1. Policy Statement
SNPHN Ltd (Sydney North Health Network – “SNHN”) is committed to protecting the privacy of the personal information and sensitive information which it collects and holds. We gather such information to allow us to meet our objectives of improving our community’s access to primary health care services.
SNHN must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and other privacy laws which govern how organisations hold, use and disclose personal information (including sensitive information).
• the kinds of information which SNHN may collect about our clients, employees, contractors and others and how that information is collected and used
• how SNHN can disclose the information so collected
• how individuals can access the information held; and
• the processes by which SNHN protects the personal information held.
This policy applies to all activities conducted by SNHN and to the actions of its directors, employees, contractors and volunteers.
health information is:
• personal information or an opinion about:
– an individual’s physical or mental health or disability (at any time)
– an individual’s express wishes about the future provision of health services for themselves or
– a health service provided, or to be provided, to an individual
• other personal information collected to provide, or in providing a health service
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not
sensitive information means
• personal information or an opinion about an individual’s:
– racial or ethnic origins
– political opinions or political associations
– philosophical beliefs or religious beliefs or affiliations
– sexual orientation or practices
– criminal record
5. How SNHN Addresses the Australian Privacy Principles
SNHN handles all personal information and sensitive information in a manner which complies with the Australian Privacy Principles. We obtain consent (written or verbal) to collect, store, use and/or disclose this information. SNHN will only collect personal information:
• after a person has consented
• when any secondary use is related to the main reason for collection of personal information; or
• in circumstances in which collection is necessitated by the public interest such as law enforcement or public or individual health and safety.
SNHN takes reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date and to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure and against other misuse.
The Australian Privacy Principles
Part 1 – Consideration of personal information privacy
APP1: Open and transparent management of personal information
SNHN will only collect personal information necessary to undertake our programs, activities or functions. This is managed in an open and transparent way by the maintenance of processes which:
• make sure that each individual providing personal information is informed about and understands the purpose of collecting the information,
• disclose to whom and under what circumstances that personal information may be disclosed to another party; and
• allow and provide an individual access to the information held about that person.
This policy will be made available to any person upon request to the Privacy Officer. A general statement describing our approach to privacy is accessible to the public via the SNHN website.
APP2: Anonymity and pseudonymity
SNHN allows individuals the option of not identifying themselves when providing information except when:
• SNHN is required by law or court/tribunal order to deal with persons who have identified themselves; or
• it is impractical for SNHN to deal with individuals who have not identified themselves or have used a pseudonym.
Part 2 – Collection of personal information
APP3: Collection of solicited personal information
SNHN will only collect personal information that is reasonably necessary to provide a service.
SNHN will make sure that each individual who provides personal information is informed about and understands the purpose of collecting the information and its intended use/disclosure.
APP4: Dealing with unsolicited information
SNHN will not keep personal information received about an individual, unless that person has given permission.
SNHN will from time to time collect commercial information that is already available in the public domain. This includes operating details of primary healthcare providers in the region.
SNHN will seek to preserve the accuracy of this information.
APP5: Notification of the collection of personal information
When collecting personal information about an individual, SNHN will first inform the individual and proceed only if the individual consents.
Part 3 – Dealing with personal information
APP6: Use of and disclosure of personal information
SNHN will only use personal information for the purpose for which it was collected.
SNHN will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the individual’s or the public’s health and safety.
Individuals will be given the opportunity to refuse such use or disclosure. If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Privacy Act 1988) may do so.
SNHN will keep records of any such use and disclosure. Information may only be disclosed to a responsible person (as described under the Privacy Act 1988).
Information sharing for continuity of health care shall be with authorised individuals and organisations on a need-to-know basis, and be directly relevant to the client’s continuity of health care.
If information is to be used for a secondary or unrelated purpose, such as service evaluation, further consent is not required provided that the data will be de-identified i.e. elements of the data will be removed or substituted to ensure that an individual’s identity cannot be readily determined or recognised.
APP7: Direct marketing
SNHN will not provide personal information to another person or organisation for direct marketing except:
• with the express consent of the individual in circumstances where that specific use of the information is intended; or
• when the organisation is a contracted service provider to the Commonwealth and the disclosure of the information is necessarily required to meet an obligation under that contract.
APP8: Cross-border disclosure
SNHN will not provide personal information overseas unless legally required to do so.
APP9: Adoption, use or disclosure of Government related identifiers
SNHN will not use any Government related identifier (e.g. Medicare or Veterans’ Affairs numbers or similar) as our identifier, nor will we disclose it.
Part 4 – Integrity of personal information
APP10: Quality of personal information
SNHN takes reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
APP11: Security of personal information
SNHN takes care to protect and hold securely personal information whether electronic or on paper.
All personal information held by SNHN will be:
• if in paper form, received and stored in a secure, lockable location,
• if in electronic form, password and firewall protected, and externally backed up with a provider contractually bound to confidentiality,
• accessible by staff only on a “need to know” basis, and
• not taken from the SNHN offices unless authorised and for a specified purpose.
SNHN destroys or permanently de-identifies personal information that is no longer required to be held.
Part 5 – Access to and correction of personal information
APP12: Access to personal information
Individuals may request access to their own personal information. Access will be provided unless there is a sound reason under the Privacy Act 1988 or other relevant law to withhold access.
Situations in which access to information may be withheld may include when:
• there is a threat to the life or health of an individual,
• access to information creates an unreasonable impact on the privacy of others,
• the request is clearly frivolous or vexatious or access to the information has been granted previously,
• there are existing or anticipated legal dispute resolution proceedings,
• denial of access is required by legislation or law enforcement agencies,
• SNHN suspects unlawful activity or conduct of a serious nature, and
• giving access would reveal evaluative information within SNHN in connection with a commercially sensitive decision-making process.
SNHN responds to a request to access or amend information within 30 business days of receiving the request.
APP13: Correction of personal information
We will correct the personal information we hold about a person if it is inaccurate, out of date, incomplete or misleading.
Amendments may be made to personal information to make sure it is accurate, relevant, current, complete and not misleading, taking into account the purpose for which the information is collected and used. If the request to amend information does not meet these criteria, SNHN may refuse the request.
If the requested changes to personal information are not made, the individual may make a statement about the requested changes and the statement will be attached to the record.
SNHN will respond to queries and requests for access and amendment to personal information within 30 days by electronic means or by registered post correspondence.
7. Confidentiality of other Information
All information held by SNHN in the course of its activities is confidential. It is appropriate that a decision to release or make public (e.g. website content) gives due consideration to confidentiality of the information and the appropriateness of wider distribution.
If they are unsure whether information is confidential to SNHN or its clients, employees and stakeholders are to refer to the CEO or Privacy Officer before transferring or providing information to an external source.
8. Breach of privacy or confidentiality
Employees who are deemed to have breached privacy standards set out in this policy may be subject to disciplinary action as described in SNHN Code of Conduct.
If a client or stakeholder is dissatisfied with the conduct of a SNHN employee or director, this should be raised with the Privacy Officer.
Notifiable Data Breaches
Under the notifiable data breaches (NDB) scheme, which was established following the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, SNPHN is required to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm and the Australian Information Commissioner (Commissioner) in the case of ‘eligible data breaches’.
SNHN has put in place a Data Breach Response Plan which sets out the procedure to be followed by SNPHN employees in the event that SNHN experiences a data breach, or suspects that a data breach has occurred.
Chief Financial Officer
The CFO is SNHN’s Privacy Officer. The CFO is the contact point for all privacy and confidentiality related enquiries and issues (from both external and internal parties). Privacy enquiries can be made by:
• Phone – 02-9432-8250
• Email – firstname.lastname@example.org
• Website – https://sydneynorthhealthnetwork.org.au/
The CFO is responsible for the development and implementation of the policies, procedures and other governance tools required to comply with organisational and statutory privacy requirements. This will include ongoing enforcement, monitoring and evaluation of SNHN’s privacy processes. The CFO is accountable to the organisation’s CEO for compliance.
Employees and directors
Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
Understand the organisation’s ethical standards regarding the treatment of other confidential information relating to SNHN, its clients, employees and stakeholders.
• Code of Conduct
• Information Management Policy
• Human Resources Management Policy
• Complaints Procedure
Privacy Act 1988 (Cth) (“Privacy Act”) incorporating Privacy Amendment (Notifiable Data Breaches) Act 2017
Australian Privacy Principles (Jan 2014)
Privacy and Personal Information Act 1998 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Freedom of Information Act 1989 (NSW)