The policy refers to the collection and handling of personal and health information by Sunbury and Cobaw Community Health (SCCH) in a way that establishes a reasonable balance between an individual’s right to control the use of their personal information, with SCCH’s need to ensure that it can collect and use information with confidence in order to perform its functions.
SCCH must comply with relevant privacy laws. The Privacy Act 1988 contains ‘Australian Privacy Principles’, the Privacy & Data Protection Act 2014 (Victoria) outlines ‘Information Privacy Principles’ and the Health Records Act 2001 sets out ‘Health Privacy Principles.’ The Privacy Principles across all three sets are broadly similar in content and have been amended to refer to the Health Privacy Principles where relevant. Therefore this policy refers to and is guided by the Australian Privacy Principles that, as required by law, protect the rights of individuals who access a SCCH service.
To ensure that clients’ privacy and the right to confidentiality is respected, and maintained according to privacy laws.
SCCH provides confidential services to all clients. The above legislations require procedures in relation to the private and confidential collection, storage, usage and disclosure of personal information. All persons covered in the scope of this policy are required to comply with SCCH’s Code of Ethical Conduct and all staff are required to read this policy prior to commencing employment with SCCH and comply to this policy throughout their employment with SCCH.
The policy is binding on all SCCH staff, consultants, external contractors, volunteers and students who have access to personal information maintained by SCCH. The scope of this policy includes personal information of parties both internal and external to SCCH. Any personal information collected, regardless if it is from a service user, stakeholder or an employee of SCCH is considered health information and will be handled according to this policy.
Australian Privacy Principles
The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988, outline how organisations must handle, use and manage personal information.
These principles outline the requirement for:
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure at all times
- specific attention to the requirements that apply in any digital transmission process
- right for individuals to access and correct their personal.
Statement of Diversity
SCCH values diversity and will be responsive to the health needs of vulnerable people and may include promotion and advocacy. This includes but is not limited to Aboriginal and Torres Strait Islander people; people with dementia or disabilities; lesbian, gay, bisexual, trans and intersex people and culturally and linguistically diverse people.
When collecting personal or health information, SCCH will take reasonable steps to advise the person about what information is being sought, for what purpose, whether any law requires the collection of the information and the main consequences, if any, of not providing the information.
Personal information is information or an opinion that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion, but not including health information. Health information is information that can be linked to an identifiable individual, including deceased individuals, which concerns that individual’s physical, mental or psychological health, disability or genetic make-up.
SCCH collects only personal and health information related to the delivery of the specific health and/or community service(s) being accessed by the person. SCCH is a community health service and is required to collect, manage and protect information related to the provision of health and wellbeing services from existing, prospective or previous service users.
Service provision activities can extend beyond service delivery and may include health promotion, consultation and advocacy. Through these activities sometimes SCCH invites involvement of the wider community and collects contact details from community members for the purpose of engaging in future consultations or responding to enquiries. Contact details are collected from individuals interested in being informed about and participating in programs and events. Similar details are also collected from individuals who wish to receive publications and those consulting on policy and legislative matters.
People can visit the SCCH website anonymously because the site does not collect or record personal information other than information someone chooses to provide via email or internet forms.
Use and Disclosure
SCCH staff only collect and are provided with the information necessary for them to carry out the functions and activities of their role. Staff members are required to handle all personal and health information with discretion and to comply with the secrecy provisions of the Privacy and Data Protection Act 2014.
Client consent must be obtained prior to sharing the client’s information with other parties such as internal and external referrers and must be documented on the Client Consent to Share Information form. Consent must be obtained for each new episode of care and must not be older than twelve months. In addition, if clients wish to receive information by email, staff must obtain specific client consent on the Client Consent to SMS/Email form prior to SMS/emailing client health information and staff must follow the procedure outlined below; SMS/Emailing Client Health Information.
Some de-identified personal information from enquiries and complaints is used in advocacy activities, public information and training, but never in a way that would compromise a person’s privacy. De-identified information may be shared with funding bodies and for awareness and reporting functions.
In certain circumstances, and in accordance with law, documents related to a complaint may be referred to appropriate complaints handling bodies such as the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.
Specific disclosures will be made with consent or otherwise in accordance with the use and disclosure standards of the Privacy and Data Protection Act 2014 and the Health Records Act.
SMS/Emailing Client Health Information
Staff must follow this procedure at all times when sending client health information via SMS or email. Please note that other methods of delivery such as Connecting Care, fax, post and making client information available for pickup are preferred methods. Emailing client information is the last option and must only be used when all other options are not possible. Staff must explain to clients the risks associated in emailing client information and staff must ensure clients have completed the Client Consent to SMS/Email form.
SMS/emailing health information to the client:
- The Client Consent to SMS/Email form must be signed and uploaded to the Client’s Electronic File prior to any information being sent by SMS or email. There must be a new Client Consent to SMS/Email form for each episode of care and it must not be older than 12 months
- The SMS phone number and/or email address must be verified. A test SMS and/or email containing no personal identifying data should be sent and confirmed prior to any client health information being sent.
- The subject line of the email and the body of the SMS/email must not contain any identifying information. Only the client’s first name or initials can be used in the subject line or body of the email.
- All attached documents must be password protected or in an encrypted password protected zip file. The password must not be sent in the body of the email. The password must be exchanged via a different method such as phone or face to face.
- All sent and received emails must immediately be moved to the client’s electronic file and deleted from Outlook.
Staff may refer to the Information Management guide for further instructions about password protecting files and secure information management.
Emailing client information to an external service provider:
- Clients must consent to their information being shared on the Consent to Share Information form. They must tick the box consenting to their information being shared by emailed.
- Staff should attach a copy of SCCH’s Guidelines for the Use & Disclosure of Shared Client Information sheet when emailing client information to an external provider.
Information Sharing Scheme
The Family Violence Information Sharing Scheme (FVISS) commenced in February 2018. Under Part 5A of the Family Violence Protection Act 2008 program areas who are prescribed Information Sharing Entities (ISEs) may be authorised to share information with other ISEs for family violence risk assessment and risk management.
The Child Information Sharing Scheme (CISS) commenced in September 2018. Under Part 6A of the Child Wellbeing and Safety Act 2005, the scheme authorises prescribe professionals (ISEs) to share information to promote the safety and wellbeing of children.
Refer to the Information Sharing Scheme Policy and Procedure for detailed instructions in relation to the FVISS and CISS.
Data Quality and Security
SCCH takes reasonable steps to ensure the information it holds is accurate, complete and up-to-date. We will endeavor to check the accuracy of personal or health information with you before we use it.
We use a number of procedural, physical, software and hardware safeguards, together with access controls, secure methods of communication and back-up and disaster recovery systems to protect information from misuse and loss, unauthorised access, modification and disclosure. These have been outlined within this policy.
Generally, information is destroyed or permanently de-identified when it is no longer required. However, most client information held by SCCH is subject to the Public Records Act (1973) and is required to be disposed of under the relevant Retention & Disposal guidelines such as the Record retention guide for organisations funded under the Service Agreement.
The Information Privacy Principle 7 (IPP 7) restricts the assignment, adoption, use and disclosure of unique identifiers by Victorian public sector organisations, except in certain circumstances.
Circumstances in which this is permitted under IPP 7 include: where assignment or adoption of a unique identifier is necessary to enable the organisation to carry out any of its functions efficiently, or where the consent of the individual has been obtained.
Under Part 3 of the Healthcare Identifiers Regulations (2010), SCCH may collect, use and disclose an individual’s healthcare identifier used for My Health Record. This may be done for the purpose of communicating or managing health information as part of the provision of healthcare to a service user or the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare. Healthcare Identifiers can only be used for the purposes described in the Healthcare Identifiers Act 2010 and Healthcare Identifiers Regulations 2010, e.g. for communicating and managing healthcare, which covers documents and processes such as electronic referrals, discharge summaries and medication management.
Unique identifiers created by another organisation will not be requested unless required by law. Nor will we use or disclose a unique identifier unless there is a lawful basis for doing so.
When seeking general information from SCCH, people do not have to identify themselves. If they wish to make an enquiry, no personal information will be collected or recorded unless we need it to get back to them with an answer. However, if a person wishes to make a complaint under the Privacy and Data Protection Act identification is necessary.
Transfer of Information Outside Victoria
We will not send personal or health information outside Victoria without obtaining written client consent.
Generally, we will only collect sensitive information with client consent or where required by law.
SCCH is an organisation committed to improving the health and wellbeing outcomes for LGBTIQ+ service users and seeking accreditation against the Rainbow Tick Standards. With the service user’s consent, SCCH collects information about sexual preference and gender identity. Unidentified data is used by SCCH as research evidence to inform policy, support advocacy, and build capacity. It is recognised that disclosure of a person’s sex, gender identity or sexual orientation is a personal decision.
The Australian Privacy Principles (APPs) cover the collection, use, disclosure and storage of personal information. SCCH supports and abides by Principle 6: The Right to Privacy of the Yogyakarta Principles (2006) which states:
“Everyone, regardless of sexual orientation or gender identity, is entitled to the enjoyment of privacy without arbitrary or unlawful interference, including with regard to their family, home or correspondence as well as to protection from unlawful attacks on their honour and reputation. The right to privacy ordinarily includes the choice to disclose or not to disclose information relating to one’s sexual orientation or gender identity, as well as decisions and choices regarding both one’s own body and consensual sexual and other relations with others.”
Notifiable data Breaches
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when:
- there is an unauthorized access to, or unauthorised disclosure of, the information; or there is loss of the information where unauthorized access or disclosure if likely;
- a data breach is likely to result in serious harm to any individuals whose personal information is involved in the
When a privacy breach occurs or there is reasonable grounds to believe an eligible data breach has occurred, staff must report the breach on an Incident Report Form and notify their own Manager, General Manager and CEO as soon as possible. The Manager and Executive will coordinate a response and are obligated to promptly notify individuals at likely risk of serious harm. The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach. Refer to the Incident Prevention and Reporting Policy and the Data Breach Response Flowchart.
Complaints in relation to privacy are treated seriously and attempts are always made to resolve them fairly and quickly. Complaints would be handled through the usual internal processes. If the person making the complaint is not satisfied with how it is dealt with, they can involve an appropriate complaints handling body such as; the Health Complaints Commissioner, Aged Care Complaints Commissioner or the Disability Services Commissioner.
Requests for Access to Information and Correction
All clients have a right to seek access to their client file and to make corrections to the information held in the record. Requests for access to and/or correction of documents containing personal information held by SCCH will be handled in accordance with the Australian Privacy Principle 12 – Access to personal information.
Requests to see or obtain a copy of health information may be received by the following parties:
- Clients – Requests can be in person, via phone, email or otherwise in writing. The Request for Access to Health Records form must be completed by a client before a release is made. They must provide proof of their identity and staff must make every effort to ensure information is given to the correct person. If a completed form is received via email or mail prior to verbal contact, staff must phone the client to confirm their request and verify the validity of the email or postal address.
- Minors (17 years and under)– A Request for Access to Health Records form is required. The form asks if the person is requesting on behalf of another person and whether they are the legal guardian. Non-custodial parents must not be given information without the authority of the custodial parent. Similarly, parents of a minor who is the subject of a child protection order must not be given information without the consent of the Child Protection Services.
- Third Parties – Requests must be in writing and a Request for Access to Health Records form may be required. Client consent is required in most circumstances and should be supplied by the party making the request. The Privacy Principles acknowledge that organisations will be asked to supply health or personal information of a person without first receiving that person’s consent and this is outlined below as Required Disclosures.
Recording the Request
Actions for staff receiving the request
All requests for access to health or personal information must be recorded in the Clients Electronic Record and must include the following:
- Details of the organisation and person making the request
- The identification supplied by the client or how their identify was verified
- Copies of written requests and consent forms
- The date of disclosure
- Details of any discussion or authorization between staff and managers
- Details of the information provided by SCCH and the form is was supplied. For example, DDMMYY: Summary medical report (shoulder injury) sent to lawyer X on USB via registered mail.
- The basis of any release that involved a missing person or the belief that a person or the public would otherwise be in serious danger.
Actions for Managers
Managers should check the information requested and make a judgement that:
- The release is not likely to harm of endanger the wellbeing of the client
- The release will not breach the privacy of another client
- Staff should ensure that file notes in the electronic health record are free from inappropriate or judgmental language before release of information to clients.
SCCH must respond to a Request for Access to Health Records within 30 days. It is important to contact the client or third party when the request is received to clarify what exactly is required, when SCCH expects to respond and to discuss any charges that will apply.
Information for Service Users