Privacy and Confidentiality Policy
We respect your rights to privacy and take our privacy obligations seriously. We comply with the Australian Privacy Principles, found under the Privacy Act 1988.
The Diabetic GP Clinic collects information from you for the primary purpose of providing you with healthcare services. We require you to provide us with your personal and health information so that we may provide our services to you. We will also use the information you provide in the following ways:
Effectively communicate with third parties, including Medicare Australia, private health insurers, government departments and other practitioners involved in your healthcare including the Allied Health Practitioners that work from The Diabetic GP Clinic.
Appropriately manage our practice, such as conducting audits, undertaking accreditation processes, manage billings and education/training staff.
For more information you can download and read our brochure The Diabetic GP Clinic: Keeping Your Personal Information Private in Our Practice.
Privacy in Australia
One crucial aspect of any practice is the management and storage of patient information. The Privacy Amendment (Private Sector) Act 2000 sets the standards for the way in which private sector organisations collect, use and disclose information about individuals.
From March 2014, the Australian Privacy Principles (APPs) detail these standards. These APPs replace the National Privacy Principles, and govern the collection and production of personal information.
There are 5 components of the Australian Privacy Principles:
Management of personal information in a open and transparent manner;
Dealing with unsolicited information;
Use and disclosure of information and government related identifiers;
Integrity, quality and security of personal information; and,
Access to and ability to correct personal information.
The 13 Australian Privacy Principles are:
1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct Marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information.
CURRENT AS OF 1 AUG 2019
Australian Privacy Principles (APP Policy)
For further information, please refer to the Australian Privacy Principles (APPs) website.
The point of contact regarding any queries regarding this policy is Hanna Dixon (Practice Manager)
Why and when your consent is necessary
When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.
Why do we collect, use, hold and share your personal information?
Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (eg staff training).
What personal information do we collect?
The information we will collect about you includes your:
names, date of birth, addresses, contact details;
medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors;
medicare number (where available) for identification and claiming purposes; and or,
healthcare identifiers; and/or,
health fund details.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.
How do we collect your personal information?
Our practice may collect your personal information in several different ways.
When you make your first appointment our practice staff will collect your personal and demographic information via your registration.
During the course of providing medical services, we may collect further personal information. Information can also be collected through electronic transfer of prescriptions (eTP), My Health Record (eg via Shared Health Summary, Event Summary). Currently, our practice participates in My Health Record.
We may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment or communicate with us using social media.
In some circumstances personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:
your guardian or responsible person
other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary).
When, why and with whom do we share your personal information?
We sometimes share your personal information:
with third parties who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
with other healthcare providers
when it is required or authorised by law (eg court subpoenas)
when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
to assist in locating a missing person
to establish, exercise or defend an equitable claim
for the purpose of confidential dispute resolution process
when there is a statutory requirement to share certain personal information (eg some diseases require mandatory notification)
during the course of providing medical services, through eTP, My Health Record (eg via Shared Health Summary, Event Summary). Currently, our practice participates in My Health Record but not eTP.
Only people who need to access your information will be able to do so. Other than in the course of providing medical services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent.
We will not share your personal information with anyone outside Australia without need and without your consent (unless under exceptional circumstances that are permitted by law). Currently we do not send information overseas and if we are required to do so, we will obtain your consent.
Our practice will not use your personal information for marketing any of our goods or services directly to you without your express consent. If you do consent, you may opt out of direct marketing at any time by notifying our practice in writing.
Our practice evaluates all unsolicited information it receives to decide if it should be kept, acted upon or destroyed.
The Diabetic GP Clinic will employ all reasonable endeavours to ensure that a patient’s personal information is not disclosed without their prior consent.
How do we store and protect your personal information?
The Diabetic GP Clinic complies with the Australian privacy legislation to protect your information. All data, both electronic and paper are stored and managed in accordance with the Royal Australian College of General Practitioners RACGP Computer and Information Security Standards and the requirements of our practice’s Business Continuity Plan.
How do we store your personal information?
At The Diabetic GP Clinic, your personal information may be stored in various forms. These forms include as an electronic record, paper records, visual x-rays and video and/or audio recordings. All personal information is stored security.
Our practice does try to avoid paper files and all information relating to a patient is scanned into their chart on our secure practice management system and then the paper file is securely disposed of by shredding. Visual records, such as x-rays, ct scans and eye images are all stored electronically in each patient’s chart.
How do we protect your personal information?
Our practice has documented policies and procedures in place to protect and manage the privacy, security, quality and integrity of the personal health information we hold.
By way of further assurance, and since establishment, The Diabetic GP Clinic has engaged a reputable IT service provider to securely monitor and manage our systems and network to ensure the safety, security and integrity of the personal health information we hold.
Our electronic files are password/passphrase-protected on several levels (which are changed on a regular basis). We keep frequent backups of all critical information and systems, and those backups are stored securely off site and not connected to the network to prevent their loss due to fire, theft or malware.
All our employees, service providers and contractors at The Diabetic GP Clinic are bound by a strict legal duty of confidentiality. As such, we require and ensure that each person has read, understood and signed a Privacy and Confidentiality Agreement.
How can you access and correct your personal information at our practice?
You have the right to request access to, and correction of, your personal information.
The point of contact for patient access to personal information is:
Phone: 4724 0700
Our practice acknowledges patients may request access to their medical records. Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that your personal information held by our practice is correct and current.
If you make your request to access or correct your personal information over the phone or in person, you will be asked to put your request in writing. You may also be asked to provide proof of your identity.
If you are making a request on behalf of another person, your request must be made in writing, and must include evidence of your authority to act on the other person's behalf.
Your request should be in writing and to the attention of “The Practice Manager”. It should be provided either by email email@example.com, in person to the practice, or by post PO Box 262 Hyde Park Townsville 4812. Your request should include:-
Your full name, address and date of birth.
For access requests: a description of the information you're requesting and whether you require a summary, a full copy or if you want to view your records in person.
For correction requests: a description of the information you want to correct, the correct information and proof the existing information is inaccurate, incomplete, misleading or out-of-date.
Our practice will respond to all requests within a reasonable time, (approximately 30 days).
The Diabetic GP Clinic may charge a fee to give you access to your information but you will not be charged a fee for simply making a request.
Depending on the content of your request, our practice may charge you a fee to give you access to your personal health information, but this fee can’t be excessive. It may include the cost of:-
staff searching for, locating and retrieving the requested information, and deciding which health information is relevant to the request
staff reproducing and sending the health information
the postage or materials involved in giving access
using an intermediary, if necessary
Can we refuse your request?
The Diabetic GP Clinic can refuse to give you access to your health information in some situations, such as if:
it may threaten your or someone else’s life, health or safety
it may impact someone else’s privacy
giving access would be unlawful
If giving you certain information would impact someone else’s privacy, our practice may block out that part and give you the rest of the information. If it’s not possible to give information directly to you because of a concern for your health or safety then our practice might give access through an agreed third party.
If our practice refuses to give you access we will give you a written notice telling you why, and how you can complain about our refusal.
How can you lodge a privacy-related complaint, and how will the complaint be handled at our practice?
We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have in writing. We will then attempt to resolve it in accordance with our resolution procedure.
You may make a complaint in person, over the phone or in writing.
If you put the complaint in writing, it should be addressed to the attention of “The Practice Manager” and can be sent either by email firstname.lastname@example.org, or by post PO Box 262 Hyde Park Townsville 4812 or delivered in person at Suite 14, The Hyde Park Centre, Woolcock Street, Hyde Park Townsville 4812.
When you make the complaint, please make sure you:
give a brief description of the matter and why you think The Diabetic GP Clinic has mishandled your personal information (what happened, when it happened and any consequences)
let us know what you’d like us to do to resolve the matter
If your complaint is in writing, please also include:-
a contact address
a contact phone number
the date (if you’re sending a letter)
Our practice will respond to all requests within a reasonable time, (approximately 30 days).
You may also contact:-
The OAIC. Generally, the OAIC will require you to give them time to respond before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 363 992.
The Office of the Health Ombudsmen, Queensland - For further information visit www.oho.qld.gov.au or call the OHO on 133 646.