The following two privacy policies can be found on this page:
Health Information Privacy and Access
The Privacy Act (C’lth) incorporates ten National Privacy Principles (NPPs) which set out requirements for the handling of personal and sensitive information, which includes health information (see definitions below). They govern information collection, storage and maintenance, and use and disclosure; as well as access by an individual to his/her information and openness about how it is managed by the institution.
The NPPs do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified.
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, and criminal record or health information about an individual.
Health information is one kind of sensitive information and includes information or an opinion:
- about an individual’s health or disability at any time (that is, past, present or future)
- about an individual’s expressed wishes regarding future health services
- about health services provided, or to be provided, to the individual
- collected while providing a health service
- collected in connection with the donation or intended donation of body parts and substances.
This means that personal details related to a patient’s attendance (e.g. name, address, Medicare number, billing information, admission/discharge dates), medical information, notes made by health care personnel, identifiable biological specimens or samples, or genetic information all constitute “health information”.
Collection of information
According to the NPPs the Hospital must:
- Only collect health information necessary for its functions or activities.
- Use fair and lawful ways, that are not unreasonably intrusive, to collect health information.
- Collect health information directly from an individual if it is reasonable and practicable to do so (there is an exception where it is necessary to obtain an individual’s family, social or medical history, which may contain information relating to other persons).
- Take reasonable steps, at the time of collecting health information or as soon as practicable afterwards, to make an individual aware of why the information is being collected, who it may be disclosed to, how it can be accessed etc. (This is done by providing a copy of the Personal Information Management Policy—see below.)
- Take reasonable steps to ensure the individual is aware of the above points even if the information is collected from someone else.
- Only collect health information with the express or implied consent of the individual concerned, unless collection is required by law or it is necessary to prevent a serious threat to the life or health of any person.
Use and disclosure of information
The Hospital may use or disclose an individual’s health information where use or disclosure is:
- for the primary purpose for which it was collected (eg provision of medical care and treatment; health fund claims)
- for a directly-related secondary purpose that would have been within the reasonable expectations of the patient at the time (eg quality improvement activities)
- with the consent of the individual (see Consent to Use Information below)
- required or authorised by law
- necessary to prevent serious and imminent threat to an individual or to public health.
Access to and correction of information
- Patients have the right to access health information held about them, unless:
  - It would pose a serious threat to the life or health of any individual.
  - It would have an unreasonable impact on the privacy of others.
  - The request for access is frivolous or vexatious.
  - Denying access is required or authorised by law.
- Access may be provided in a number of different ways. For example the patient (or his/her authorised representative) may view and discuss their records with a health service provider and/or obtain a copy of the information or a summarised report.
- Access requests or related queries should be directed to the Privacy Coordinator who can also provide the appropriate form (ie Request to Access a Patient Record).
- Access requests must be processed within 30 days and reasonable fees may be charged.
- If a person requests a correction to their health information, the Hospital must either make the correction, where appropriate, or add a note to the records with details of the request. Requests for correction shall be directed to the Privacy Coordinator.
Storage and maintenance of information
The Hospital must take reasonable steps to:
- Ensure that the health information it collects, uses or discloses is accurate, complete and up-to-date.
- Protect the health information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
- Destroy or permanently de-identify health information when it is no longer needed or required to be kept.
The hospital must not adopt Commonwealth identifiers, such as Medicare or DVA numbers, for its own identification systems (eg hospital medical record number).
Transborder data flows
The hospital may only transfer a person’s health information overseas when:
- The individual has given consent.
- The transfer is necessary for the fulfilment of a contract between the individual and the Hospital.
- The transfer is for the benefit of the individual but it is impracticable to obtain consent.
- It is believed that the information will be protected by a privacy scheme or legal provisions comparable to what exists in this country.
Enquiries and complaints
- Complaints by individuals who believe that the Hospital has breached their privacy. (Any unresolved complaint is dealt with by the Office of the Federal Privacy Commissioner).
Mater Health Services
South Brisbane Qld 4101
Phone: 07 3163 2666
Fax: 07 3163 8104
Clinical records request form
The following form has been made available for patients seeking access to clinical records.
Web Site Privacy
Mater Misericordiae Health Services Brisbane Limited ACN 096 708 922 (Mater) acknowledges and respects the privacy of individuals. This statement discloses our practices for the collection, use and disclosure of personal information in relation to the Mater Web site.
Collection of Information
When you access the Mater Web site, Mater may record your server address, domain name, the date and time of your visit, the pages viewed, the information downloaded and the frequency of visits.
Mater may also record information about the types of browsers that are being used to visit the Mater site. Mater uses this information for Web site and system administration, including monitoring to prevent security breaches, to assist Mater in further development and to improve the functionality of the site.
Mater will only collect sensitive information if it is necessary for the Mater to be able to consider the application for employment that you make, and only then with your express consent.
As part of any application for employment process it may be necessary for Mater to request, and for you to provide, additional information such as:
- providing registration details including your e-mail address; or
- providing a resume which will include your name, address, e-mail address, telephone numbers, employment and educational history, etc.
Use of Personal Information
Mater only uses personal information for the primary purpose of determining the suitability of an applicant for employment at Mater.
Internally, Mater has controls and procedures in place to ensure that the personal information Mater collects remains confidential to those Mater staff who may need to access the information for the primary purpose. All Mater staff are trained in privacy and are bound by duties of confidentiality.
Disclosure of Personal Information
Mater does not sell or trade in personal information, or allow third parties to use that personal information for their own purposes. The exception to this is where Mater may be required by law to disclose certain information.
Security of Personal Information
Mater will take reasonable steps to ensure that all information Mater collects, uses or discloses is accurate, complete, up to date, stored in a secure environment and accessed only by authorised persons. Mater aims to achieve best industry practice in the security of personal information which Mater holds.
It is Mater's policy to destroy personal information once there is no longer a legal or business need for the Mater to retain such information.
Access, Correction and Concerns
Mater will provide access to personal information upon request by an individual, unless a request is unreasonable and the National Privacy Principles would permit us to decline that access (e.g., where granting access would infringe another person's privacy or where the request for access is frivolous or vexatious).
If you believe that the information the Mater holds about you is incorrect, or if you have concerns about how Mater is handling your personal information, or you want to organise access to the information the Mater holds about you, please contact the Privacy Coordinator.
Office of the Privacy Commissioner
Further information on Mater's obligations under the Federal Privacy Act is available from the Office of the Privacy Commissioner.