Collection of personal information
This medical practice collects sensitive information from you for the purpose of providing quality health care. We require you to provide us with your personal details (name, gender, address, contact details, date of birth, Medicare number) and a full medical history so that we may properly assess, diagnose and treat illnesses and be proactive in your health care, as well as manage the practice.
Wherever practicable we will only collect information from you personally. However, we may also need to collect information from other sources such as treating specialists, radiologists, pathologists, hospitals and other health care providers.
We collect information in various ways such as over the phone or in writing, in person when you attend the practice or over the internet. This information may be collected by medical or non-medical staff.
In emergency situations we may also need to collect information about you from your relatives or friends.
The practice will take reasonable steps to ensure the information collected is accurate, up to date and complete. For this purpose, the practice staff may ask you to confirm that your contact details are correct when you attend a consultation. We request that you inform us if any of the information we hold about you is incorrect or out of date. The practice is obliged to notify other health organisations of any corrections made to information already provided to them.
We will also use the information you provide for the following purposes. Only relevant information will be used and disclosed.
- Administrative purposes in managing this medical practice
- Billing purposes, including compliance with Medicare and Health Insurance Commission requirements
- Disclosure to others involved in your health care, including treating doctors and specialists outside this medical practice. This may also include allied health professionals, and institutions such as hospitals. This may occur through referral to other doctors, or for medical tests and in the reports or results returned to us following the referrals. This may occur verbally, in writing or electronically (by email or SMS).
- Disclosure to other doctors in the practice, locums, and to Registrars and medical students attached to the practice for the purpose of patient care and teaching. Please inform us if you do not want your records accessed for these purposes.
The practice will treat your personal information as strictly private and confidential. Information will only be used or disclosed for purposes directly related to your care and treatment, or in ways that you would reasonably expect that we may use it for your ongoing care and treatment.
There are circumstances where we may be permitted or required by law to disclose your personal information to third parties (for example Medicare, Police, insurers, solicitors, government regulatory bodies, tribunals, courts of law, hospitals or debt collection agents). We may also provide statistical data to third parties for research purposes.
Disclosure for other purposes may occur in the ‘permitted general situations’ (relating to Health and Safety, unlawful activity and serious misconduct, location of a missing person, defending or establishing a legal or equitable claim and in confidential mediation).
Disclosure of information may also occur in ‘permitted health situations’, which relate to research, prevention of a serious threat to the life, safety or health of a genetic relative, or disclosure to a responsible person or guardian.
You will always be asked for specific consent if your personal information is requested to be used for research purposes.
Information collected may be stored on our computer medical records system and in some cases in hand-written medical records. Personal information that we hold is protected by securing our premises and by placing passwords and varying access levels on databases to limit access and protect electronic information from unauthorized interference, access, modification and disclosure.
We may need to take photographs of your skin condition for inclusion in the medical record. As clinical photographs are a part of the medical record they cannot be deleted.
As part of the medical record, clinical photographs may be sent with other written communication to other treating doctors. Your verbal permission will be sought if the photograph is to be sent electronically to other health professionals.
Your written permission will be sought if photographs are to be used for any other purpose such as teaching or publication.
Some review appointments may be conducted as a telehealth consultation using videoconferencing platforms on which your cybersecurity cannot be guaranteed. Sometimes the consultation is carried out with another practitioner present. Your verbal consent will be obtained prior to arranging a telehealth consultation.
Your personal information will not be disclosed to any person or service outside Australia unless it is established that protections similar to the Australian Privacy Principles (APPs) apply, or unless your express permission has been obtained. At the present time this practice does not disclose personal information to overseas recipients.
The practice does collect and record a government related identifier (your Medicare number), but this is used only for the purpose listed above (billing). Government identifiers will not be used or disclosed to another party unless an exception applies.
The practice takes reasonable steps to protect the personal information it holds from misuse, loss, interference, unauthorized access, modification and disclosure.
The practice will take reasonable steps to destroy or de-identify personal information that is no longer required for authorised purposes.
Collection of information requires your consent. You are not obliged to provide the information requested but failure to do so might compromise the quality of health care and treatment. You have the legal option to interact with this practice anonymously or by using a pseudonym, however this would create significant difficulty in providing you with optimum care. If this option is requested this practice would have to obtain further advice and may not have to comply if an exception applies in relation to a particular matter.
This practice will not use or disclose personal information for the purposes of direct marketing by this practice or any other party.
Unsolicited personal information may be retained if it could have been lawfully collected and used, otherwise it will be destroyed or de-identified.
Data Breach Response Plan
Training of staff to identify a data breach
All staff have annual training in Privacy including being able to identify and act on a potential data breach.
A data breach is a circumstance where confidential information about a person or persons is accessed by an unauthorised person, or is stolen or lost. It can be unintentional or malicious and includes:
- loss of physical equipment such as a laptop holding personal information
- unauthorised access being granted to someone to another person’s information
- inadvertent disclosure due to human error
- disclosure induced by fraud or scamming activities
Training enables staff to know how to identify a data breach or potential data breach, who to report it to, when it should be reported and what other actions to take to protect patients’ personal information.
Notifying a suspected breach
Any member of staff who believes a data breach may have occurred is required to notify the practice principal, either orally (followed by a confirming email) or by email, as soon as possible after forming that belief.
The data breach response team including external partners
Once the notification is received the practice principal will:
- Decide (by telephone if needed) whether the matter is something the practice can manage alone or whether any other person needs to be involved
- If appropriate, advise the external IT provider as soon as possible
- Advise any cyber security insurance provider or general liability provider
- Notify the medicolegal insurance provider
How the plan applies to different types of breaches
The nature of the practice’s response will differ according to the circumstances in which the suspected breach occurred and the nature of the breach.
The practice principal needs to determine if the breach raises the possibility of a serious risk to a person’s life or health. If so, the practice principal must immediately contact the person at potential risk of harm to advise them of the risk.
If there is no immediate risk to a person’s life or health, the assessment must identify whether this is a reportable breach. A breach is reportable if it is likely to result in serious harm to any person whose information is involved and the practice has not been able to prevent that likely harm through remedial action.
How assessment of breaches will occur
The assessment must consider:
- How did the breach occur?
- Has the breach been contained?
- If the breach has not been contained, what actions need to be taken to contain it?
- What actions can be taken to ensure the breach does not occur again?
- Is the breach reportable?
The assessment and resulting actions should be completed within 30 days.
How affected persons will be notified
If the number of persons impacted by the breach is small enough, notification should be by telephone by the practice principal.
The information to be provided is:
- the fact that a data breach has occurred and that the patient’s information has been accessed by, or exposed to, a third party
- brief details of how it occurred
- details of the information accessed
- details of what steps the practice has taken to contain the breach
- any suggestions the practice can make as to steps the patient can or should consider taking to protect their interests
- details of what changes to information storage or management the practice is making to avoid the breach occurring in the future
- a commitment to follow up with each person, once the event has been fully investigated, about any further action taken
A record of each contact, including the contact details used, should be kept.
If the number of persons is too large to be contacted by telephone, notification should be by email from the practice principal, in conjunction with advice from the liability insurer.
Reporting to OAIC or other bodies
If the matter is a reportable breach, the OAIC should be notified in writing as soon as possible (and no later than 30 days after the breach is suspected), advising what steps have been taken to contain the breach and to notify affected persons.
Record keeping for breaches
A separate file must be created by the practice principal for any suspected breach, and all emails, memos and correspondence should be saved to that file.
Requirements under agreements with third parties
The practice principal is to consider all obligations to notify third parties of the suspected breach, including the OAIC, state and territory privacy bodies, and insurers.
Reviewing of plan and testing of plan
This plan should be reviewed at least every two years, whenever new IT systems or software are introduced into the practice, or whenever there are significant changes in how information is stored.
Post breach review assessment
After a breach has occurred the practice must review what has occurred by reference to this plan.
Note: A copy of this plan is printed and available to the practice principal and all staff. The plan is also available to download (pdf)
Accessing medical records
You have the right to access information collected about you, except in some circumstances where access might be legitimately withheld. If access to your medical records is denied you will be informed why this has occurred and the options available to you to respond to our decision.
If you request access to information about yourself, the practice is entitled to charge fees to cover the costs involved. These will be in accordance with fees recommended by the Australian Medical Association. Information will be provided within 30 days of the request. Requests for access to your medical record should be made in writing to Dr Drummond.
We are required by law to retain medical records for certain periods of time depending upon your age at the time we provided services.
Practice Communication by Email and SMS
The email service used by this practice is not secure and messages are not encrypted. There are risks to your privacy in using email to communicate with the practice staff or doctors.
You will need to provide written consent that you understand and accept this before any email communication can be undertaken.
Very limited clinical advice can or will be provided via email. Any advice provided via email by the doctor will be of a general nature only.
Diagnoses can be difficult or impossible to make from a written description of the problem alone.
Photographs may be useful, but their quality is often insufficient for an assessment to be made.
Email may not be accessed or checked for 2-3 days at a time, so it should not be used for any urgent situation. In urgent situations the practice should be contacted by phone.
If staff are unavailable to take your call or the practice is closed, you should contact your general practitioner, or if an emergency you should attend the Emergency Department at your nearest hospital.
A record of email communication will be stored in your medical file.
Making a privacy complaint
If you wish to make a complaint about a perceived breach of the Australian Privacy Principles please submit a letter detailing your complaint addressed to Dr Drummond. Upon receipt of a complaint we will consider the details and attempt to resolve it in accordance with our complaints handling procedures.
If you are dissatisfied with our handling of a complaint or the outcome you may make an application to the Australian Information Commissioner or the Privacy Commissioner of the ACT.
A copy of this privacy policy can be requested from the practice reception staff. A personal copy can be made available upon request.
Suite 16, Francis Chambers
40-42 Corinna St, Phillip ACT 2606
The best way to contact us is via email
P: +61 2 5114 2682
F: +61 2 5114 2684
We acknowledge the Traditional Custodians of the ACT, the Ngunnawal people. We acknowledge and respect their continuing culture and the contribution they make to the life of this city and this region.