1. Purpose of this policy

Northern Health collects the personal information (including health information) of patients, their representatives and next of kin, members of the public and donors, suppliers, contractors and service providers. The personal information collected will depend on the nature of the individual’s relationship or interaction with Northern Health and its staff. Northern Health will only collect personal information where it is reasonably necessary for, or directly related to, one or more of its functions or activities.

This Privacy Policy explains how Northern Health protects the personal information of the individuals we work with and service. In particular, this policy aims to ensure that Northern Health staff maintain patient privacy and confidentiality at all times, and understand their obligations under the relevant laws.

The policy deals with the collection, storage, use, disclosure, access, correction, and destruction of personal information within all campuses of Northern Health. The Northern Health policy on privacy is: Northern Health is committed to protecting a patient’s privacy and confidentiality.

All personal information collected, stored, used, released and destroyed by Northern Health complies with all Victorian legislation relating to confidentiality and privacy, including, where relevant, the Information Privacy Act 2000 (Vic), the Health Services Act 1988 (Vic), the Health Records Act 2001 (Vic), the Mental Health Act 1986 (Vic) and the Freedom of Information Act 1982 (Vic).

2. Types of Personal Information we collect

2.1 Patients

Northern Health collects information about patients in order to properly diagnose health conditions, deliver appropriate services and improve health. Each patient of Northern Health has a patient record that is updated at every attendance. The type of information collected includes (but is not limited to):

  • contact details (name, address, telephone number, email address, next of kin);
  • age, date of birth, gender, marital status;
  • driver’s licence number, Medicare number;
  • medical history, treatment records, images, photographs, family medical histories;
  • referrals to and from other practitioners and their reports;
  • ethnic origin (for example, to assess your eligibility for free health services); and
  • if payments or co-payments are required, banking/credit card details.

2.2 Website visitors

For our website visitors, we collect information such as your IP address, internet service provider, the web page directing you to our website and your activity on our website. This information is usually anonymous and we do not use it to identify individuals. However, due to the nature of internet protocols, such information might contain details that identify you.

2.3 Health providers and stakeholders

We collect personal information regarding health providers and stakeholders (for example, general practices, allied health providers, government agencies), and their employees to better understand and improve the health system.

The type of information collected can include:

  • name;
  • contact details;
  • role / health services provided; and
  • connection with Northern Health.

3. How we collect your information

Northern Health will only collect health information that is necessary to perform our functions.

Staff will always try to collect information in a fair, lawful and non-intrusive manner. Wherever possible, staff will collect information directly from the patient (where it is reasonable and practical to do so) rather than from third parties.

If information is collected from a third party, all endeavours will be made to inform the patient. Information will be provided to patients advising them of why we are collecting information, any laws that require information to be collected, the organisations or types of organisations to whom we usually disclose the information and the consequences of not providing information.

3.1 Patients

Northern Health employees usually collect personal information directly from individuals and their representatives unless it is unreasonable or impracticable to do so. We collect health and sensitive information with your consent in a fair and unobtrusive way.

We also collect information about patients from:

  • patients and their representatives through forms, agreements, mail, email, telephone, in-person inquiries and website inquiries;
  • referrers and third parties (e.g. specialists or providers outside Northern Health); and
  • publicly available sources of information.

3.2 Website visitors

We collect data from our website using various technologies, including cookies. A cookie is a text file that our website sends to your browser which is stored on your computer as a tag identifying your computer to us. You can set your browser to disable cookies. However, some parts of our website may not function properly (or at all) if cookies are disabled.

3.3 Health providers and stakeholders

We generally collect personal information directly from individuals. However, for some health providers and stakeholders, we may collect your personal information from your colleagues or other health providers and stakeholders, or clients.

In some cases, we collect your personal information from public sources (for example, national health practitioner register, internet) or through your memberships (for example, with peak bodies).

3.4 Other individuals

We may collect personal information from other individuals from time to time in various situations. For example, we may collect personal information from next-of-kin and guardians of patients we treat. We may also collect personal information from prospective employees and from suppliers who enter into contracts with us.

4. Purpose of collection

4.1 Patients

We collect and use personal and health information for the primary purpose of providing health services and diagnosing conditions.

The following are specific examples of when we collect and use your personal information:

  • to make appointments and send reminder notices;
  • to maintain your personal information, our client records and other medical registers;
  • to inform your nominated emergency contacts (next of kin) of a medical condition;
  • to disclose your health information to paramedics and health professionals in a medical emergency;
  • to use de-identified information to model or forecast service demand;
  • to liaise with a person’s nominated representative or family members where needed; and
  • to improve our services through quality improvement activities, audits, surveys and program evaluations.

4.2 Website visitors

We use information regarding website visits for the purposes we collected it. We may also use your information to personalise your website visit or to enable remarketing website functionality.

4.3 Health providers and stakeholders

We collect personal information regarding the employees, volunteers and officers of our health providers and stakeholders:

  • to pursue collaborative projects and matters of common interest (e.g. referral, shared maternity care and community outreach programs);
  • in the course of contracting with them or arranging for the delivery of health services for clients; and
  • to distribute information about our activities and publications by way of direct communications/marketing to improve our health system and the health of our clients.

We may collect personal information regarding your interests to personalise your interactions with us.

5. Use and disclosure

We will only disclose your personal information:

  • for the primary purpose for which it was collected; or
  • for purposes related to the primary purpose; or
  • when permitted by the Information Privacy Principles or the Health Privacy Principles; or
  • with your consent; or
  • for direct marketing; or
  • when needed for law enforcement.

5.1 Patients

Staff shall only use or disclose personal information where the use or disclosure of the information is for the purpose of providing care and treatment to patients and for purposes directly related to providing such care and treatment.

Staff may disclose health information to other health care providers for the purpose of providing further treatment and care for patients. Northern Health may disclose your personal information to third parties, including:

  • other health providers in connection with treatment (such as doctors, specialists, pathology services, radiology services or allied health professionals) or training;
  • third party service providers to send correspondence or packages, arrange co-payments, conduct surveys and perform administrative or health related functions;
  • regulatory authorities (for example, Medicare), accreditation bodies and government departments to comply with the requirements imposed on Northern Health and its employees; and
  • medical indemnity providers, quality assurance or accreditation bodies to comply with their administrative requirements.

Northern Health may also use or disclose information for other purposes permitted under the privacy laws, for example court orders and legislative requirements such as cancer registration and infectious disease notification. Aside from where the law specifically allows, staff will not use or disclose information for purposes that are unrelated to the treatment or care of patients without the consent of a patient.

5.2 Website visitors

Our technology infrastructure may make use of cloud infrastructure or servers located outside Australia. This means that we may disclose and store your personal information outside Australia, taking such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Information Privacy Principles or the Health Privacy Principles in respect of your personal information.

We may also obtain website analytics services (e.g. Google Analytics) for our websites. Information and data collected by such a provider may be stored on servers worldwide.

5.3 Health providers and stakeholders

We may disclose your personal information to fellow partners and stakeholders to undertake collaborative projects.

5.4 Other purposes

We may also use and disclose personal information for distributing information about Northern Health and its activities, making representations to Government and other agencies pertaining to our activities, complying with our statutory reporting obligations and other obligations imposed by law, and our internal business functions (including business management purposes and assessing employment applications).

6. Effect of non-provision of personal information; anonymity

From time to time, you may be able to deal with us anonymously. For example (without limitation), if you have a general inquiry about us and/or our health services, we may be able to respond to your inquiry on an anonymous basis.

Depending on the category of information, your withholding of personal information from us might mean we are unable to perform some essential functions of managing our operations and activities, including one or all of the purposes listed above in clause 4.

7. Data quality

Staff will take reasonable steps to make sure that the information held is accurate, complete and up to date. Staff are required to update or confirm patient details on each contact at any campus within Northern Health.

8. Data security and retention

Personal information kept in electronic and hard copy is controlled, monitored and restricted to relevant staff and authorised external users only. Security safeguards are in place to ensure information is protected against loss, modification, disclosure, unauthorised access or misuse. Health information must be retained for the minimum periods proclaimed in the Public Records Act.

Outside service contractors are required as part of their contract conditions to abide by the Northern Health Privacy Policy. All outside service contractors must demonstrate they comply with both State and Commonwealth privacy laws.

All documents containing personal information must be destroyed or permanently de-identified in a secure and confidential manner.

9. Transborder data flows

When required to transfer health information to organisations outside Victoria for the provision of care and treatment, this will only be done when consent has been obtained and the receiving organisation is subject to binding privacy obligations similar to those to which Northern Health is subject.

10. Transfer/closure of Northern Health

In the event that Northern Health ceases to operate, or the business is sold or transferred and Northern Health’s health services are discontinued, Northern Health will ensure that adequate mechanisms are in place to protect your privacy information. Northern Health will take all reasonable steps to notify you of the transfer or closure, including publishing a notice in a local newspaper that is circulated in the locality of Northern Health.

Northern Health may elect to retain your privacy information, transfer it to the health service provider that takes over Northern Health, or transfer it to you or a health services provider you nominate. In circumstances where Northern Health elects to retain your privacy information, it will be secured or lawfully destroyed.

11. Making information available to another health service provider

An individual’s health information may be made available to another health service provider where the individual has directly requested Northern Health to provide the information, or has authorised another health service provider to obtain the information from Northern Health.

12. Privacy infringements

All suspected infringements of privacy will be thoroughly investigated. Disciplinary action will be taken in cases where investigations or suspected infringements of privacy are proven.

13. Access and correction

Patients seeking access to, or correction of, their health information must do so in writing under the Freedom of Information Act 1982. All requests for information must be addressed to the Freedom of Information Officer at the relevant campus and will be processed in accordance with the Freedom of Information Act 1982.

Personal information held by Northern Health may be accessed at any time, upon written request. We will respond within a reasonable time after the request is made and give access to the information in the manner requested by you, unless it is impracticable to do so. We are entitled to charge you a reasonable administrative fee for giving you access to the information requested.

13.1 Lodging a complaint

Should you wish to complain about a potential breach of this Privacy Policy or the Australian Privacy Principles, please contact our Privacy Officer.

The Privacy Officer will make good faith efforts to rectify the issue and respond within a reasonable period after the complaint is made.

13.2 Contact details

Privacy Officer
Northern Health
185 Cooper Street
Epping, VIC 3076