Our Privacy Policy
Privacy Act and Australian Privacy Principles
Our practice is covered by the Privacy Act 1988 and must meet the obligations of the Act. We have systems in place to protect the personal information we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Our practice holds sensitive information; sensitive information requires a higher level of privacy protection than other personal information.
Sensitive information is personal information that includes information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- trade union membership or associations
- sexual orientation or practices
- criminal record
- health or genetic information
- some aspects of biometric information
Australian Privacy Principles
The Australian Privacy Principles (or APPs) are the cornerstone of the privacy protection framework in the Privacy Act 1988 (Privacy Act). They apply to any organisation or agency the Privacy Act covers.
There are 13 Australian Privacy Principles and they govern standards, rights and obligations around:
- the collection, use and disclosure of personal information
- an organisation or agency’s governance and accountability
- integrity and correction of personal information
- the rights of individuals to access their personal information
Our practice regularly reviews our privacy policy to ensure compliance with the APPs. A summary of the APP guidelines follows:
| Principle | Summary |
|---|---|
| APP 1 | An APP entity must manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy. |
| APP 2 | An APP entity must give an individual the option of not identifying themselves or of using a pseudonym. Limited exceptions apply. |
| APP 3 | Outlines when an APP entity can collect solicited personal information. Higher standards apply to the collection of sensitive information. |
| APP 4 | Outlines how an APP entity must deal with unsolicited personal information. |
| APP 5 | An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters. |
| APP 6 | An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. |
| APP 7 | An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. |
| APP 8 | Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. |
| APP 9 | Outlines the limited situations when an organisation may adopt a government-related identifier of an individual as the organisation’s own identifier, or use or disclose a government-related identifier of an individual. |
| APP 10 | An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. |
| APP 11 | An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An APP entity has obligations to destroy or de-identify personal information in certain situations. |
| APP 12 | Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the APP entity. This includes a requirement to provide access unless a specific exception applies. |
| APP 13 | Outlines an APP entity’s obligations for correcting the personal information it holds about individuals. |
Reference: https://www.oaic.gov.au/privacy/australian-privacy-principles
Confidentiality and privacy of health and other information (C 6.3 A – D)
All patient health information must be considered private and confidential, and therefore must not be disclosed to family, friends, staff or others without the patient’s consent. This information includes medical details, family information, address, employment and other demographic and accounts data obtained via reception.
All practice team members are aware that any information given to unauthorised personnel will result in disciplinary action, possible dismissal and other legal consequences.
Informing patients on managing confidentiality and personal health information (C6.3 A)
Our practice has developed and implemented a privacy policy that details how we manage data, including data:
- collection
- use and disclosure
- quality and security
- correction
- access
- complaints
- overseas transfer
Patients, their family and carers can access our privacy policy on our website, in our newsletter, on posters and brochures, or on request.
All members of the practice receive training in the significance and obligations of the Privacy Act and the Australian Privacy Principles, the importance of confidentiality and our privacy policy. Training records are stored in PracticeHub or Personnel Files. It is the responsibility of the Practice manager to ensure all training records are completed and current.
At the commencement of their employment/engagement, the team member must sign a confidentiality agreement; the completed agreement is stored in their employment file in Practice Hub or their Personnel File.
A template for the patient privacy policy can be found in the RACGP Privacy policy template.
Informing patients how to access their health information (C6.3 B)
Patients of our practice are informed of their rights to access their personal health information in accordance with the Australian Privacy Principles (APPs). This is done via the practice information sheet, a notice in the waiting area, and the practice website www.verevfamilydoctors.com.au.
On request for access to personal health information, our practice documents each request and endeavours to assist patients in gaining access according to the Privacy Act and the APPs. We:
- Document the patient’s request and forward a request to the patient’s healthcare practitioner to check for exemptions
- Complete all steps to confirm identification of the patient or legally nominated representative prior to access being granted
- Provide personal health information within the period of time outlined in the Privacy Act
- Note any exemptions to access
Refer to C6.3 A above, for practice member training and training record requirements.
Transferring patient health information (C6.3 C)
To ensure timely, authorised, and secure transfer of patient health information we use the Argus/Healthlink secure message service or an XML encryption method. The patient may consent to their information being sent without such protection; this consent must be documented and recorded in the patient’s medical record.
Confidential data is not to be sent via email or the internet.
Electronic transfer of a patient’s health information cannot proceed unless requested by the patient. The patient’s consent is documented in their health record.
Refer to C6.3 A above, for practice member training and training record requirements.
The Practice manager is responsible for maintaining the secure messaging software and for troubleshooting and managing issues with the secure messaging software vendor. The Practice manager is also responsible for reviewing the use of the secure messaging service, addressing any discrepancies identified, updating procedures as required and providing updates to all practice team members.
Our healthcare professionals send all health information using secure messaging.
Our practice has advised external healthcare professionals/organisations that the practice’s method of transferring patient health information is using Argus/Healthlink secure messaging. All secure messaging contact details on the Healthcare Provider Directory and Endpoint Location Service are accurate and up to date.
Authorised access to patient health records, prescription pads, and other official documents (C6.3 D)
Our practice has secure electronic and/or physical storage locations for all official documents, including prescription forms, administrative records, templates and letterhead.
| Document | Location (insert site information) |
|---|---|
| official documents | electronic – e.g., shared drive |
| prescription forms | clinical software, access-controlled area |
| administrative records | Practice Hub/Practice Manager |
| templates | Shared Drive |
| letterhead | Best Practice Software |
Social media use (C6.4G)
This policy applies to all workplace participants and outlines the expectations of Verve Family Doctor’s (Practice) regarding social media use in connection with work, and identifies the risks associated with work and private social media use that might:
- impact the reputation or interests of the Practice;
- cause damage to the working relationship;
- impact on the safety of one or more workplace participants; and/or
- be incompatible with a workplace participant’s duties and obligations, including other workplace policies of the Practice (such as the Appropriate Workplace Behaviour Policy and the Practice’s work health and safety policies).
While the Practice respects the rights of individuals to comment on and engage in public debate about political, social and other issues, the Practice expects workplace participants to act in a professional, ethical, responsible and courteous manner when using social media, particularly when such use has the potential to adversely affect the Practice and/or other workplace participants.
Social media has many forms. For the purposes of this policy, social media consists of websites and applications that allow users to create and share highly visible user-generated content and to participate in social networking. Social media includes, but is not limited to, Facebook (including Facebook Messenger), Instagram, SnapChat, TikTok, Twitter, LinkedIn, Share, blogging, message boards, chat rooms, electronic newsletters, online forums, social networking sites and wikis, however described.
This policy applies to social media use at all times, irrespective of whether:
- the social media use is during or outside working hours;
- the worker is using technology equipment and/or devices provided by the Practice, the worker themself, or a third party; and
- the worker is located at the workplace or elsewhere.
The Practice may be vicariously liable for the conduct of a workplace participant on social media platforms, including personal social media accounts, where this usage impacts on the workplace. As such, workplace participants are required to take a conservative and cautious approach to compliance with this policy, and if in doubt about the Practice’s expectations under this policy (or how this policy applies to any proposed or particular conduct or behaviour on a social media platform), must immediately contact [insert relevant contact eg the practice manager].
What are my obligations when using social media platforms?
When using social media platforms, all workplace participants must:
- not engage in any conduct or behaviour that is inconsistent or interferes with their duties to, or their relationship with, the Practice or may tend to bring the Practice into disrepute;
- where an individual could reasonably be identified as having a working relationship with the Practice, be polite, courteous and respectful of others and behave in a way that upholds the integrity and good reputation of the Practice;
- where an individual could reasonably be identified as having a working relationship with the Practice, not be vulgar, sexually explicit, obscene or deliberately provocative;
- not disparage, or unreasonably criticise, make false or misleading statements about, abuse, threaten, bully, harass, humiliate, victimise or discriminate against the Practice, other workplace participants and/or its patients;
- not use or disclose any of the Practice’s confidential information, intellectual property and/or sensitive commercial information (or any third party’s confidential information, intellectual property and/or sensitive commercial information obtained through or as a result of the individual’s work at the Practice) unless expressly authorised by the Practice;
- not use or disclose any personal information of a patient of the Practice unless expressly authorised by the Practice and in accordance with privacy laws, including the Privacy Act 1988 (Cth);
- unless expressly authorised by the Practice, not imply that the Practice endorses their personal views or opinions;
- unless expressly authorised by the Practice, not use any email address provided to the individual by the Practice to register a personal social media account;
- comply with any relevant social media platform’s terms and conditions of use;
- comply with all applicable Australian laws (including, but not limited to, criminal, intellectual property, defamation, privacy, equal opportunity, bullying, sexual harassment, discrimination and consumer protection laws) and any applicable court or tribunal judgements; and
- comply with any other workplace policies (including, but not limited to, the Appropriate Workplace Behaviour Policy).
Can I use social media during working hours?
Occasional use of personal social media during working hours is permitted. However, when using social media in a private capacity during working hours:
- access should be brief and infrequent, and not undermine the performance of the individual’s duties in any way;
- access should not interfere with the individual’s work responsibilities or their colleagues; and
- workplace participants are required to comply with their obligations under this policy and any other workplace policies (including, but not limited to, the Appropriate Workplace Behaviour Policy).
Before posting online in a private capacity, workplace participants should be mindful that:
- anonymity online is not guaranteed, and anyone who posts material online should assume that their identity and the nature of their work can be revealed;
- material posted online lasts forever and may be replicated endlessly, through sharing and re-posting;
- material posted online may also be sent to unintended or unexpected recipients, who may view that material out of context;
- the speed and reach of content posted on social media means that comments posted online are available immediately to a wide audience; and
- social media platform security settings are not a guarantee of privacy, and material posted in a relatively secure setting can still be copied and reproduced elsewhere without your prior knowledge or agreement.
What constitutes best practice when using social media?
When posting on social media, all workplace participants should be mindful to comply with the following practices:
- don’t express your views as facts;
- don’t post impulsively; and
- don’t post when you are angry, upset or unsettled.
What happens if I don’t comply with this policy?
A workplace participant who fails to comply with this policy may be subject to disciplinary action, which may include termination of their employment or engagement.
A workplace participant who is suspected of breaching this policy must cooperate with any investigation conducted by or on behalf of the Practice, which may include preserving and not deleting relevant social media content, and by providing the Practice with reasonable access to such content. A failure to comply with such a requirement may, in itself, result in disciplinary action, including, in appropriate circumstances, termination of employment or engagement.
How will the Practice know if I haven’t complied with this policy?
Workplace participants should expect that any information they create, post, exchange or discuss on social media platforms may be viewed by the Practice at any time without notice.
The Practice will, on a continuing and ongoing basis and without further notice, monitor and review a workplace participant’s activities using the Practice’s IT resources and communication systems, including but not limited to social media postings, profiles and activities. The Practice may also conduct audits of social media platforms from time to time, including personal social media accounts.
The monitoring and/or audits will occur to ensure that workplace participants are acting in accordance with their duties and obligations to the Practice, including those arising under this policy and other workplace policies of the Practice, and for legitimate business purposes.
How do I make a complaint about social media use?
If a workplace participant is concerned that this policy has been breached, they should immediately contact the practice manager.
How do these guidelines interact with the Practice’s other workplace policies and my terms and conditions of work?
This policy is not intended to be exhaustive and it does not override or otherwise displace any other obligations that a workplace participant owes to the Practice. Workplace participants must never use social media in a manner that breaches this policy or any of the Practice’s workplace policies, including, but not limited to:
- the Code of Conduct;
- the Appropriate Workplace Behaviour Policy; and
- the Practice’s work, health and safety policies.
If social media use would breach the duties or obligations of a workplace participant if carried out in the workplace, it will also breach those duties or obligations in an online forum.
This policy does not form part of any contract between the Practice and a workplace participant and is not, and is not intended to be, contractual in nature.
The Practice may amend, replace or withdraw this policy at any time.