Your right to privacy
St Georges Basin Medical Centre is committed to protecting the privacy of your personal information in accordance with the Privacy Act 1988. The Australian Privacy Principles which came into effect in March 2014, in conjunction with other Privacy Legislation, set the standards for the way St Georges Basin Medical Centre handles personal information. This Privacy Statement explains how your personal information will be managed by the Practice.
ABOUT PRIVACY
You have the right to have your personal information kept private. We are bound by strict confidentiality and secrecy provisions. These provisions limit how we use your information and when and to whom it can be released. We also have obligations under the Privacy Act 1988.
WHAT IS PRIVACY
The Privacy Act contains 13 Australian Privacy Principles (APPs) which regulate the way we collect, store, provide access to, use and disclose personal information.
The Privacy Act provides you with a number of rights, including:
- You will generally be told what kind of information we are collecting and how we collect it
- You will generally be told why your personal information is being collected
- Your personal information can only be collected for a lawful purpose
- You can ask to see what information we hold about you. The Freedom of Information Act 1982 also supports this
- Your personal information must be stored securely and protected from interference or misuse
- You can make a complaint to us about the way your personal information has been handled
WHAT IS A PATIENT’S HEALTH RECORD
A general practice health record is a concise document containing an individual’s health history, including personal information, medical history, vital signs, test results, treatment plans, and correspondence with healthcare providers. It serves to support care coordination, clinical decision-making, and patient involvement in their healthcare.
COLLECTION AND USE OF INFORMATION
When we collect your personal information, the collection must be reasonably necessary for, or directly related to, our activities.
In addition to requesting information from you, we may also obtain information about you and your family from other third parties.
Any personal information we receive from a third party is treated the same as if you provided it.
DISCLOSURE OF INFORMATION
Your personal information will not be disclosed to any other person, body or agency unless:
- You give us permission
- It is authorised or required by law
- It meets one of the other exceptions in the Australian Privacy Principles
From time to time it may be necessary to disclose your personal information to third parties. The circumstances in which, and the parties to whom, your information may be disclosed are outlined in our Privacy Policy.
All information shared electronically is encrypted and sent via secure messaging through Argus.
Information included in referral letters is drawn from standardised templates within our clinical software, Best Practice, which comply with RACGP standards. Only information relevant to the treatment required is included in our referrals.
PURPOSE OF THIS POLICY
The purpose of this privacy policy is to tell you about the handling of personal information within St Georges Basin Medical Centre.
Our Obligations under the Privacy Act
This policy sets out how we comply with our obligations under the Privacy Act 1988 and the Australian Privacy Principles which are set out in a Schedule to that Act.
APP 1 – Open and transparent management of personal information
St Georges Basin Medical Centre will only collect information that is necessary for us to provide our patients with a service.
We collect personal information through a variety of channels, including:
- Paper form
- Electronic (via Argus secure messaging) or fax
- Face to face
- Over the phone
All personal information is stored electronically and securely.
APP 2 – Anonymity and pseudonymity
Where it is lawful and practicable, patients of St Georges Basin Medical Centre have the option of not identifying themselves, or of using a pseudonym (alias), when dealing with the Practice.
APP 3 – Collection of solicited personal information
What is ‘personal information’ and ‘sensitive information’?
The terms ‘personal information’ and ‘sensitive information’ come from section 6 of the Privacy Act. References to personal information throughout the Privacy Policy include sensitive information unless otherwise indicated.
Personal information means:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- Whether the information or opinion is true or not; and
- Whether the information or opinion is recorded in a material form or not.
Sensitive information means:
- information or an opinion about an individual's:
- Racial or ethnic origin
- Political opinions
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual orientation or practices
- Criminal record
- health information about an individual
- genetic information about an individual that is not otherwise health information
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification
Sensitive information
The Australian Privacy Principles impose additional obligations when collecting, using or disclosing sensitive information. We may only collect sensitive information where:
- You consent to the collection
- The collection is required or authorised by law or a court/tribunal order
- A ‘permitted general situation’ exists, such as to prevent a serious threat to safety.
APP 4 – Dealing with unsolicited personal information
We sometimes collect and receive personal information from third parties. Generally, when your personal information is collected from someone other than you, we will take steps to inform you, either by letter or by phone.
APP 5 – Notification of the collection of personal information
Real-time Audio/Visual Recording
St Georges Basin Medical Centre will always obtain informed patient consent for real-time audio/visual recording, duplication and storage of a consultation, including those via telehealth and those conducted remotely.
How to make a complaint about the handling of your personal information
If you believe St Georges Basin Medical Centre has not collected or handled your personal information in accordance with our obligations under the Privacy Act 1988, we recommend you first try to resolve the issue with the Practice, either in writing or by speaking with our Practice Manager or the person concerned. If you are still not satisfied, please write to:
The Health Care Complaints Commission
Locked Bag 18, Strawberry Hills NSW 2012
Phone: 1800 043 159
Our Practice has a sign in the waiting room letting patients know how to obtain a copy of our Privacy Policy.
APP 6 – Use or disclosure of personal information
Our Practice collects and holds your personal information for the purpose of your health record only. The APPs regulate how and when we may use or disclose your information to a third party. This may occur only when:
- We have your consent
- The use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order
- A permitted general situation exists in relation to the use or disclosure of the information.
APP 7 – Direct marketing
Disclosing your personal information to other parties
St Georges Basin Medical Centre will not disclose your personal information to any other person or third party unless:
- You have consented
- The disclosure is required or authorised by or under law
- The disclosure is otherwise permitted by the APPs.
Sharing (using) your personal information across the Practice
All staff sign a confidentiality agreement and do not disclose any personal information outside the Practice. If your clinical information is shared for the purpose of training and education at our clinical meetings, all of your personal information is de-identified first.
Medical research and you
St Georges Basin Medical Centre is committed to continuous improvement, and may participate in research about a range of medical issues.
Medical research does not reveal the identity of the participants.
NB: you can withdraw from participation in research at any time.
APP 8 – Cross-border disclosure of personal information
St Georges Basin Medical Centre and its providers have obligations regarding the transfer of health information both into and out of Australia. In line with the Australian Privacy Principles, your medical record is a confidential document. It is the policy of this Practice to maintain the security of personal health information at all times and to ensure this information is only available to authorised members of staff.
We may only disclose information within Australia when:
- You consent to the disclosure
- The disclosure is required or authorised by law or a court/tribunal order
- A ‘permitted general situation’ exists, such as to prevent a serious threat to safety.
We may disclose your personal information to an overseas recipient, such as a foreign government or agency, where international information sharing arrangements are in place or the disclosure is required or authorised by law.
APP 9 – Adoption, use or disclosure of government related identifiers
St Georges Basin Medical Centre limits the use of Commonwealth Government identifiers (such as the Medicare number, the Veterans Affairs number or Centrelink numbers). All other personal information collected is reasonably necessary for our day to day functions such as Proof of Identity (POI) and for administrative purposes and for e-health.
APP 10 – Quality of personal information
The accuracy of your personal information is paramount to us. We regularly audit this data by asking you to confirm three personal identifiers, such as your name, date of birth and address. This also ensures the accuracy of any information that may be disclosed to a third party.
APP 11 – Security of personal information
The security of personal information at St Georges Basin Medical Centre covers our patients as well as our employees.
Our Practice takes reasonable steps to protect the personal information we hold and has a staff member who is responsible for privacy compliance: our Practice Manager. APP 11 requires us to protect personal information against six risks: misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure.
These steps include:
1/ MISUSE
Personal information is classified “misused” if it is used for a purpose that is not permitted by the Privacy Act. APP 6 sets out when an entity is permitted to use personal information.
2/ INTERFERENCE
Interference with personal information occurs where there is an attack on personal information that does not necessarily modify its content. An attack on our computer system that leads to the exposure of personal information is interference.
Our Practice has an external IT provider who manages our computer systems and access security and assists us in responding to any data breaches. Our IT systems are protected by firewalls, encryption and anti-virus/anti-malware software.
3/ LOSS
Loss of personal information covers the accidental or inadvertent loss of personal information. This includes the physical loss of personal information (including hard-copy documents, computer equipment or portable storage devices containing personal information), for example by leaving it in a public place, or loss as the result of theft following unauthorised access.
Loss does not include the intentional destruction or de-identification of personal information that is done in accordance with the APPs.
In the event of a loss, we will take remedial action and assess whether serious harm is likely to result from the loss.
4/ UNAUTHORISED ACCESS
Unauthorised access occurs when personal information that our Practice holds is accessed by someone who is not permitted to do so. This includes an employee of our Practice or an independent contractor. Staff and contractors at our Practice are given access to our Best Practice clinical software only at the level relevant to their roles, which restricts access to areas of the system that are not needed for their role. Each user has an individual password, and all passwords are confidential and not shared.
5/ UNAUTHORISED MODIFICATION
Unauthorised modification is when personal information is altered by someone who is not permitted to do so.
All staff are educated in the APPs and their obligations. Staff are kept up to date with changes to the privacy laws and these changes are discussed at staff meetings.
6/ UNAUTHORISED DISCLOSURE
Unauthorised disclosure occurs when a staff member makes personal information accessible or visible to others outside our Practice or releases information in a way that is not permitted.
Our Practice has procedures and systems in place to prevent sensitive information from being seen by unauthorised persons. The reception desk does not have computer screens facing patients or visitors, and all workstations have a timeout that blanks the display after 10 minutes of inactivity.
Practice staff are trained and are aware that telephone conversations can be overheard by patients and visitors in our waiting area and sensitive conversations are conducted away from major traffic areas.
Staff are also trained in the following areas:
- Dealing with requests from partners and spouses for information on each other.
- Dealing with requests from a parent for information concerning their child.
- Privacy issues when dealing with patients over the telephone.
WHEN DESTROYING OR DE-IDENTIFYING PERSONAL INFORMATION
When no longer required, personal information is destroyed in a secure manner, or archived in accordance with our obligations under the Privacy Act and Archives Act 1983.
Our Practice contracts a secure document destruction company and they have adequate security measures in place to guarantee safe transit and destruction of patient records and documents.
When our Practice participates in clinical audits and clinical research all our data is de-identified.
APP 12 – Access to personal information
All patients of St Georges Basin Medical Centre have the right to access their own personal information, except in the following circumstances:
- Releasing the information may endanger the life, health or safety of the patient or the community.
- Releasing the information may impact the privacy of other individuals.
- Your personal information is part of existing or anticipated legal proceedings.
APP 13 – Correction of personal information
St Georges Basin Medical Centre welcomes any corrections to patients’ personal information that are brought to our attention. Audits are performed regularly to keep records up to date and accurate by checking three personal identifiers and updating all contact details.
Electronic Messaging Service (SMS)
From time to time we may send you an SMS alert or reminder. You may receive these messages from us if you have provided your mobile phone number.
The purpose of these alerts or reminders is to inform you of:
- Reminders to attend appointments
- Appointment cancellations
- Doctors’ scheduling changes
- Requests to contact the office
- Urgent call backs
NB: you can withdraw from this service at any time.
Policy Review
This policy will be reviewed regularly to ensure it is in accordance with the Australian Privacy Principles and our organisational policies. Next review date 1/7/2024