This policy refers to the collection and handling of personal and health information by Sunbury and Cobaw Community Health (SCCH) in a way that establishes a reasonable balance between an individual’s right to control the use of their personal information and SCCH’s need to ensure that it can collect and use information with confidence in order to perform its functions.
SCCH must comply with relevant privacy laws. The Privacy Act 1988 contains ‘Australian Privacy Principles’, the Privacy & Data Protection Act 2014 (Victoria) outlines ‘Information Privacy Principles’ and the Health Records Act 2001 sets out ‘Health Privacy Principles.’ The Privacy Principles across all three sets are broadly similar in content and have been amended to refer to the Health Privacy Principles where relevant. Therefore this policy refers to and is guided by the Australian Privacy Principles that, as required by law, protect the rights of individuals who access a SCCH service.
Purpose
To ensure that clients’ privacy and the right to confidentiality is respected, and maintained according to privacy laws.
Rationale
SCCH provides confidential services to all clients. The legislation above requires procedures in relation to the private and confidential collection, storage, usage and disclosure of personal information. All persons covered in the scope of this policy are required to comply with SCCH’s Code of Ethical Conduct, and all staff are required to read this policy prior to commencing employment with SCCH and to comply with this policy throughout their employment with SCCH.
Scope
The policy is binding on all SCCH staff, consultants, external contractors, volunteers and students who have access to personal information maintained by SCCH. The scope of this policy includes personal information of parties both internal and external to SCCH. Any personal information collected, regardless of whether it is from a service user, stakeholder or an employee of SCCH, is considered health information and will be handled according to this policy.
Australian Privacy Principles
The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988, outline how organisations must handle, use and manage personal information.
These principles outline the requirement for:
- the open and transparent management of personal information including having a privacy policy
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure at all times
- specific attention to the requirements that apply in any digital transmission process
- the right of individuals to access and correct their personal information.
Statement of Diversity
Sunbury and Cobaw Community Health is committed to improving the health of our community and being accessible to all, including people from culturally and linguistically diverse communities, those from Aboriginal and Torres Strait Islander background, people with a disability, lesbian, gay, bisexual, transgender, intersex and queer people, and other socially vulnerable groups, and supporting their communities across the lifespan from birth to older age.
Procedures
Collection Notice
When collecting personal or health information, SCCH will take reasonable steps to advise the person about what information is being sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.
Information Collected
Personal information is information or an opinion that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion, but not including health information. Health information is information that can be linked to an identifiable individual, including deceased individuals, which concerns that individual’s physical, mental or psychological health, disability or genetic make-up.
SCCH collects only personal and health information related to the delivery of the specific health and/or community service(s) being accessed by the person. SCCH is a community health service and is required to collect, manage and protect information related to the provision of health and wellbeing services from existing, prospective or previous service users.
Service provision activities can extend beyond service delivery and may include health promotion, consultation and advocacy. Through these activities, SCCH sometimes invites involvement of the wider community and collects contact details from community members for the purpose of engaging in future consultations or responding to enquiries. Contact details are collected from individuals interested in being informed about and participating in programs and events. Similar details are also collected from individuals who wish to receive publications and those consulting on policy and legislative matters.
People can visit the SCCH website anonymously because the site does not collect or record personal information other than information someone chooses to provide via email or internet forms.
Use and Disclosure
SCCH staff only collect and are provided with the information necessary for them to carry out the functions and activities of their role. Staff members are required to handle all personal and health information with discretion and to comply with the secrecy provisions of the Privacy and Data Protection Act 2014.
Client consent must be obtained prior to sharing the client’s information with other parties such as internal and external referrers and must be documented on the Client Consent to Share Information form. Consent must be obtained for each new episode of care and must not be older than twelve months. In addition, if clients wish to receive information by email, staff must obtain specific client consent on the Client Consent to SMS/Email form prior to SMS/emailing client health information, and staff must follow the procedure outlined below: SMS/Emailing Client Health Information.
Some de-identified personal information from enquiries and complaints is used in advocacy activities, public information and training, but never in a way that would compromise a person’s privacy. De-identified information may be shared with funding bodies and for awareness and reporting functions.
In certain circumstances, and in accordance with law, documents related to a complaint may be referred to appropriate complaints handling bodies such as the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.
Specific disclosures will be made with consent or otherwise in accordance with the use and disclosure standards of the Privacy and Data Protection Act 2014 and the Health Records Act.
Consent to Treatment
- Consent is your agreement for one of our workers to give you treatment and care, including any tests, treatments or procedures.
- To give informed consent, you need to be given enough information by our workers about your options. This will help you to make the right decision for yourself and your health.
- You may withdraw your consent at any time by speaking with one of our workers.
- If you are not sure about giving consent, or you have questions, please speak to one of our workers.
SMS/Emailing Client Health Information
Staff must follow this procedure at all times when sending client health information via SMS or email. Please note that other methods of delivery such as Connecting Care, fax, post and making client information available for pickup are preferred. Emailing client information is the last option and must only be used when all other options are not possible. Staff must explain to clients the risks associated with emailing client information and must ensure clients have completed the Client Consent to SMS/Email form.
SMS/emailing health information to the client:
- The Client Consent to SMS/Email form must be signed and uploaded to the Client’s Electronic File prior to any information being sent by SMS or email. There must be a new Client Consent to SMS/Email form for each episode of care and it must not be older than 12 months.
- The SMS phone number and/or email address must be verified. A test SMS and/or email containing no personal identifying data should be sent and confirmed prior to any client health information being sent.
- The subject line of the email and the body of the SMS/email must not contain any identifying information. Only the client’s first name or initials can be used in the subject line or body of the email.
- All attached documents must be password protected or in an encrypted password protected zip file. The password must not be sent in the body of the email. The password must be exchanged via a different method such as phone or face to face.
- All sent and received emails must immediately be moved to the client’s electronic file and deleted from Outlook.
Staff may refer to the Information Management guide for further instructions about password protecting files and secure information management.
Emailing client information to an external service provider:
- Clients must consent to their information being shared on the Consent to Share Information form. They must tick the box consenting to their information being shared by email.
- Staff should attach a copy of SCCH’s Guidelines for the Use & Disclosure of Shared Client Information sheet when emailing client information to an external provider.
Information Sharing Scheme
The Family Violence Information Sharing Scheme (FVISS) commenced in February 2018. Under Part 5A of the Family Violence Protection Act 2008, program areas that are prescribed Information Sharing Entities (ISEs) may be authorised to share information with other ISEs for family violence risk assessment and risk management.
The Child Information Sharing Scheme (CISS) commenced in September 2018. Under Part 6A of the Child Wellbeing and Safety Act 2005, the scheme authorises prescribed professionals (ISEs) to share information to promote the safety and wellbeing of children.
Refer to the Information Sharing Scheme Policy and Procedure for detailed instructions in relation to the FVISS and CISS.
Data Quality and Security
SCCH takes reasonable steps to ensure the information it holds is accurate, complete and up-to-date. We will endeavour to check the accuracy of personal or health information with you before we use it.
We use a number of procedural, physical, software and hardware safeguards, together with access controls, secure methods of communication and back-up and disaster recovery systems to protect information from misuse and loss, unauthorised access, modification and disclosure. These have been outlined within this policy.
Generally, information is destroyed or permanently de-identified when it is no longer required. However, most client information held by SCCH is subject to the Public Records Act (1973) and is required to be disposed of under the relevant Retention & Disposal guidelines such as the Record retention guide for organisations funded under the Service Agreement.
Unique Identifiers
The Information Privacy Principle 7 (IPP 7) restricts the assignment, adoption, use and disclosure of unique identifiers by Victorian public sector organisations, except in certain circumstances.
Circumstances in which this is permitted under IPP 7 include: where assignment or adoption of a unique identifier is necessary to enable the organisation to carry out any of its functions efficiently, or where the consent of the individual has been obtained.
Under Part 3 of the Healthcare Identifiers Regulations (2010), SCCH may collect, use and disclose an individual’s healthcare identifier used for My Health Record. This may be done for the purpose of communicating or managing health information as part of the provision of healthcare to a service user or the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare. Healthcare Identifiers can only be used for the purposes described in the Healthcare Identifiers Act 2010 and Healthcare Identifiers Regulations 2010, e.g. for communicating and managing healthcare, which covers documents and processes such as electronic referrals, discharge summaries and medication management.
Unique identifiers created by another organisation will not be requested unless required by law. Nor will we use or disclose a unique identifier unless there is a lawful basis for doing so.
Anonymity
When seeking general information from SCCH, people do not have to identify themselves. If they wish to make an enquiry, no personal information will be collected or recorded unless we need it to get back to them with an answer. However, if a person wishes to make a complaint under the Privacy and Data Protection Act, identification is necessary.
Transfer of Information Outside Victoria
We will not send personal or health information outside Victoria without obtaining written client consent.
Sensitive Information
Generally, we will only collect sensitive information with client consent or where required by law.
SCCH is an organisation committed to improving the health and wellbeing outcomes for LGBTIQ+ service users and seeking accreditation against the Rainbow Tick Standards. With the service user’s consent, SCCH collects information about sexual preference and gender identity. Unidentified data is used by SCCH as research evidence to inform policy, support advocacy, and build capacity. It is recognised that disclosure of a person’s sex, gender identity or sexual orientation is a personal decision.
The Australian Privacy Principles (APPs) cover the collection, use, disclosure and storage of personal information. SCCH supports and abides by Principle 6: The Right to Privacy of the Yogyakarta Principles (2006) which states:
“Everyone, regardless of sexual orientation or gender identity, is entitled to the enjoyment of privacy without arbitrary or unlawful interference, including with regard to their family, home or correspondence as well as to protection from unlawful attacks on their honour and reputation. The right to privacy ordinarily includes the choice to disclose or not to disclose information relating to one’s sexual orientation or gender identity, as well as decisions and choices regarding both one’s own body and consensual sexual and other relations with others.”
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) establishes requirements for entities in responding to data breaches. Entities have data breach notification obligations when:
- there is unauthorised access to, or unauthorised disclosure of, the information; or there is loss of the information where unauthorised access or disclosure is likely;
and
- a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
When a privacy breach occurs or there are reasonable grounds to believe an eligible data breach has occurred, staff must report the breach on an Incident Report Form and notify their own Manager, General Manager and CEO as soon as possible. The Manager and Executive will coordinate a response and are obligated to promptly notify individuals at likely risk of serious harm. The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach. Refer to the Incident Prevention and Reporting Policy and the Data Breach Response Flowchart.
Privacy Complaints
Complaints in relation to privacy are treated seriously and attempts are always made to resolve them fairly and quickly. Complaints are handled through the usual internal processes. If the person making the complaint is not satisfied with how it is dealt with, they can involve an appropriate complaints handling body such as the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.
References:
- Privacy Act 1988 (Cth)
- My Health Records Act 2012 (Cth)
- My Health Records Rule 2016
- Privacy Amendment (Enhancing Privacy Protection) Act 2012
- Healthcare Identifiers Act 2010
- Healthcare Identifiers Regulations 2010
- Privacy and Data Protection Act 2014 (Vic)
- Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic)
- Information Privacy Act 2000 (Vic)
- Health Records Act 2001 (Vic)
- Health Insurance Act 1973 (Cth)
- Children, Youth and Families Act 2005 (Vic)
- Family Violence Information Sharing – Ministerial Guidelines
- Notifiable Data Breaches Scheme
- Office of the Victorian Information Commissioner (OVIC)
- Record retention guide for organisations funded under the Service Agreement
- Responding to Privacy Breaches (Office of the Victorian Information Commissioner)
Information for Service Users
- Australian Privacy Principles – Summary
- Your information, your safety factsheet
- Your Privacy Rights
- Make a Privacy Complaint – Office of the Victorian Information Commissioner
Enquiries about this privacy policy should be directed to the Privacy Officer, Sunbury and Cobaw Community Health, PO BOX 218 Sunbury, VIC, 3429 or via email to: privacyofficer@scchc.org.au.