SNPHN Limited (Sydney North Primary Health Network – “SNPHN”) is committed to protecting the privacy of the personal information and sensitive information which it collects and holds. We gather such information to allow us to meet our objectives of improving our community’s access to primary health care services.
SNPHN must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and other privacy laws which govern how organisations hold, use and disclose personal information (including sensitive information).
- the kinds of information which SNPHN may collect about our clients, employees, contractors and others and how that information is collected and used
- how SNPHN can disclose the information so collected
- how individuals can access the information held and
- the processes by which SNPHN protects the personal information held.
This policy applies to all activities conducted by SNPHN and to the actions of its directors, employees, contractors and volunteers.
health information is:
- personal information or an opinion about:
- an individual’s physical or mental health or disability (at any time)
- an individual’s express wishes about the future provision of health services for themselves or
- a health service provided, or to be provided, to an individual
- other personal information collected to provide, or in providing a health service
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not
sensitive information means
- personal information or an opinion about an individual’s:
- racial or ethnic origins
- political opinions or political associations
- philosophical beliefs or religious beliefs or affiliations
- sexual orientation or practices
- criminal record
- health information about an individual or
- genetic information about an individual that is not otherwise health information
5. How SNPHN Addresses the Australian Privacy Principles [APP]
SNPHN handles all personal information and sensitive information in a manner which complies with the Australian Privacy Principles. We obtain consent (written or verbal) to collect, store, use and/or disclose this information. SNPHN will only collect personal information:
- after a person has consented
- when any secondary use is related to the main reason for collection of personal information or
- in circumstances in which collection is necessitated by the public interest such as law enforcement or public or individual health and safety
SNPHN takes reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date and to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure and against other misuse.
The Australian Privacy Principles
Part 1 – Consideration of personal information privacy
APP1: Open and transparent management of personal information
SNPHN will only collect personal information necessary to undertake our programs, activities or functions. This is managed in an open and transparent way by the maintenance of processes which
- make sure that each individual providing personal information is informed about and understands the purpose of collecting the information,
- disclose to whom and under what circumstances that personal information may be disclosed to another party; and
- allow and provide an individual access to the information held about that person.
This policy will be made available to any person upon request to the Privacy Officer. A general statement describing our approach to privacy is accessible to the public via the SNPHN website.
APP2: Anonymity and pseudonimity
SNPHN allows individuals the option of not identifying themselves when providing information except when:
- SNPHN is required by law or court tribunal order to deal with persons who have identified themselves or
- it is impractical for SNPHN to deal with individuals who have not identified themselves or have used a pseudonym.
Part 2 – Collection of personal information
APP3: Collection of solicited personal information
SNPHN will only collect personal information that is reasonably necessary to provide a service.
SNPHN will make sure that each individual who provides personal information is informed about and understands the purpose of collecting the information and its intended use/disclosure.
APP4: Dealing with unsolicited information
SNPHN will not keep personal information received about an individual, unless that person has given permission.
SNPHN will from time to time collect commercial information that is already available in the public domain. This includes operating details of primary healthcare providers in the region. SNPHN will seek to preserve the accuracy of this information.
APP5: Notification of the collection of personal information
When collecting personal information about an individual, SNPHN will first inform the individual and proceed only if the individual consents.
Part 3 – Dealing with personal information
APP6: Use of and disclosure of personal information
SNPHN will only use personal information for the purpose for which it was collected.
SNPHN will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the individual’s or the public’s health and safety.
Individuals will be given the opportunity to refuse such use or disclosure. If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Privacy Act 1988) may do so.
SNPHN will keep records of any such use and disclosure. Information may only be disclosed to a responsible person (as described under the Privacy Act 1988).
Information sharing for continuity of health care shall be with authorised individuals and organisations on a need to know basis, and be directly relevant to the client’s continuity of health care.
If information is to be used for a secondary or unrelated purpose, such as service evaluation, further consent is not required provided that the data will be de-identified, i.e elements of the data will be removed or substituted so as to ensure that an individual’s identity cannot be readily determined or recognised.
APP7: Direct marketing
SNPHN will not provide personal information to another person or organization for direct marketing except:
- with the express consent of the individual in circumstances where that specific use of the information is intended; or
- when the organisation is a contracted service provider to the Commonwealth and the disclosure of the information is necessarily required to meet an obligation under that contract.
APP8: Cross-border disclosure
SNPHN will not provide personal information overseas unless legally required to do so.
APP9: Adoption, use or disclosure of Government related identifiers
SNPHN will not use any Government related identifier (eg Medicare or Veterans’ Affairs numbers or similar) as our identifier, nor will we disclose it.
Part 4 – Integrity of personal information
APP10: Quality of personal information
SNPHN takes reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
APP11: Security of personal information
SNPHN takes care to protect and hold securely personal information whether electronic or on paper.
All personal information held by SNPHN will be:
- if in paper form, received and stored in a secure, lockable location,
- if in electronic form, password and firewall protected, and externally backed up with a provider contractually bound to confidentiality,
- accessible by staff only on a “need to know” basis, and
- not taken from the SNPHN offices unless authorised and for a specified purpose.
SNPHN destroys or permanently de-identifies personal information that is no longer required to be held.
Part 5 – Access to and correction of personal information
APP12: Access to personal information
Individuals may request access to their own personal information. Access will be provided unless there is a sound reason under the Privacy Act 1988 or other relevant law to withhold access.
Situations in which access to information may be withheld may include when:
- there is a threat to the life or health of an individual,
- access to information creates an unreasonable impact on the privacy of others,
- the request is clearly frivolous or vexatious or access to the information has been granted previously,
- there are existing or anticipated legal dispute resolution proceedings, and
- denial of access is required by legislation or law enforcement agenci
- SNPHN suspects unlawful activity or conduct of a serious nature
- giving access would reveal evaluative information within SNPHN in connection with a commercially sensitive decision making process
SNPHN responds to a request to access or amend information within 30 business days of receiving the request.
APP13: Correction of personal information
We will correct the personal information we hold about a person if it is inaccurate, out of date, incomplete or misleading.
Amendments may be made to personal information to make sure it is accurate, relevant, current, complete and not misleading, taking into account the purpose for which the information is collected and used. If the request to amend information does not meet these criteria, SNPHN may refuse the request.
If the requested changes to personal information are not made, the individual may make a statement about the requested changes and the statement will be attached to the record.
SNPHN will respond to queries and requests for access and amendment to personal information within 30 days by electronic means or by registered post correspondence.
6. Confidentiality of other Information
All information held by SNPHN in the course of its activities is confidential. It is appropriate that a decision to release or make public (eg website content) gives due consideration to confidentiality of the information and the appropriateness of wider distribution.
If they are unsure whether information is confidential to SNPHN or its clients, employees and stakeholders are to refer to the CEO or Privacy Officer before transferring or providing information to an external source.
7. Breach of privacy or confidentiality
Employees who are deemed to have breached privacy standards set out in this policy may be subject to disciplinary action as described in SNPHN Code of Conduct.
If a client or stakeholder is dissatisfied with the conduct of a SNPHN employee or director, this should be raised with the Privacy Officer.
Chief Financial Officer (CFO)
The CFO is SNPHN’s Privacy Officer. The CFO is the contact point for all privacy and confidentiality related enquiries and issues (from both external and internal parties). Privacy enquiries can be made by:
- Phone – 02-9432-8250
- Email – firstname.lastname@example.org
- Website – http://www.sydneynorthhealthnetwork.org.au/
The CFO is responsible for the development and implementation of the policies, procedures and other governance tools required to comply with organisational and statutory privacy requirements. This will include ongoing enforcement, monitoring and evaluation of SNPHN’s privacy processes. The CFO is accountable to the organisation’s CEO for compliance.
Employees and directors
Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
Understand the organisation’s ethical standards regarding the treatment of other confidential information relating to SNPHN, its clients, employees and stakeholders.
- Code of Conduct
- Information Management Policy
- Human Resources Management Policy
- Complaints Procedure
- Privacy Act 1988 (Cth) (“Privacy Act”)
- Australian Privacy Principles (Jan 2014)
- Privacy and Personal Information Act 1998 (NSW)
- Health Records and Information Privacy Act 2002 (NSW)
- Freedom of Information Act 1989 (NSW)