
Privacy - Health Information Policy

This is the current version of this document.

Section 1 - Background and Purpose

(1) The Health Records Act 2001 applies to public bodies established for a public purpose under an Act and to private health service providers and private organisations that collect, hold or use health information. It provides that an act done or practice engaged in by an organisation is an interference with the privacy of an individual if the act or practice is contrary to, or inconsistent with, a Health Privacy Principle.

(2) The University is bound by privacy legislation and must manage health information in accordance with the Health Privacy Principles in the Health Records Act 2001. The Principles stipulate how public sector organisations covered by the Act should collect, use, store, disclose and give access to health information.

(3) This Policy and Procedure:

  1. informs staff and students about how the University manages health information; and
  2. explains how to make a complaint if an individual believes there has been an interference with his/her privacy.

Section 2 - Scope

(4) Applies to:

  1. All campuses;
  2. All staff;
  3. All organisational areas of the University.

(5) This Procedure applies to all organisational areas of the University. It applies to the collection, use, storage and disclosure of, and access to, health information.

(6) The health information can be recorded in any format - for example, in writing, online, digitally or by electronic means.

(7) This Procedure does not cover the management of personal information that is not health information. The management of such information is covered by the Privacy - Personal Information Policy. Nor does this Procedure apply to health information that is:

  1. in a publication that is available to members of the public;
  2. kept in a library, art gallery or museum for reference, study or exhibition purposes;
  3. a public record under the control of the Keeper of Public Records that is available for public inspection; or
  4. an archive within the meaning of the Commonwealth Copyright Act 1968.

Section 3 - Policy Statement

(8) The University is committed to the protection of the privacy of health information. It will manage health information in accordance with privacy laws.

Section 4 - Procedure

Health Privacy Principles

(9) The University will manage health information in accordance with the Health Privacy Principles (HPPs) in the Health Records Act 2001. This Procedure should be read in conjunction with those Principles, which are set out in Schedule 1 of the Health Records Act 2001. The University will:

  1. only collect health information that is necessary for its functions or activities in accordance with HPP 1;
  2. comply with all applicable guidelines issued by the Health Services Commissioner under Section 22 of the Health Records Act 2001;
  3. only collect health information about an individual if the individual has consented, the collection is required under law (e.g. collection of statistics for a government agency) or the collection is otherwise in accordance with HPP 1;
  4. if it collects health information about an individual, take reasonable steps to ensure that the individual is made aware of:
    1. the identity of the University’s privacy officer and how to contact that officer,
    2. that he or she is able to gain access to the information (subject to the provisions of the Freedom of Information Act),
    3. the purposes for which the information about him/her is collected,
    4. to whom the organisation usually discloses information of that kind,
    5. any law that requires the particular information to be collected, and
    6. the main consequences (if any) for the individual if the information is not provided.

      (Note: This paragraph (d) will not apply to the extent that compliance with it would pose a serious threat to the life or health of any individual, or would involve the disclosure of information given in confidence.)
  5. not use or disclose health information about an individual for a purpose other than the original purpose of collection except in accordance with HPP 2;
  6. as required by Section 16 of the Health Records Act 2001, interpret HPP 6 regarding an individual’s right of access to, and correction of, health information subject to the procedures contained in the Freedom of Information Act 1982; and
  7. take reasonable steps to ensure that health information is stored securely.

(10) Organisations and individuals contracted to provide services to the University will also be required to comply with the Health Privacy Principles in relation to acts done by the service provider for the purposes of the contract with the University.

Privacy Officer

(11) The responsibilities of the University’s Privacy Officer will include:

  1. ongoing review of the University’s practices and procedures to ensure that they comply with this Procedure, current legislation and best practice;
  2. reviewing this Procedure and advising and educating University management and staff of their responsibilities under this Procedure, the Health Records Act 2001 and the Privacy and Data Protection Act 2014; and
  3. the receipt and investigation of complaints.

Complaints

(12) Any individual in respect of whom health information is or has been held by the University may complain to the University’s Privacy Officer about an act or practice of the University that the individual believes is an interference with the privacy of that individual.

(13) The Privacy Officer will investigate the complaint as speedily as possible. The Privacy Officer will then advise the Vice-Chancellor or nominee of his/her findings and make recommendations to the Vice-Chancellor or nominee about the complaint.

(14) The Vice-Chancellor or nominee will make a decision on the complaint and advise the complainant in writing of the result of the investigation.


Section 5 - Definitions

(15) For the purpose of this Policy and Procedure:

  1. Health information has the meaning set out in section 3 (1) of the Health Records Act 2001. In summary, health information is personal information:
    1. about the physical, mental or psychological health or disability of an individual;
    2. about an individual’s expressed wishes regarding the future provision of health services to him or her;
    3. about a health service provided, or to be provided, to an individual;
    4. collected to provide a health service;
    5. about an individual collected in connection with organ or body substance donation; or
    6. that is genetic information in a form which is or could be predictive of the health of the individual or of his or her descendants.

Section 6 - Stakeholders

Responsibility for implementation – Vice-Chancellor; General Counsel, Legal Services; and Privacy Officer.
Responsibility for monitoring implementation and compliance – Privacy Officer.