Privacy Policy
In compliance with the Privacy Amendment (Private Sector) Act 2000, GP Access has prepared this Privacy Policy to describe the way and circumstances under which personal information is collected, stored, used and disclosed by GP Access. The Policy is intended as a guide to GP Access staff and members and for the advice of the broader community.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (p 57 Guidelines on Privacy in the Private Health Sector, Office of the Federal Privacy Commissioner)
For the purposes of this Policy, no distinction has been made between the handling of personal information and sensitive information (including health information).
Any enquiries regarding this Policy should, in the first instance, be directed to the GP Access Privacy Officer:
Janelle White on Ph: (02) 4925 2259 Email: Janelle White
GP Access will provide a copy of this Policy to all members of staff and will train staff in the appropriate handling of personal information by GP Access.
This policy is a public document and access to it will be granted on request.
Complaints Handling
Any complaints in relation to GP Access’ handling of personal information should be directed to the Privacy Officer. In most cases the complainant will be asked to lodge their complaint in writing.
Unless a complaint can be dealt with immediately to the satisfaction of both parties, GP Access will provide a written response to the complaint within 30 days of it being received.
If an individual believes their complaint has not been appropriately handled by GP Access, they should contact the Office of the Federal Privacy Commissioner, Privacy Hotline 1300 363 992 (local call charge) or via the Privacy website.
National Privacy Principles (NPP)
The Privacy Act 1988 contains ten National Privacy Principles that represent the minimum privacy standards for handling personal information. An outline of these principles and GP Access’ commitment to meeting them is given below:
NPP 1 - Collection
Collection of personal information must be fair, lawful and not intrusive. Collection must also be necessary for the business of the organisation. A person must be told the organisation’s name, the purpose of collection, to whom it is usually disclosed, that they can get access to their personal information and what may happen if they choose not to give the information.
- GP Access will only collect personal information necessary to undertake our programs, activities or functions.
- Personal information about an individual will only be collected by lawful and fair means and directly from the individual wherever possible.
- A contact name and telephone number for GP Access will be given to every individual who provides personal information.
- We will ensure that each individual providing personal information is informed about and understands the purpose of GP Access collecting the information, to whom or under what circumstances their personal information may be disclosed to another party, and how they can access the information held about them by GP Access.
- We will ensure that individuals providing personal information understand the consequences, if any, of providing incomplete or inaccurate information.
- In providing services to general practices, GP Access will only collect personal information from general practices that have agreed in writing to participate in a quality improvement initiative aimed at improving the performance of the practice and/or health services to the practice patients.
NPP 2 - Use & Disclosure
An organisation should only use or disclose information for the purpose it was collected unless the person has consented, or the secondary purpose is directly related to the primary purpose and a person would reasonably expect such use or disclosure, or, for personal information that is not health information, for direct marketing in specified circumstances, or in circumstances related to public interest such as law enforcement and public or individual health and safety.
- GP Access will ensure that personal information will only be used for the purpose it was collected, or a directly-related purpose, that would reasonably be expected by the individual providing the information.
- If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, we will obtain informed consent from the individual.
- Individuals will be given the opportunity to refuse such use or disclosure.
- If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Act) may do so, if this is necessary to ensure the treatment or care of the patient, or for compassionate reasons. Providing consent under this clause does not mean the responsible person is given guardianship/power of attorney privileges. Such privileges are covered by State/Territory Guardianship legislation.
- We will only disclose personal information without consent where such disclosure is required by law, or, in some circumstances, for law enforcement, or in the interests of the individual’s or the public’s health and safety.
- We will keep records of any such use and disclosure.
- Information may be disclosed to a responsible person (as described under the Act).
- No data collected from a general practice will be given to third parties without the written approval of the practice.
- Aggregated practice data will be de-identified so it does not identify individual practices as the source of the data.
- GP Access may use aggregated practice data for the purposes of promoting the benefits of participating in quality improvement initiatives and for further quality system and health service improvements.
NPP 3 - Data Quality
An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
- GP Access will update our databases or records as soon as possible after being advised by an individual of changes to their personal information held by GP Access.
NPP 4 - Data Security
An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
- All personal information held by GP Access will be:
a) if in paper form, received and stored in a secure, lockable location;
b) if in electronic form, password and firewall protected;
c) accessible by staff only on a “need to know” basis;
d) not taken from GP Access offices unless authorised and for a specified purpose.
- We will destroy or permanently de-identify personal information that is no longer required by GP Access.
NPP 5 - Openness
An organisation must have a policy document outlining its information handling practices and make this available to anyone who asks.
- This policy will be made available to any person requesting access to it.
- A general statement describing our approach to privacy will be on public display at GP Access.
- If requested by an individual, we will provide more detail about our information-handling practices (i.e. what personal information of theirs is held and how it is handled by GP Access).
NPP 6 - Access & Correction
Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.
Under normal circumstances GP Access will provide an individual with access to their personal information within 30 days of receiving a request for access.
- There will be no fee associated with lodging a request for access; however, a small but reasonable administration fee may be charged.
- Provision of access to a person’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters etc.
- If an individual believes that information held by GP Access is inaccurate or incomplete, GP Access will take steps to amend or correct the information.
- Some exceptions where GP Access may refuse access include:
a) If it reasonably believes that a person’s health or life may be seriously threatened or at risk by releasing the information; or
b) If access would be unlawful or would prejudice a legal investigation; or
c) If access would have an unreasonable impact on others’ privacy.
- Under circumstances other than NPP 6, point 4 above where information is withheld, GP Access will ensure that its practices are consistent with the provisions of NPP 6.
- If information is withheld under NPP 6, point 4 above, GP Access will provide an explanation to the individual as to the reasons why this was the case.
NPP 7 - Identifiers
Generally speaking, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government ‘agency’.
- Except where circumstances allow (NPP 7.2), GP Access will not use Medicare or Veterans Affairs numbers or other identifiers assigned by a Commonwealth agency (or State/Territory body where this is prohibited under State/Territory law) to identify personal information.
NPP 8 - Anonymity
Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.
- Where it is lawful and practicable to do so, GP Access will allow individuals to provide information anonymously.
- An individual who chooses to access the services of GP Access anonymously will be advised of any potential consequences resulting from their decision e.g. where the lack of a contact name or address may jeopardise care in an emergency situation.
- We will not automatically preclude an individual from participating in the activities of GP Access because they request anonymity.
NPP 9 - Transborder Data Flows
An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection.
- GP Access will only transfer personal information about an individual to someone who is in a foreign country if:
a) the individual consents to the transfer; or
b) the recipient is bound by legislation that is substantially similar to the NPPs; or
c) we have taken reasonable steps to ensure that the information will not be held, used or disclosed inconsistently with the NPPs.
NPP 10 - Sensitive Information
An organisation must not collect sensitive information unless the individual has consented, it is required by law – or in other special specified circumstances, for example, relating to health services provision and individual or public health or safety.
- GP Access will only collect sensitive information (as defined under the Act) about an individual, if:
a) the individual consents; or
b) the collection is required by law; or
c) such collection is consistent with the provisions of NPP 10
- For example, GP Access will comply with this principle for the collection of sensitive information for the purposes of our member database.
Procedures
GP Access has implemented the privacy principles in the following ways:
- GP Access will only collect personal information necessary to undertake our services, activities or functions.
1.1 Personal information about an individual will only be collected by lawful and fair means and directly from the individual wherever possible.
1.2 The name and telephone number of the appropriate member of staff will be provided to every individual who provides personal information.
1.3 We will ensure that each individual providing personal information is informed about and understands the purpose of collecting the information, to whom or under what circumstances their personal information may be disclosed to another party, and how they can access the information held about them by GP Access.
1.4 We will ensure that individuals providing personal information understand the consequences, if any, of providing incomplete or inaccurate information.
- GP Access will ensure that personal information will only be used for the purpose it was collected, or that would reasonably be expected by the individual providing the information.
2.1 If the identified information is to be used for a secondary or unrelated purpose, such as data analysis or research, we will obtain informed consent from the individual.
- Individuals will be given the opportunity to refuse such use or disclosure.
- If an individual is physically or legally incapable of providing consent, a responsible person (as described under the Act) may do so.
2.2 GP Access will only disclose personal information without consent where such disclosure is required by law, or for law enforcement, or in the interests of the individual’s or the public’s health and safety as described under the Act.
Subject to the exceptions listed below, personal health information held by GP Access can only be disclosed:
- For the purpose for which it was collected; or
- For another directly related purpose that is within the reasonable expectations of the patient.
Personal health information can be used or disclosed to others for some other purpose if:
- The patient concerned has consented to the use or disclosure; or
- The GP Access staff reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety, or a serious threat to public health or public safety; or
- The use or disclosure is required or authorised by law (e.g. statutory duties to notify certain infectious diseases or suspected child abuse, or compliance with a subpoena or court order); or
- Where GP Access staff have reason to suspect unlawful activities or reasonably believe it is reasonably necessary for certain law enforcement purposes; or
- The information concerns a patient who is incapable of giving consent, and is disclosed to a person responsible for the patient for compassionate reasons or to enable appropriate care or treatment to be provided to the patient; or
- The use or disclosure is necessary for research or the compilation of statistics, is approved by a properly constituted Human Research Ethics Committee, and is conducted in accordance with that Committee’s requirements.
Any disclosure should be limited to that which is either authorised or required in order to achieve the desired objective.
GP Access staff must not use or disclose a patient’s Medicare number, or any other identifier assigned by or on behalf of a Commonwealth agency, unless required to do so to fulfil their obligations to the agency, or unless the use or disclosure is to lessen or prevent a serious threat to life, health or safety or public health and safety, where required or authorised by law or for certain law enforcement purposes or investigations of suspected unlawful activities.
2.3 The Service will keep records of any such use and disclosure.
- GP Access will take reasonable steps to ensure that personal information kept, used or disclosed is accurate, complete, and as up to date as practicable.
- All personal information held by GP Access will be:
- if in paper form, received and stored in a secure, lockable location;
- if in electronic form, password and firewall protected;
- accessible by staff only on a “need to know” basis;
- not taken from GP Access unless authorised and for a specified purpose.
- This policy will be made available to any person requesting access to it.
5.1 A general statement describing our approach to privacy will be included in the service brochure.
- Under normal circumstances GP Access will provide an individual with access to their personal information within 30 days of receiving a written request for access.
6.1 There will be no fee associated with lodging a request for access; however, a small but reasonable administration fee may be charged.
6.2 Provision of access to a person’s personal information will be undertaken in a way that is appropriate to the person’s particular circumstances, e.g. use of interpreters etc.
6.3 If an individual believes that information held by GP Access is inaccurate or incomplete, steps will be taken to amend or correct the information.
6.4 GP Access may refuse access if it reasonably believes that:
- A person’s health, safety or wellbeing may be compromised by releasing the information; or
- Providing access would be unlawful or would prejudice a legal investigation.
6.6 If information is withheld under 6.4, GP Access will provide an explanation to the individual as to the reasons why this was the case.
- Except in urgent circumstances, GP Access will provide information concerning individuals who contact or are treated by GP Access within 30 days of the receipt of a written request for such information.
7.1 The request must include details of the type of information required and the purpose for the request (as outlined in Section 2.2 of this document and in the Privacy Act 1988).
7.2 Requests shall be considered individually on a case by case basis.
7.3 The Chief Executive Officer or their delegate is the designated person for authorising the release of any information.
7.4 Information supplied is to be collected in person by the individual requesting such information.
7.5 Under circumstances where information is withheld, GP Access will ensure that its practices are consistent with the provisions of NPP 6.
7.6 If information is withheld, GP Access will provide an explanation to the individual as to the reasons why this was the case.
- Except where circumstances allow (NPP 7.2), GP Access will not use Medicare or Veterans Affairs numbers or other identifiers assigned by a Commonwealth or State/Territory agency to identify personal information.
- Where it is lawful and practicable to do so, GP Access will allow individuals to provide information anonymously.
9.1 An individual who chooses to access the services of GP Access anonymously will be advised of any potential consequences resulting from their decision (e.g. where the lack of a contact name or address may jeopardise care in an emergency situation).
9.2 We will not automatically preclude an individual from participating in the activities of GP Access because they request anonymity.
- GP Access will only transfer personal information about an individual to someone who is in a foreign country if:
- the individual consents to the transfer; or
- the recipient is bound by legislation that is substantially similar to the NPPs; or
- we are reasonably sure that the information will not be held, used or disclosed inconsistently with the NPPs.
- GP Access will only collect sensitive information (as defined under the Act) other than health information about an individual if:
- the individual consents; or
- the collection is required by law; or
- such collection is consistent with the provisions of NPP 10.













