Northern Australia Primary Health Limited (‘NAPHL’) is committed to ensuring the privacy and confidentiality of your personal and sensitive information. This Privacy Policy outlines how NAPHL collects and manages personal, health and sensitive information in accordance with the Privacy Act 1988 (Cth) (‘Privacy Act’).

In this Privacy Policy, the expressions “NAPHL”, "we", "us" and "our" are a reference to Northern Australia Primary Health Limited ABN 87 063 397 231 and its Related Bodies Corporate and Related Entities.

NAPHL is required to adhere to the Privacy Act, National Disability Insurance Scheme Act 2013 (Cth) and Other Relevant Legislation.

This Privacy Policy applies to all patients, next-of-kin, employees, contractors, Accredited Health Professionals, volunteers and students. All business units of NAPHL are required to ensure that their processes for the collection, storage, use, disclosure and disposal of information adhere to this Privacy Policy.

By using our Services you agree to the terms of this Privacy Policy and consent to us collecting, maintaining, using and disclosing your personal, health and sensitive information in the way described in this Privacy Policy.

If you have any concerns or complaints about the manner in which your personal information has been collected, used or disclosed by us, or if you believe that we have failed to comply with our obligations contained in the Privacy Act, we have put in place an effective mechanism and procedure for you to contact us so that we can attempt to resolve the issue or complaint.

You can e-mail us at [email protected], or write to us at PO Box 7780, Garbutt Qld 4814, and our Privacy Officer will then attempt to resolve the issue.

We recommend that you keep this information for future reference.

1. Definitions

1.1 In this Privacy Policy:

(a) “Health Information” has the same meaning as given under section 6FA of the Privacy Act and includes information or an opinion about:

(i) the health, including an illness, disability or injury, (at any time) of an individual; or

(ii) an individual’s expressed wishes about the future provision of health services to the individual; or

(iii) a health service provided, or to be provided, to an individual; or

(iv) that is also Personal Information.

(b) “Other Relevant Legislation” means:

 (v) Information Privacy Act 2009 (QLD)

(vi) Freedom of Information Act 1982 (Cth)

(vii) Disability Services Act 2006 (Cth)

(c) “Personal Information” has the same meaning as given under section 6 of the Privacy Act and means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is reasonably identifiable, from the information or opinion.

(d) “Primary Purpose” means Personal or Health Information about an individual that was collected for a particular purpose. Any use or disclosure of the information for another purpose is known as the “Secondary Purpose”;

(e) "Related Body Corporate" or "Related Bodies Corporate" has the same meaning as under the Corporations Act 2001 (Cth);

(f) "Related Entity" or "Related Entities" has the same meaning as under the Corporations Act 2001 (Cth);

(g) "Services" means the services provided by us to you;

(h) "Sensitive Information" has the same meaning as under section 6 of the Privacy Act and includes information or an opinion about an individual’s racial or ethnic origin and sexual orientation and practices;

(i) "Website" means www.naphl.com.au or any other website we may establish or operate from time to time;

(j) The meaning of any general language is not restricted by any accompanying example, and the words 'includes', 'including', 'such as', 'for example' or similar words are not words of limitation.

2. Collection of your personal information and sensitive information

2.1 NAPHL only collects personal information that is necessary for us to provide the Services to you. The type of information we may collect from you includes (but is not limited to) the following:

 (a) your contact information such as full name (first and last), e-mail address, current postal address, delivery address (if different to postal address) and phone numbers;

 (b) details relating to your employment (if applicable) or your previous employment;

(c) your date of birth;

(d) proof of your date of birth (including, but not limited to, driver’s licence, passport, birth certificate);

(e) your employment status;

(f) details relating to complaints;

(g) current and prior education details;

(h) information regarding language preference and proficiency;

(i) your financial information (such as credit card or bank account numbers);

 (j) any additional information required to provide you with our Services;

(k) your opinions, statements and endorsements collected personally or via surveys and questionnaires; and

(l) if you are requesting products or services from us or we are purchasing goods or services from you, any relevant payment or billing information (including but not limited to bank account details, direct debit, credit card details, billing address, repayment information and invoice details).

2.2 NAPHL only collects personal information which is reasonably necessary for us to provide the Services to you. We will collect personal information directly from you unless it is unreasonable or impractical to do so. We may also collect personal information from your representatives, through our Website or other electronic communication channels, when sent to us via email or other communication from third parties, when required by law to do so, from publicly available sources of information, or when you enter into a competition or promotion or participate in a survey, from our suppliers or partners and from private vendors. We are not responsible for the conduct of third parties with respect to the handling of your personal information, including any violations by third parties of their own privacy policies or applicable law/s.

2.3 NAPHL may collect Sensitive Information from you which is reasonably necessary for us to provide the Services to you. We will obtain written consent from you prior to collecting your sensitive information, unless a permitted general situation exists under the Privacy Act. NAPHL will provide notification at the point of collection of both sensitive information and personal information, as to the purpose for collection, and what the information will be used for.

2.4 The type of sensitive information we may collect from you or record about you is dependent on the Services provided to you by us and will be limited to those purposes reasonably necessary for our functions or activities. We do not use sensitive information to send you Direct Marketing Communications (as defined in paragraph 6 below) without your express consent.

2.5 Depending upon the reason for requiring the information, some of the information we ask you to provide may be identified as mandatory or voluntary. If you do not provide the mandatory data or any other information we require in order for us to provide our Services to you, we may be unable to effectively provide our Services to you.

2.6 If you use our Website, we may utilise "cookies" which enable us to monitor traffic patterns, help us facilitate any promotions, surveys or advertising materials that we provide and to serve you more efficiently if you revisit NAPHL’s Website. We may also use "cookies" as a tracking technology within promotional materials that we provide to you. Third parties may help us to track activity within our Website and may also use "cookies" as a tracking technology. A cookie does not identify you personally but may identify your internet service provider or computer. You can set your browser to notify you when you receive a "cookie" and this will provide you with an opportunity to either accept or reject it in each instance.

2.7 We may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our Services. This information does not identify you personally.

 

3. Collection of Health Information

3.1 NAPHL may collect Personal Information and Health Information from you that is reasonably necessary for us to provide Services to you and for administrative and internal business purposes. In order to provide Services to you, we may collect the following information from you:

 (a) Details of your health history;

(b) Your family history;

(c) Details of your current lifestyle.

 

3.2 NAPHL only collects Health Information by lawful and fair means. We will generally only collect Health Information directly from you with your consent. We may collect Health Information without your consent where the collection is required or authorised by or under an Australian Law or a court/tribunal order.

3.3 In some circumstances we may collect Health Information about you from third parties with your consent or when it is not reasonable or practical for us to collect the information directly from you. For example, we may collect Health Information about you from a third party without your consent in an emergency when we cannot collect the information directly from you.

3.4 Collection of information at NAPHL allows for the use of anonymity or pseudonymity where possible. Some of NAPHL’s business activities and functions will not allow for anonymity or pseudonymity as it may not be practical for us to deal with unidentified individuals or those using a pseudonym.

3.5 NAPHL may collect Health Information about you if you are under the age of 18 (referred to as a ‘minor’ from hereon). If you are a minor, we will collect your Health Information either with your consent or from your parent(s)/guardian, depending on the results of a case-by-case review by the collecting officer as to whether you are capable of making your own decisions. If the minor is considered to be capable of making their own decisions, the information of the minor will be treated as that of an adult and will not be disclosed to third parties (including parents or guardians) unless the minor has consented to the disclosure of their information.

4. How we may use and disclose your health, personal and sensitive information

 4.1 We will only use or disclose your Health Information and Sensitive Information for the primary purposes for which it was collected, unless one of the following applies:

(a) the secondary purpose is related (or for sensitive information, directly related) to the primary purpose for which you have given NAPHL the information and you reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies;

(b) you have given your consent for us to use the information for another purpose;

(c) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order;

(d) where it is unreasonable or impracticable to obtain consent to the use or disclosure, and we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

(e) where we reasonably believe that the use or disclosure is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.

4.2 We will only use or disclose your personal information for the primary purposes for which it was collected or as consented to and/or as set out below.

4.3 You consent to us using and disclosing your personal information to facilitate a purpose in connection with:

(a) providing and facilitating healthcare;

(b) providing information and networking services to members;

(c) conducting research;

(d) human resources management;

(e) if required, the verification of your identity and the verification of your date of birth;

(f) the provision of our Services to you, including sharing information with companies acting as our agents to provide our Services;

(g) to communicate with you in order to provide you with our Services through various mediums such as email, SMS, social media, search engines and webpages;

(h) to facilitate the administration and management of our Services;

(i) the improvement, development and delivery of our Services (including to contact you about improvements and asking you to participate in surveys about our Services);

(j) the maintenance, development and analysis of our Services, business systems and infrastructure;

(k) marketing and promotional activities by us and our related bodies (including direct marketing by direct mail, telemarketing, email, SMS and MMS messages) such as our customer loyalty programs, promotional offers and newsletters;

(l) to provide customer service functions, including handling enquiries and complaints;

(m) to offer you updates, or other content or products or Services that may be of interest to you;

(n) our compliance with applicable laws (including bankruptcy laws) and legal obligations, in response to a law enforcement agency's request, or where we have reason to believe that disclosing your personal information is necessary to identify, contact or commence legal action against a third party who may be causing injury or interference with our rights, property, Services or business;

(o) the sale, and matters in connection with a potential sale, of our business or company to a third party, including mergers and transfers of the business or part thereof to a third party; and

(p) any other matters reasonably necessary to continue to provide our Services to you

 

4.4 We may also use or disclose your personal information and in doing so we are not required to seek your additional consent:

(a) when it is disclosed or used for a purpose directly related to the primary purposes of collection detailed above and you would reasonably expect your personal information to be used or disclosed for such a purpose;

(b) if it is required or authorised by law.

4.5 In the event we propose to use or disclose such personal information other than for reasons in 4.2 and 4.3 above, we will first seek your consent prior to such disclosure or use.

4.6 If you have received communications from us and you no longer wish to receive those sorts of communications, you should contact our privacy officer who will then attempt to resolve the issue and we will ensure the relevant communication ceases. Any other use or disclosure we make of your personal information will only be as required by law or as permitted by the Privacy Act 1988 or by this privacy policy or otherwise with your consent.

5. The types of organisations to which we may disclose your personal information

5.1 We may disclose your personal information to organisations outside of NAPHL for a purpose directly related to the primary purpose of collection detailed in this Privacy Policy.

5.2 Your personal information is disclosed to these organisations and/or parties only in relation to the Services we provide to you or for a purpose permitted by this Privacy Policy; however, we are not responsible for the conduct of third parties with respect to the handling of your personal information.

6. Direct Marketing

6.1 You expressly consent to us using your personal information, including any email address you give to us, to provide you with information and to tell you about our products, Services or events or any other direct marketing activity (including third party products, services, and events) (Direct Marketing Communications) which we consider may be of interest to you.

6.2 Without limitation to clause 6.1, if it is within your reasonable expectations that we send you Direct Marketing Communications given the transaction or communication you have had with us, then we may also use your personal information for the purpose of sending you Direct Marketing Communications which we consider may be of interest to you.

6.3 If at any time you do not wish to receive any further Direct Marketing Communications from us, you may ask us not to send you any further information about products and Services and not to disclose your information to other organisations for that purpose. You may do this at any time by using the “unsubscribe” facility included in the email or by contacting our Privacy Officer.

7. Cross Border Disclosure

7.1 Any personal information provided to us may be transferred to, and stored at, a destination outside Australia, including Canada, Chile, China, Hong Kong, countries within the European Union, India, Japan, Malaysia, New Zealand, Philippines, Russia, Singapore, South Africa, South Korea, Sri Lanka, Taiwan and the United States of America, where we may utilise overseas data and website hosting facilities or where we have entered into contractual arrangements with third party service providers to assist us with providing our Services to you. Personal information may also be processed by staff or by other third parties operating outside Australia who work for us or for any suppliers, agents, partners or related companies of NAPHL.

7.2 The Privacy Act 1988 requires us to take such steps as are reasonable in the circumstances to ensure that any recipients of your personal information outside of Australia do not breach the privacy principles contained within the Privacy Act 1988. By providing your consent, under the Privacy Act 1988, we are not required to take such steps as may be reasonable in the circumstances.

7.3 By submitting your personal information to NAPHL, you expressly agree and consent to the disclosure, transfer, storing or processing of your personal information outside of Australia. In providing this consent, you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to personal information and you may not be able to seek redress in the overseas jurisdiction.

7.4 If you do not agree to the transfer of your personal information outside Australia, please contact our Privacy Officer.

8. Data quality and security

8.1 NAPHL uses appropriate technologies and processes such as access control procedures, network firewalls, and physical security to protect personal information, Sensitive Information and Healthcare Information.

8.2 Information collected by NAPHL will be held in an appropriately secure manner, depending on the information and method of collection, including:

(a) Online and offline databases;

(b) Online file servers;

(c) Locked drawers or filing cabinets.

8.3 Personal, Sensitive and Health information is only able to be accessed and used by employees that require the information to provide the Services to you. Access to your information is granted to employees on a ‘needs to know’ basis. Attempts to access personal or sensitive information by an unauthorised employee or use by an employee of personal or sensitive information for any other purpose than that which it was collected (except in permitted general situations) is forbidden and may result in disciplinary action.

8.4 We will take reasonable steps to help ensure your personal information is safe. However, we cannot guarantee the security of all transmissions or personal information, especially where the Internet is involved.

8.5 You acknowledge that we are not liable for the safety of your personal information where you provide or allow access to such information by parties other than us.

8.6 Notwithstanding the above, we will take reasonable steps to:

 (a) make sure that the personal information we collect, use or disclose is accurate, complete and up to date;

(b) protect your personal information from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods; and

(c) destroy or permanently de-identify any information if it is no longer needed for its purpose of collection provided NAPHL is not required under an Australian law or court/tribunal or otherwise to retain the information.

8.7 If information is no longer required for the primary purpose for which it was collected, it must be disposed of in accordance with the NAPHL Retention and Disposal Schedule.

8.8 However, the accuracy of personal information depends largely on the information you provide to us, so we recommend that you:

(a) let us know if there are any errors in your personal information; and

(b) keep us updated with changes to your personal information (such as your name or address).

9. Access to and correction of your personal information

9.1 You are entitled to have access to any personal information, Sensitive Information and Health Information relating to you which we possess, except in some exceptional circumstances provided by law. You are entitled to edit such information unless we are required by law to retain it or permitted to retain it in accordance with this Privacy Policy. However, we may keep track of past transactions for our accounting and audit requirements. Furthermore, it may be impossible to completely delete your information because some information may remain as backups.

9.2 In order to access your personal information, Sensitive Information and Health Information, you should contact your NAPHL service provider in the first instance. The service provider is required to verify your identity and provide you with access to the requested personal information within 30 days, unless an exception applies under the Privacy Act.

9.3 If you notify the service provider that information held by NAPHL is inaccurate or incorrect, the service provider is required to review the information, and correct the information within 30 days, unless the service provider is satisfied that the information held by NAPHL is correct.

9.4 You have a right to ensure that your Health Information is confidential. Provided you are competent to request access to information, no other person is entitled to access your Health Information without your consent. This includes partners/spouses/relatives and parents (where the minor is considered capable of making their own decisions).

  • NAPHL may charge a reasonable fee for giving you access to your information.

10. Media Consent

10.1 NAPHL considers on a case-by-case basis whether we are required to obtain media consent from you if you are exposed to the media. Generally, we are required to obtain media consent from you where you directly interact with the media, or feature in NAPHL-developed marketing or communication outputs.

11. CCTV Cameras

11.1 NAPHL uses camera surveillance systems (commonly referred to as CCTV), at its Townsville Mental Health facility (Riverway) for the purpose of maintaining the safety and security of its employees, users of our Services, visitors and other attendees to the facility. The format of this monitoring and recording system is a 24-hour motion detected visual surveillance (not including sound) and is considered “overt surveillance”. Clearly visible cameras and signage will notify persons that the area they are in is under surveillance and the purpose for the surveillance.

11.2 NAPHL will comply with the Information Privacy Act 2009, the Right to Information Act 2009, APPs and this Privacy Policy in respect of any information collected via its CCTV systems.

12. Online Security

12.1 Online security breaches can be split into the following two categories:

(a) online security breaches (cyber breach). This includes physical breaches such as the theft of a laptop or the loss of a USB stick containing personal or sensitive information; and

(b) data breaches: particularly in a medical setting where you have multiple identifiers, personal and confidential information.

12.2 In accordance with the Notifiable Data Breaches Scheme, under Part IIIC of the Privacy Act, NAPHL is required to adequately respond to, assess and notify any person/s or entity/s that have been involved in a data breach. See appendix (a) for further information, including the OAIC approved process for responding, containing, assessing and notifying in the event of a data breach.

12.3 NAPHL’s Privacy Officer is responsible for coordinating a response and notification to a data breach.

13. Third Party Sites

13.1 Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval of these websites. Please be aware that Northern Australia Primary Health Limited is not responsible for the privacy practices of other such websites. We encourage our users to be aware of when they leave our website, and to read the privacy statements of each and every website that collects personally identifiable information.

14. Consent

14.1 By using our Website (as may be applicable), engaging us to perform or using our Services or by accepting the terms of one of our terms and conditions which refer to this Privacy Policy, you are agreeing to the terms of this Privacy Policy.

14.2 If you do not agree to the terms and conditions of this Privacy Policy, please do not use our Website and contact our Privacy Officer.

14.3 We reserve the right to modify our Privacy Policy as our business needs require. We will notify you of such changes (whether by direct communication or by posting a notice on our Website), after which, your continued use of our products, Services or Website or your continued dealings with us shall be deemed to be your agreement to the modified terms. If you do not agree to our continued use of your personal information due to the changes in our privacy policy, please contact our Privacy Officer at:

 Postal Address: PO Box 7780, Garbutt Qld 4814

Telephone: (07) 4421 7700

Email: [email protected]

 

Appendix A.

Notifiable data breaches 

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm.

When to report a data breach

Under the Notifiable Data Breach (NDB) scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
  • this is likely to result in serious harm to one or more individuals, and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action

An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

A data breach that occurred before 22 February 2018 is not an eligible data breach for the purposes of the NDB scheme. However, certain data breaches occur over a period of time. While a system may have been compromised before 22 February 2018, data may have been accessed after that date. While the circumstances will need to be assessed, we suggest that an organisation or agency in this situation should assume the data breach is subject to the NDB scheme.

Report a data breach

When an organisation or agency the Privacy Act 1988 covers has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify any individual at risk of serious harm. They must also notify us.

An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.

 For further information on Notifiable data breaches please refer to the OAIC website:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/

Your data may also be available to our website provider to enable us and them to deliver their service to us, carry out analysis and research on demographics, interests and behavior of our users and supporters to help us gain a better understanding of them to enable us to improve our services. This may include connecting data we receive from you on the website to data available from other sources. Your personally identifiable data will only be used where it is necessary for the analysis required, and where your interests for privacy are not deemed to outweigh their legitimate interests in developing new services for us. In the case of this activity the following will apply:

  1. Your data will be made available to our website provider
  2. The data that may be available to them include any of the data we collect as described in this privacy policy.
  3. Our website provider will not transfer your data to any other third party, or transfer your data outside of the EEA.
  4. They will store your data for a maximum of 7 years.
  5. This processing does not affect your rights as detailed in this privacy policy.