A number of terms are used in this policy which have specific meanings as defined in the Privacy Act.
Personal information means “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.”
Some personal information is also classified as ‘sensitive information’. Sensitive information includes any personal information concerning a person’s race or ethnic origin, their political opinions, membership of political associations, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, biometric information used for automated biometric verification or biometric identification, biometric templates, health information and genetic information. Sensitive information is afforded a higher degree of privacy protection and is subject to additional standards under the Privacy Act in relation to its handling.
Health information is a subset of personal information and is also considered to be sensitive information. Health information means:
- information or an opinion about:
  - the health, including an illness, disability or injury, (at any time) of an individual; or
  - an individual’s expressed wishes about the future provision of health services to him or her; or
  - a health service provided, or to be provided, to an individual; and
- other personal information collected to provide, or in providing, a health service to an individual;
- other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances; or
- genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Eligible Data Breach has the meaning set out in the Privacy Act and generally means when there has been or is likely to be unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and a reasonable person would conclude that the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates and no remedial action has been taken.
Information collected by SJGHC
SJGHC collects personal information about individuals including patients, their relatives, employees, job applicants, contractors, vendors and suppliers, health professionals, students, volunteers and Foundation supporters.
SJGHC will only collect and hold personal information that is reasonably necessary for the performance of its services or obligations as an employer or accreditor of health practitioners. As a patient, we may collect information about your health history, family history, lifestyle, cultural or ethnic background and test results to assist in providing health care to you.
If you are employed by SJGHC or if you have applied for a position at one of our facilities, we will often collect information about your work history, contact details, referees and any other information that you might submit in your job application.
We collect similar background information about contractors, vendors, suppliers and health professionals who provide services to SJGHC and also about students and volunteers that attend at our facilities. Where required, information from police checks, working with children checks and pre-employment medical screenings may also be collected.
SJGHC usually collects your personal information directly from you and with your consent. We will only collect your personal information from someone else if we have your consent, or if it is authorised or required by law, or if it is unreasonable or impracticable for us to collect that information from you, for example, where your life is at risk and you are unable to respond and we need your personal information in order to provide emergency treatment.
Use and Disclosure
SJGHC will only use or disclose your personal information for the primary purposes for which it was collected or for directly related secondary purposes which you would reasonably expect (or about which we have told you) or as permitted or required by law. If there is any doubt about this expectation then we will obtain your consent before using or disclosing your personal information for a secondary purpose. Apart from the uses listed in this policy or otherwise permitted under the Privacy Act, using or disclosing your personal information will only be done with your consent.
Sections 1-5 below identify the purposes for which we collect your personal information and set out how we may use or disclose your personal information.
1. Provision of SJGHC services:
Personal information, including sensitive information, is collected by us for the primary purpose of ensuring patients and clients receive quality services whilst under our care. Accordingly, this information may need to be shared with other relevant people. Where necessary, your personal information, including your health information, may be collected from or disclosed to other health care providers, such as your general practitioner, home service provider or district health nurse or another hospital that may be involved in your ongoing care and/or services.
In addition, aspects of your personal information we collect may be used or disclosed for other purposes, including:
(a) Other health professionals: Some of the services provided within or by our facilities may be outsourced or provided by a contractor (i.e. physiotherapists or outpatient services). We may provide your personal information to them in order to assist in your care. Further, if you require certain medical devices or a prosthesis for your treatment, we may disclose your personal information to suppliers or manufacturers of those devices. We require all such health professionals and contractors to handle your personal information in accordance with the Privacy Act and this policy.
(b) Relatives, guardian or legal representative: Unless you have advised us not to disclose your health information, we may provide information about your condition to your next of kin, nominated relative, guardian or appointed legal representative.
(c) Quality assurance: From time to time, we may need to collect, use or disclose aspects of your personal information to monitor the standard of health services provided, through processes such as accreditation and evaluation, clinical audits, risk and claims management, education and training of staff, and quality assurance activities, including monitoring clinical outcomes. This may include obtaining information from other health service providers.
(d) Patient satisfaction: To ensure we are delivering our services to meet our patients’ needs, we monitor patient satisfaction. As a result, we, or someone we authorise, may contact you in the future to request your feedback on our services.
(e) Health service management: To aid the functioning of the health service, personal information of SJGHC patients may be used or disclosed to your health fund, Medicare and also to insurers, lawyers and your doctor for claims management. This may include providing your information to other advisers in the ordinary course of managing our business, to support administrative functions incidental to providing the health services.
(f) Billing: For billing and invoicing purposes, we may share relevant aspects of your personal information with third parties such as your other health care providers, Medicare, your private health insurance fund or external collection or account management agencies.
(g) Contractors: Depending on the requirements and resources available to SJGHC from time to time, we may engage third parties (such as IT suppliers, advisors and other professional service providers) to help us carry out our functions and activities and we may need to use and disclose your personal information in relation to these services. We require all such contractors to handle your personal information in accordance with the Privacy Act and where applicable this policy.
(h) Data required by law: We have legal obligations to provide information to various entities, for example if your medical record is subpoenaed or for compulsory reporting to State and Federal authorities. We may also provide your personal and health information to government agencies where we are providing health services under contracts with Government as required under those contracts. More information regarding these obligations is available on request.
(i) Direct marketing: We would like to use your personal information to contact you to provide marketing or promotional information in relation to other services we offer. We will always comply with the privacy law when using or disclosing information for marketing purposes. If you would prefer not to be contacted, you may indicate this at any time.
(j) St John of God Foundation (fundraising): As a not-for-profit group, SJGHC returns all profits to the community. The St John of God Foundation raises funds on behalf of SJGHC and relies on the generous support of the community to enable the delivery of better health outcomes, such as medical research, social outreach programs and major capital developments. Therefore, we use our patients’ personal information to allow the St John of God Foundation, or someone it authorises, to contact you to provide information related to fundraising or community projects. If you would prefer not to receive this information, you can indicate this.
(k) Research: SJGHC is committed to conducting research across a wide range of health fields with the aim of improving patient outcomes, public health and safety and teaching and otherwise as set out in the Privacy Act. SJGHC may use your health information for this purpose, which generally includes information contained in existing patient data, medical records and diagnoses by private specialists you have seen in the past. Only authorised persons will have access to your information. We will not disclose your identity to unauthorised persons.
(l) Religious Denomination: SJGHC values the religious beliefs of those for whom we care. Should you indicate on admission that you wish to be visited by a hospital endorsed representative of your religious denomination during your stay, your details will be given to the relevant chaplain, minister or cleric to enable this service to be provided. You may withdraw your consent at any time.
SJGHC collects, uses and discloses personal information about its staff in order to perform its obligations as an employer and as required by law. However, the handling of past and current employee records is exempt from the Privacy Act where there is a direct relationship between SJGHC and the past/current employee. SJGHC will retain your employee records confidentially and in accordance with the Fair Work Act 2009, which sets out your entitlements in relation to these documents.
3. Students, volunteers and job applicants:
We also collect personal information of job applicants, students and volunteers for the primary purpose of assessing their suitability for employment or undertaking work experience or clinical placement or providing other relevant assistance, as the case may be. Other purposes for which we may use personal information about those individuals include to contact them, for insurance purposes and to satisfy our legal obligations. We may store information provided by unsuccessful job applicants to send job alerts for future recruitment, where they have consented to this.
4. Health professionals, contractors and suppliers:
SJGHC collects personal information about contractors, suppliers and health professionals that provide services to SJGHC for the primary purpose of assessing, accrediting and engaging their services or expertise and for other purposes where legally required. Personal information about certain health professionals is also collected, used and disclosed for their accreditation under the credentialing process set out in SJGHC’s By-Laws for Health Professionals.
5. SJGHC’s website:
When you visit our website, we do not attempt to identify you and we do not store your personal information. We will only collect and store your personal information if you choose to provide this to us via an online form or by email, for example through our general enquiry or contacts page.
We note that our Internet Service Provider makes a record of your visit to our website and logs the following information for statistical purposes:
- Your server address;
- Your top level domain name (for example, .com, .gov, .au, .org);
- The date and time of your visit;
- The pages and documents you accessed; and
- The type of browser you are using.
This information is only used to evaluate the effectiveness of our website and, in the event of an investigation, a law enforcement agency or other government agency may exercise its authority to inspect the logs maintained by our Internet Service Provider.
Our website uses temporary cookies for security purposes. The cookies do not identify you as an individual user, but identify your ISP and browser type. This means we do not store any personal information from visitors to our website.
SJGHC takes reasonable steps to ensure that the personal information that we collect and hold is accurate, complete and up-to-date. We maintain and update the personal information we hold as necessary or when you have advised us that your personal information has changed.
Data storage and security
SJGHC securely stores your information in a range of mediums including electronic systems, electronic instrumentation, paper files and images.
We take steps to protect the personal information we hold against interference, misuse, loss and unauthorised access, modification or disclosure. SJGHC has data protection and security measures including administrative, physical and technical access restrictions, with only authorised people able to access relevant data.
Usually, we will store your personal information within Australia. We may enter into arrangements with third parties to store data we collect, or to access data to provide services, outside of Australia, and such data may include personal information. Before doing so, we will take reasonable steps to ensure that the overseas recipient will handle your personal information in a manner that will not breach the APPs. We will usually enter into a written agreement with an overseas recipient which requires that recipient to comply with the APPs.
When your personal information is no longer required, as appropriate it will be destroyed, deleted or de-identified securely in line with our retention and destruction policy and document disposal schedules which comply with government regulatory controls.
Notification of Eligible Data Breaches
SJGHC is committed to ensuring the security of personal information that it holds. In the event that there is an Eligible Data Breach, we will, as soon as practicable, take reasonable steps to notify those individuals whose personal information is involved or take such other steps as are required by law.
The notification will include:
- the identity and contact details of the SJGHC entity;
- a description of the data breach;
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
Requests for Access and/or Correction
You have the right to access and/or correct personal information that we hold about you, subject to the limits in the Privacy Act. If you wish to access or correct your personal information, you should make your request in writing to the privacy officer or the Health Information Manager at the relevant hospital or service.
You may wish to complete and lodge an application form which is available on request or from our website at www.sjog.org.au/privacy. Requests for access and correction can be made by post or facsimile. Post and facsimile details are contained in the relevant application forms. Our full contact details can be found on our website at www.sjog.org.au/contactus. No fees are charged for correction of information.
Fees and charges for access to information
While we do not charge an application fee for making a request for access, you may be charged administration, photocopying, counter, courier and delivery fees. Information on our fees is contained in the application forms referred to above. Alternatively, you can contact the privacy officer or Health Information Manager at the relevant hospital or service.
Response to your application
We will respond to your request for access or correction within a reasonable period. We will provide access or make the correction requested unless otherwise required or where we are permitted by law to withhold the information or not make the correction. We will notify you of the basis of any denial of access or correction to your personal information.
Where we allow access, the relevant officer will arrange to give you access to your personal information in the manner you have requested, if it is reasonable or appropriate, and practicable to do so.
If we agree that the personal information requires correction, the relevant officer will make the alterations or notation. If we do not believe a correction is necessary, you may insert an addendum (noting your comments) into the record.
How to make a complaint
If you have any concerns about your privacy or wish to make a complaint about a privacy breach, please contact the relevant hospital or service listed at www.sjog.org.au/contactus.
Your complaint should be in writing addressed to the privacy officer or Health Information Manager of the relevant hospital or service and you should provide us with sufficient details together with any supporting material regarding your complaint.
On receipt of your complaint, we will take steps to investigate the issue and will notify you of the outcome. The relevant officer may contact you by telephone or arrange to meet with you. Alternatively, we may respond in writing depending on the complexity and the nature of the matters in dispute. We will endeavour to respond to your complaint within a reasonable period.
If you are not satisfied with our response, you can contact us to discuss your concerns further or complain to the Office of the Australian Information Commissioner (Cth): see www.oaic.gov.au.
You can request access to your personal information by contacting the privacy officer or health information manager at the relevant hospital or service. While we do not charge an application fee, you may be charged administration, photocopying or counter fees.
Granting access and making amendments
Your request for access will normally be processed within 30 days (WA) or 45 days (Victoria and NSW) of receipt.
The relevant officer will arrange for you to view your records and photocopy documents if required. If, after your review, you consider the personal information requires correction or changes, the relevant officer may make arrangements for alterations to be made or noted. If we do not believe any changes are necessary, you may insert an addendum (noting your comments) into the record.
In a psychiatric setting, access can be refused if the treating doctor feels the information may be harmful to you or others.
The following documents may assist you in applying for access to your health information in Victoria, Western Australia or New South Wales. For forms relating to other states or New Zealand, please contact the hospital or service direct.
Applying to amend health records
The following documents may assist you in applying to amend your health records in Victoria and Western Australia. For forms relating to other states or New Zealand, please contact the hospital or service direct.