The following principles must be considered when adhering to this policy:
- The collection and use of personal, health and sensitive information must relate directly to the legitimate purposes of CCPC.
- Individuals must be aware of, or informed of, the purposes for which personal and health information is obtained.
- CCPC will take all reasonable measures to ensure that the personal and health information it receives and holds is up-to-date.
- CCPC will take all reasonable measures to store personal and health information securely.
- Individuals are entitled to have access to their own records, unless prevented by law.
- Third party access to personal and health information may only be granted in accordance with the APPs and CCPC policy.
- CCPC will comply with the mandatory data breach notification scheme.
- CCPC will amend records shown to be incorrect.
- CCPC will observe the APPs and the Privacy Act 1988.
Information or an opinion about:
- The physical, mental or psychological health (at any time) of an individual; or
- A disability (at any time) of an individual;
- An individual’s expressed wishes about the future provision of health services; or
- A health service provided, or to be provided, to an individual;
Personal information; or
- Other personal information collected to provide, or in providing, a health service; or
- Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of their body parts, organs or body substances; or
- Other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of their descendants.
Personal information – is information about an identified individual, or an individual who is reasonably identifiable. This includes information that is not about an individual on its own but can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
Sensitive information – means information about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Membership of a political association;
- Religious beliefs or affiliations;
- Philosophical beliefs;
- Membership of a professional or trade association;
- Membership of a trade union;
- Sexual preferences or practices;
- Criminal record; or
- That is also personal information.
Stakeholders – those with a vested interest in CCPC’s activities, including but not limited to, workforce, suppliers, members, clients and the broader community.
Workforce – individuals employed by CCPC, including full-time, part-time, continuing, fixed-term or casual, and individuals who contribute to or act on behalf of CCPC, including consultants, independent contractors and third party providers.
This policy applies to personal, health and sensitive information collected by CCPC concerning workforce, patients and stakeholders.
This policy must be observed by all CCPC workforce and stakeholders who have access to personal, health and sensitive information held by CCPC. This policy does not apply to information that is already in the public domain, unless such information arrived there by unauthorised means. This policy must be read in conjunction with CCPC’s Information Management Policy.
Roles and Responsibilities
The following principles require mandatory compliance:
- Will collect personal information only if it is necessary for one or more of its functions or activities.
- Will collect personal and health information by only lawful and fair means, and not in an unreasonably intrusive way.
- Will collect health information only if it is necessary for one or more of its functions or activities and with consent.
- When collecting personal and health information about an individual from the individual, take reasonable steps to ensure that the individual is aware of:
  - The identity of CCPC and how to contact the organisation;
  - Ability to gain access to the information;
  - The purpose(s) for which the information is collected;
  - To whom CCPC usually discloses information of that kind;
  - Any law that requires the particular information to be collected; and
  - The main consequences (if any) for the individual if all or part of the information is not provided.
- If it is reasonable and practicable to do so, collect personal and health information about an individual only from that individual. However, there will be instances where CCPC will obtain such information from other sources, for example, references for employment purposes and information from other health practitioners/organisations to base clinical decisions. In such instances, CCPC will take reasonable steps to ensure that the individual is or has been made aware of the matters listed from points 1-6 above, except when making the individual aware of the matters would pose a serious threat to the life or health of any individual.
- When you visit the CCPC website, our web server may download a cookie to your computer. A cookie is a small piece of information sent by our server to your browser. To protect your privacy, your browser only permits a web site to access the cookies it has already sent to you, not the cookies sent to you by other sites. If you do not wish to receive any cookies, you may set your browser to refuse them; go to the browser’s help menu for instructions. Cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by the CCPC website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website.
Use and disclosure
CCPC will not, without the prior consent of an individual, use or disclose personal or health information about that individual for any purpose other than the primary purpose of collection, with the following exceptions:
- The other purpose is directly related to the primary purpose, for example, communications between health professionals involved in the health care of the same individual;
- When the individual would reasonably expect CCPC to use or disclose the information for the other purpose;
- The information is de-identified. Health information is first encrypted using PKI (Public Key Infrastructure) encryption and then transmitted via a secure protocol (such as ARGUS Secure Messaging) so that the recipient agency is unable to identify data relating to any individual person.
- CCPC reasonably believes that the use or disclosure is necessary to lessen or prevent either:
  - A serious and imminent threat to an individual’s life, health, safety or welfare; or
  - A serious threat to public health, public safety or public welfare.
- CCPC has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
- The use or disclosure is required or authorised by or under law.
- Any disclosure under paragraphs 4.i & ii, 5 and 6 can only be made by the CEO or obtained legal counsel.
CCPC will take all reasonable steps to make sure that the personal and health information it collects, uses or discloses is accurate, complete, and up-to-date. This places an obligation on all CCPC workforce and stakeholders to provide relevant and accurate information to CCPC.
CCPC will take reasonable steps to protect the personal and health information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
CCPC will take reasonable steps to destroy or permanently de-identify personal and health information if it is no longer required.
CCPC has incorporated the Privacy Amendment (Notifiable Data Breaches) Act 2017 into organisational policy and procedure.
A data breach occurs when personal information that the organisation holds is subject to unauthorised access or disclosure, or is lost. Where an ‘eligible data breach’ has occurred, CCPC will adhere to the NDB process as outlined in the NDB Policy and Procedure.
CCPC will make this policy available to anyone who requests it. Alternatively, it can be found on our website, www.CCPC.com.au.
On request by a person, CCPC will take reasonable steps to let the person know, generally, what sort of personal and health information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
Access and correction
If CCPC holds personal or health information about an individual, it will provide the individual with access to the information on request by the individual, except when:
- Providing access would pose a serious and imminent threat to the life or health of any individual;
- Providing access would have an unreasonable impact on the privacy of other individuals;
- The request for access is considered frivolous or trouble-making;
- The information relates to existing legal proceedings between CCPC and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings;
- Providing access would reveal the intentions of CCPC in relation to negotiations with the individual in such a way as to prejudice those negotiations;
- Providing access would be unlawful;
- Denying access is required or authorised by or under law;
- Providing access would be likely to prejudice an investigation of possible unlawful activity; or
- Where providing access would reveal commercially sensitive information.
If CCPC holds personal or health information about an individual and the individual is able to establish to the satisfaction of CCPC that the information is not accurate, complete and/or up-to-date, CCPC will take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
If an individual requests access to, or the correction of, personal or health information held by CCPC, CCPC will as soon as practicable:
- Provide access, or reasons for the denial of access; and
- Correct the personal or health information, or provide reasons for the refusal to correct the information.
At any time you may ask to be removed from the CCPC mailing lists by contacting us at firstname.lastname@example.org
CCPC may assign unique identifiers to individuals when considered necessary to carry out its functions. CCPC will not adopt an individual’s unique identifier that has been assigned by another organisation as its own unique identifier. CCPC will not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law, or the provision is in connection with the purpose for which the unique identifier
Because of the nature of CCPC’s core business, it will usually be impractical for individuals transacting with CCPC to have the option of not identifying themselves. However, where it is lawful and practical to do so, CCPC will give the individual this option.
CCPC takes precautions, including administrative, technical and physical measures, to safeguard personal information against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction in conjunction with the Information Management Policy. CCPC’s website uses Secure Sockets Layer (SSL) encryption on all web pages where personal information is collected. To submit personal information to us, you must use an SSL-enabled browser such as Safari, Firefox or Internet Explorer. Doing so protects the confidentiality of your personal information while it’s transmitted over the Internet. All electronic information obtained is held on an in-house server that is securely maintained and stored.
Transborder Data Flow
CCPC will only transfer personal or health information about an individual to a third party who is outside New South Wales if:
- The individual consents to the transfer; or
- All of the following apply:
- The transfer is for the benefit of the individual;
- It is impracticable to obtain the consent of the individual to that transfer;
- If it were practicable to obtain that consent, the individual would be likely to give it
- CCPC has taken reasonable steps to ensure that the information which it has transferred will only be held, used or disclosed by the recipient of the information consistent with the principles set out in this policy.
CCPC will not collect sensitive information about an individual unless:
- The individual has consented; or
- The collection is required under law
Notwithstanding the above paragraph, CCPC may collect sensitive information about an individual if:
- The collection is necessary for research, or the compilation or analysis of statistics, relevant to government-funded health-related services; or
- The collection is related to an individual’s racial or ethnic origin and is collected for the purpose of providing targeted health-related services.
If someone believes their personal information has not been properly protected, or that there has been a breach or potential breach of this Policy or the privacy legislation, they should contact the CCPC CEO.
CCPC takes breaches seriously and has procedures to help identify and resolve a breach, potential breach or complaint as quickly as possible. This includes notification and/or escalation to the appropriate management level. Complaints will be thoroughly investigated and a suitable resolution negotiated. If a suitable resolution cannot be reached, the Office of the Australian Information Commissioner (OAIC) can be contacted.