. Email addresses
- Email addresses are recorded when an email message is sent to HealthStrong or when a contract is signed.
- These email addresses are stored electronically in accordance with standards and authorities under the New South Wales State Records Act 1998. An email address is only used for the purpose for which it is provided and is not added to any unauthorised mailing list or disclosed to other organisations unless you request this.
xiii. Information received via feedback
- HealthStrong may provide feedback facilities on its websites to allow clients to comment on the provision of services. The provision of personal details with feedback is optional.
- Clients may provide personal details for the purpose of receiving a reply to their feedback. This information will only be used for the purpose for which it was provided. We will not add your email address or name to any mailing list.
xiv. Personal Information Security
- We are committed to keeping secure the Personal Information you provide to us. We will take all reasonable steps to ensure the Personal Information we hold is protected from misuse, interference, loss, from unauthorised access, modification or disclosure.
xv. Information of a Client or Resident
- We must keep the records of a client or resident in a secure storage area.
- If the records are being carried while providing care only the staff member carrying the records will have access to them.
- Records of previous clients and residents, and earlier unused volumes of current clients’ or residents’ records, shall be archived and stored in a locked area away from general use.
- Only health professionals attending to the care of a client or resident are to have access to information of the client or resident. All records shall only be used for the purpose it was intended.
- A client or resident, or their representatives shall be provided access to records as requested and after consultation with the service manager. At these times, a qualified staff member is to remain with a client or resident or representative to facilitate the answering of any questions raised.
- Details of a client or resident are not to be provided over the phone unless the staff member has verified the identity of the person making the enquiry. If in doubt, consult the service manager.
- No staff shall make any statement about the condition or treatment of a client or resident to any person not involved in the care except to the immediate family or representative of the client or resident and then only after consultation with the service manager.
- All staff must be discreet in their comments at all times, protecting and respecting the privacy, dignity and confidentiality of all clients and residents.
- Handovers shall be conducted in a private and confidential manner.
xvi. Security measures
- Our security measures include, but are not limited to:
a. training our staff on their obligations with respect to your Personal Information;
b. use of passwords when accessing our data storage system; and
c. the use of firewalls and virus scanning tools to protect against unauthorised interference and access.
- All staff (including contracted staff) are required to have up-to-date virus protection software and firewalls installed on any device used to access documents containing Personal Information.
- Contractors working on our behalf are required to:
a. comply with the Australian Privacy Principles;
b. have up-to-date virus protection software and firewalls installed on any device used to access documents containing Personal Information;
c. notify us of any actual or potential breaches of security;
d. indemnify us in relation to any loss suffered as a result of a breach.
- We will, as soon as practicable and in accordance with the law, destroy or de-identify any Personal Information that is no longer required for our functions.