This policy provides an outline of APMHA HealthCare Ltd.'s legal obligations and ethical expectations in relation to privacy and confidentiality.
This policy applies to General Managers, contractors, customers and employees. It also applies to consumers of APMHA HealthCare Ltd. services.
APMHA HealthCare Ltd. is committed to protecting the privacy and confidentiality of customers, consumers, employees and General Managers in the way information is collected, stored and used.
3.1. Collection
Collection of personal information must be fair, lawful and not intrusive.
A person must be told:
- The name of the organisation collecting
- The purpose of collection
- How the person can get access to their personal information
- What happens if required information is not distributed
APMHA HealthCare Ltd. will only collect personal information necessary to undertake our programs, activities or functions.
Personal information about an individual will only be collected by lawful and fair means and directly from the individual wherever possible.
APMHA HealthCare Ltd. will ensure that each individual providing personal information is informed about and understands the purpose of collecting the information, to whom or under what circumstances their personal information may be disclosed to another party, and how they can access the information held about them by APMHA HealthCare Ltd.
APMHA HealthCare Ltd. will collect commercial information that is already available in the public domain. This includes operating details of primary healthcare providers in the region. APMHA HealthCare Ltd. will seek to preserve the accuracy of this information.
3.2. Use and disclosure
APMHA HealthCare Ltd. only uses or discloses information for the purpose it was collected unless:
- The person has consented,
- The person is underage and requires carer involvement,
- The person is considered ‘at risk’ and requires carer involvement,
- The person has identified a carer to be involved in their recovery plan,
- The secondary purpose is related to the primary purpose and a person would reasonably expect such use,
- Disclosure or the use is for direct marketing in specified circumstances, or
- In circumstances related to public interest such as law enforcement and public or individual health and safety.
If information is to be used for a secondary or unrelated purpose, such as service evaluation, consent is not required as the data will be de-identified.
Individuals will be given the opportunity to refuse such use or disclosure. If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Privacy Act 1988) may do so.
APMHA HealthCare Ltd. will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the individual’s or the public’s health and safety.
APMHA HealthCare Ltd. will keep records of any such use and disclosure. Information may only be disclosed to a responsible person (as described under the Privacy Act 1988).
3.3. Information quality and security
APMHA HealthCare Ltd. takes reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date.
APMHA HealthCare Ltd. takes steps to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure and against other misuse.
All personal information held by APMHA HealthCare Ltd. will be:
- If in paper form, received and stored in a secure, lockable location,
- If in electronic form, password and firewall protected, and externally backed up with a provider contractually bound to confidentiality,
- Accessible by staff only on a “need to know” basis, and
- Not taken from the APMHA HealthCare Ltd. offices unless authorised and for a specified purpose.
APMHA HealthCare Ltd. destroys or permanently de-identifies personal information that is no longer required to be held by legislation and by APMHA HealthCare Ltd.
APMHA HealthCare Ltd. ensures that if it is necessary for the personal information to be given to a person in connection with the provision of a service, everything reasonably within the power of APMHA HealthCare Ltd. is done to prevent unauthorised use or disclosure of personal information.
This policy will be made available to any person upon request. A general statement describing our approach to privacy is accessible to the public via the APMHA HealthCare Ltd. website.
3.5. National Privacy Principle 6: Access and Correction
Individuals may request access to their own personal information. Access will be provided unless there is a sound reason under the Privacy Act 1988 or other relevant law to withhold access. Other situations in which access to information may be withheld may include when:
- There is a threat to the life or health of an individual,
- Access to information creates an unreasonable impact on the privacy of others,
- There are existing or anticipated legal dispute resolution proceedings, and
- Denial of access is required by legislation or law enforcement agencies.
APMHA HealthCare Ltd. responds to a request to access or amend information within 45 days of receiving the request.
Amendments may be made to personal information to ensure it is accurate, relevant, up to date, complete and not misleading, considering the purpose for which the information is collected and used.
If the request to amend information does not meet these criteria, APMHA HealthCare Ltd. may refuse this request. If the requested changes to personal information are not made, the individual may make a statement about the requested changes and the statement will be attached to the record.
APMHA HealthCare Ltd. is responsible for responding to queries and requests for access and amendment to personal information.
It is the policy of APMHA HealthCare Ltd. that an identifier assigned by a Commonwealth or State/Territory government ‘agency’, for example Medicare or Veterans Affairs numbers, will not be used to identify personal information.
APMHA HealthCare Ltd. gives people the option to interact anonymously whenever it is lawful and practical to do so.
An individual who chooses to access the services of APMHA HealthCare Ltd. anonymously will be advised of any potential consequences resulting from their decision (e.g. where the lack of a contact name or address may jeopardise care in an emergency situation).
APMHA HealthCare Ltd. will not automatically preclude an individual from participating in the activities of APMHA HealthCare Ltd. because they request anonymity.
3.8. Trans border data flows
APMHA HealthCare Ltd. only transfers personal information about an individual to someone who is in a foreign country if:
- the individual consents to the transfer, or
- APMHA HealthCare Ltd. is reasonably sure that the information will not be held, used or disclosed inconsistently with the National Privacy Principles.
3.9. Sensitive information
APMHA HealthCare Ltd. considers all personal information as sensitive information and requires consent (written and verbal) to collect, store, use and/or disclose this information. In other special specified circumstances relating to health services provision and individual or public health and safety, the consent process may vary. Information sharing for continuity of health care shall be with authorised individuals and organisations on a need-to-know basis and be directly relevant to the client’s continuity of health care.
APMHA HealthCare Ltd. only collects sensitive information (as defined under the Privacy Act 1988) other than health information about an individual if:
- The individual consents, or
- The collection is required by law and is consistent with the provisions of National Privacy Principles.
3.10. Collection, use and disclosure of confidential information
Other information held by APMHA HealthCare Ltd. may be regarded as confidential, pertaining either to an individual or an organisation. The most important factor to consider when determining whether information is confidential is whether the information can be accessed by the general public. If they are unsure whether information is sensitive or confidential to APMHA HealthCare Ltd. or its clients, contractors, employees and stakeholders are to refer to the General Managers before transferring or providing information to an external source.
3.10.1. Organisational information
All employees, contractors and General Managers agree to adhere to their respective APMHA HealthCare Ltd. Code of Conduct when commencing employment, involvement or a placement. The Code of Conduct outlines the responsibilities to the organisation related to the use of information obtained through their employment, involvement or placement.
3.10.2. Stakeholder information
APMHA HealthCare Ltd. works with a variety of stakeholders. The organisation may collect confidential or sensitive information about its stakeholders as part of a working relationship. Employees and contractors at APMHA HealthCare Ltd. do not disclose information about its stakeholders that is not already in the public domain without stakeholder consent. The manner in which employees manage stakeholder information will be clearly articulated in any contractual agreements that the organisation enters into with a third party.
3.10.3. Consumer information
Detailed information regarding the collection, use and disclosure of client information can be found in the Consumer Health Records Policy and associated procedures.
3.11. Breach of privacy or confidentiality
If employees or contractors are dissatisfied with the conduct of a colleague regarding privacy and confidentiality of information, the matter should be raised with the employee’s direct line manager. If this is not possible or appropriate, follow the delegations indicated in the Grievance Policy. Employees or contractors who are deemed to have breached privacy and confidentiality standards set out in this policy may be subject to disciplinary action. If a client or stakeholder is dissatisfied with the conduct of an APMHA HealthCare Ltd. employee, contractor or General Manager, a complaint should be raised in accordance with the Feedback and Complaints Policy. Information about making a complaint will be made available to clients and stakeholders and can be found on the APMHA HealthCare Ltd. website.
Privacy provisions of the Privacy Act 1988 govern the collection, protection and disclosure of personal information provided to APMHA HealthCare Ltd. by clients, contractors, General Managers and employees.
Confidentiality applies to the relationship of confidence. Confidentiality ensures that information is accessible only to those authorised to have access and is protected throughout its lifecycle. Confidential information may be marked as such or deemed confidential by its nature; for example, it is information that is not available in the public domain.
Consent means voluntary agreement to some act, practice or purpose. Consent has two elements: knowledge of the matter agreed to, and voluntary agreement.
Individual means any person such as a client, employee, General Manager, contractor or a member of the public.
Organisational information includes publicly available, and some confidential, information about organisations. Organisational information is not covered in the Privacy Act 1988 but some organisational information may be deemed confidential.
Personal information means information or an opinion (including information or an opinion forming part of a database) about an individual (Office of the Federal Privacy Commissioner, 2001). It may include information such as names, addresses, bank account details and health conditions. The use of personal information is guided by the Privacy Act 1988.
The public domain in relation to confidentiality is “common knowledge”; that is, information that can be accessed by the general public.
General Manager Operations
The General Manager Operations is APMHA HealthCare Ltd.’s Privacy Officer and is the contact point for all privacy and confidentiality related enquiries and issues (from both external and internal parties). Privacy enquiries can be made by:
- Phone – 1300 514 811
- Email – firstname.lastname@example.org
- Website – www.apmhahealthcare.com.au
The General Manager Operations is responsible for the development and implementation of the policies, procedures and other governance tools required to comply with organisational and statutory privacy requirements. This will include ongoing enforcement, monitoring and evaluation of APMHA HealthCare Ltd.’s privacy processes.
General Managers, sub-contractors and employees must:
- Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
- Understand the organisation’s ethical standards regarding the treatment of other confidential information relating to APMHA HealthCare Ltd., its clients, contractors, employees and stakeholders.
- Act in accordance with organisational systems in place to protect privacy and confidentiality.
6. References
Internal interdependencies
- Code of Conduct
- Information Management Policy
- Feedback and Complaints Policy
- Privacy Statement
External interdependencies
- Privacy Act 1988
- National standards for mental health services 2010
- ISO 9001:2016 – quality management systems
7. Version Control
| Version | Date | Owner (title) | Approver (title) | Nature of change |
|---|---|---|---|---|
| 01 | 06/01/2016 | R Hayden (CEO) | J Craggs (GMC) | N/A |
| 02 | 04/02/2017 | R Hayden (CEO) | J Craggs (GMC) | Update |
| 02 | 24/03/2018 | R Hayden (CEO) | T Le (GMSD) | Update |