Privacy Policy PRIVACY POLICY 1.0 Policy StatementNorthern Australia Primary Health Limited (NAPHL) is committed to ensuring the privacy and confidentiality of personal/private information. This policy outlines how Northern Australia Primary Health Limited (NAPHL) collects and manages personal and sensitive information in accordance with the Australian Privacy Principles (APP). 2.0 Purpose and BackgroundNAPHL is required to adhere to the Privacy Act 1988, National Disability Insurance Scheme Act 2013, other relevant legislation and the APP.There are 13 APPs to which NAPHL must adhere. The APPs regulate how NAPHL may collect, use, disclose and store personal/privacy information and how individuals may access personnel.These are:1. An open and transparent management of personal information2. Anonymity and pseudonymity3. Collection of solicited personal information4. Dealing with unsolicited personal information5. Notification of the collection of personal information6. Use or disclosure of personal information7. Direct marketing8. Cross-border disclosure of personal information9. Adoption, use or disclosure of government related identifiers10. Quality of personal information11. Security of personal information12. Access to personal information13. Correction of personal informationA privacy policy is required to ensure that NAPHL’s collection and handling of private and sensitive information is consistent, and adheres to the APPs at all stages of the information lifecycle. (collection, use, disclosure, storage, destruction and de-identification). 3.0 Scope of PolicyThis policy applies to all employees, contractors, volunteers and students. 4.0 Policy DetailNAPHL collects and uses private and sensitive information necessary to undertake its functions to improve health outcomes.All business units of NAPHL are required to ensure that their processes for the collection, storage, use, disclosure and disposal of personal or sensitive information adheres to this policy.Collection of informationIn the course of providing services, NAPHL collects personal and sensitive information as required by law, or for NAPHL to conduct its functions and activities. Collection purposes include: Providing and facilitating healthcare Providing information and networking services to members Conducting research Human Resources management.Personal information collected by NAPHL may include: Contact details Complaint details Information regarding language preference and proficiency Employment status Current and prior education details. NAPHL will obtain written consent from consumers prior to collection of sensitive information, unless apermitted general situation exists as per the APP. NAPHL will provide notification at the point ofcollection of both sensitive information and personal information, as to the purpose for collection, andwhat the information will be used for. NAPHL only collects personal and sensitive information by lawful and fair means, and only collectspersonal or sensitive information about a consumer directly from that consumer unless it isunreasonable or impractical to do so. All information collected by NAPHL will be used for the primary purpose for which it was collected.NAPHL may use or disclose the information for a secondary purpose if subclause 6.2 of the APPsapplies:“6.2 This subclause applies in relation to the use or disclosure of personal information about anindividual if:(a) the individual would reasonably expect the APP entity to use or disclose the informationfor the secondary purpose and the secondary purpose is:(i) if the information is sensitive information — directly related to the primarypurpose; or(ii) if the information is not sensitive information — related to the primary purpose;or(b) the use or disclosure of the information is required or authorised by or under an Australianlaw or a court/tribunal order; or(c) a permitted general situation exists in relation to the use or disclosure of the informationby the APP entity; or(d) the APP entity is an organisation and a permitted health situation exists in relation to theuse or disclosure of the information by the entity; or(e) the APP entity reasonably believes that the use or disclosure of the information isreasonably necessary for one or more enforcement related activities conducted by, or onbehalf of, an enforcement body.” Collection of information at NAPHL allows for the use of anonymity or pseudonymity where possible.Consumers should note that certain business activities and functions of NAPHL will not allow foranonymity or pseudonymity when information is collected, as this may be unsafe or impractical. Collection of information from consumers under the age of 18NAPHL collects information from consumers that are under the age of 18 (referred to as a minor fromhereon). Consent to collect sensitive information will be obtained from the minor, or the minor’sparents or guardian, depending on the results of a case by case basis review by the collecting officerof whether the consumer is capable of making their own decisions. If the minor is considered to becapable of making their own decisions, the private information of the minor will be treated as that ofan adult, and will not be disclosed to third parties (including parents or guardians) unless the minorhas consented to this disclosure. Security and disclosure of informationNAPHL will take reasonable steps to protect personal information from misuse, interference, loss,unauthorised access, modification or disclosure. NAPHL use appropriate technologies and processessuch as access control procedures, network firewalls, encryption and physical security to protectprivacy.Personal and sensitive information collected by NAPHL will be held in an appropriately securemanner, depending on the information and method of collection, including: Online and offline databases Online file servers Locked drawers or filing cabinetsPersonal and sensitive information is only able to be accessed and used by consumers that require the information to undertake NAPHL activities for which the information was collected. Access to personal and sensitive information is granted to employee on a ‘needs to know’ basis. Attempts to access personal or sensitive information by an unauthorised employee, or use by an employee of personal or sensitive information for any other purpose than that which it was collected (except in permitted general situations) is forbidden, and may result in disciplinary action. Cross-border disclosure of personal informationOccasionally NAPHL may hold personal information offshore in order to utilise a service that is required to perform the primary purpose for which the information was collected. NAPHL takes reasonable steps to ensure the security and handling of the information adheres to the APPs, and that the recipient of the information is subject to a similar law or binding scheme to the Privacy Act 1988 and the APPs.Access to, and correction of, personal informationConsumers have a right to access their personal information. In order to access personal information, a consumer should contact their NAPHL service provider in the first instance. The service provider is required to verify the identity of the consumer, and to provide the consumer with access to the requested personal information within 30 days, unless an exception applies under the APP. If a consumer notifies the service provider that personal information held by NAPHL is inaccurate or incorrect, the service provider is to review the personal information, and correct the information within 30 days, unless the service provider is satisfied that the information held by NAPHL is correct. Consumers have a right to ensure that health information is confidential. Provided a consumer is competent to request access to information, no other person is entitled to access information without the patient’s authority. This includes partners/spouses/relatives and parents (where the minor is considered capable of making their own decisions). Online Security BreachOnline security breach can be split into two categories: Online Security Breach (cyber breach): includes physical breach e.g. someone steals a laptop or the loss of a USB stick with sensitive information stored on it. Data Breach: especially in a medical setting where you have multiple identifiers, private and confidential information. Disposal of informationNAPHL will destroy or permanently de-identify any personal information which is in its possession or control and which is no longer needed for the purpose for which it was collected provided NAPHL is not required under an Australian law or court/tribunal or otherwise to retain the information. If information is no longer required for the primary purpose for which it was collected, is must be disposed of in accordance with the NAPHL Retention and Disposal Schedule. Media consentNAPHL considers on a case by case basis whether media consent is required from consumers that may be exposed to the media. Generally this is required from employees or consumers that will directly interact with the media, or feature in NAPHL developed marketing or communication outputs. CCTV CamerasNAPHL does use camera surveillance systems (commonly referred to as CCTV), at its Townsville Mental Health facility (Riverway) for the purpose of maintaining the safety and security of its employees, consumers, visitors and other attendees to the facility. The format of this monitoring and recording system is a 24 hour motion detected visual surveillance (not including sound) and is considered “overt surveillance” i.e. clearly visible cameras and signage that will notify persons that the area they are in is under surveillance and the purpose for the surveillance.NAPHL will comply with the Information Privacy Act 2009, the Right to Information Act 2009, APPs and this Privacy Policy in respect of any information collected via its CCTV systems. Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply: Your data will be made available to our website provider The data that may be available to them include any of the data we collect as described in this privacy policy. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA. They will store your data for a maximum of 7 years. This processing does not affect your rights as detailed in this privacy policy.