Privacy Policy for Management of Personal Information¹

  1. Introduction
    1. This document describes the Glynn Mind Clinic (GMC) privacy policy (Policy) for the management of clients’ or patients’ personal information. GMC is committed to ensuring that people who come into contact with GMC have the right to have their privacy respected. As such, GMC has implemented the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) (PR Act), the My Health Records Act 2012 (Cth) (MHR Act), the Health Records Act 2001 (Vic) (HR Act), the Australian Psychological Society Code of Ethics (Code) and other applicable legislative instruments or regulations.
    2. This Policy applies to all Glynn Mind Clinic (GMC) employees, contractors, agents, volunteers and Directors (defined as “Workers” for the purpose of this Policy) and is to be read in conjunction with GMC’s Information and Communication Technology and Internet Usage Policy.
  2. Purpose and Objectives
    1. This Policy outlines the legislative and policy requirements that apply to all Workers, who in the course of their work have access to personal information collected, used, disclosed or stored by or on behalf of GMC.
    2. For the avoidance of doubt, the expression “Worker” does not connote the existence of an employment relationship between GMC and a contractor or volunteer of GMC.
    3. This Policy further outlines how client/patient personal information is to be collected, stored and used. It also outlines how clients/patients can raise any concerns regarding the collection, use and storage of their personal information.
  3. Definitions
    1. “Personal information” is information or an opinion, whether true or not, relating to a person, or the affairs of a person, whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
    2. “Sensitive information” is personal information that includes details or an opinion about an individual’s race, political opinions, religious beliefs, trade union membership or association, sexual orientation, criminal record and health information. Sensitive information has a higher level of privacy protection than other personal information.
    3. “Consent” means that an individual has authorised their personal information to be used for a defined purpose or handled in a particular manner. Consent may be expressed (i.e. given orally or in writing) or implied (i.e. reasonably inferred from the conduct of the individual).
    4. “Informed consent” means that an individual is aware of the implications of providing or withholding consent after being properly and clearly informed about how their personal information will be handled.
    5. “My Health Record” means the Commonwealth Government’s electronic health record system. Unlike other electronic health records, the content of My Health Record is controlled by the individual, including what information is shown in the record and who has access to it. Persons cannot collect information from the ‘My Health Record’ system if the collection is unauthorised. Such conduct would amount to a breach of the My Health Records Act 2012 (Cth).
    6. “Primary purpose” means the dominant purpose for which information is collected. Most often in the health system the primary purpose will be to provide care, or an episode of care.
    7. “Reasonable” should be taken to mean how an individual, who is properly informed, would be expected to act in the circumstances.
    8. “Record” means:
      1. any written, graphic or pictorial matter, or
      2. a disk, tape, film or other object that contains information or from which information may be reproduced (with or without the aid of another object or device).
  4. Policy Statement
    1. This Policy applies to personal information regardless of its format e.g. paper or electronic records such as videos, photographs, specimens, entries on computer databases (including patient information systems) and emails or other electronic messaging systems. This includes information from which the names and addresses have been removed but where sufficient information remains so that the individual could potentially be identified (e.g. by way of a number, reference or details which, when combined with other information, can be related to an individual).
    2. For the purposes of this Policy, “Services” is used to refer to all services provided by GMC including, but not limited to:
      1. Psychological treatments;
      2. Dietetics; and
      3. Other services that may be provided at the discretion of GMC
  5. Responsibilities
    1. All Workers have an obligation to:
      1. only access personal information that they need to perform their duties;
      2. protect the privacy and confidentiality of personal information that they may collect or hold;
      3. not disclose personal information without legal authority;
      4. not disclose or share passwords;
      5. accept responsibility for all activities undertaken using their password; and
      6. not remove confidential information from the workplace unless authorised.
  6. Client information
    1. Client files are held within GMC’s Practice Management Software (i.e. Power Diary) which is only accessible to authorised Workers. The information on each file may include personal information such as name, address, contact phone number, medical history, and other personal information collected as part of providing the psychological service.
  7. How clients or patients’ personal information is collected
    1. Client personal information is collected with informed consent and for purposes related to the provision of GMC’s psychological services. Personal information is collected from clients when making enquiries/bookings and during psychological consultation, including when a client provides their information to GMC Workers through means such as email correspondence, completion of questionnaires and forms (including those facilitated through NovoPsych) and referrals.
    2. Once collected, GMC will hold and store personal information via:
      1. storage services including, but not limited to, Google Applications, Apple Applications, Power Diary (GMC’s Practice Management Software), NovoPsych, National Australia Bank (NAB) for payment transactions, and any other applications or software used for business operations;
      2. GMC Devices, including but not limited to mobile phones and computers operated by Workers;
      3. soft copy and hard copy client forms and files.
    3. When collecting personal information, GMC is required to take reasonable steps to advise the individual of the usual practices regarding the disclosure of information to third parties.
    4. With the exception of where a data breach or unlawful disclosure has occurred, the duty in 6.3 does not require GMC to advise that a particular disclosure has occurred or will occur. Rather, it requires GMC to notify or ensure awareness of its usual practices in disclosing personal information to other entities.
    5. GMC must take reasonable steps to ensure that the personal information it collects is relevant to the purpose of the collection, and not excessively personal. The personal information collected should also be complete and up to date.
  8. Security
    1. GMC implements reasonable and secure measures to protect all stored personal information from being compromised or accessed by users who do not have authority to do so.
    2. GMC limits access to personal information to those with a valid and legitimate reason for using that information.
    3. GMC information storage includes security measures to protect privacy such as passwords, PINs, encryption, session expiries, SSL network encryption, SSL certificate and website transmission encryption, the use of reputable vendors (e.g., Power Diary and NovoPsych), two-factor authentication, and physical destruction of paper documents once electronically uploaded.
    4. Workers are required to set unique, strong passwords to access computers, devices and software (which are never to be shared with anyone else). Workers are strongly encouraged to use password managers in order to protect the privacy of passwords and systems used at GMC.
    5. All computers and devices must be protected by antivirus software, hardware and software firewalls and must be updated on a regular basis as required. All internet browsers are also required to be updated regularly to ensure that the latest versions of these browsers are being used at GMC.
    6. GMC Management are responsible for reviewing all users accessing GMC platforms and software and removing users, such as Workers no longer engaged by GMC, as required.
    7. GMC prohibits Workers from accessing GMC networks and platforms whilst connecting to public unsecure Wi-Fi hotspots. Such activities may compromise the security measures implemented by GMC to protect privacy.
    8. When GMC uses the services of third-party businesses to provide our Services, they may gain access to GMC’s data, including personal information. Such third-party services may include:
      1. Google applications;
      2. Power Diary;
      3. NovoPsych;
      4. third-party contractors such as IT support services and web/software development services;
      5. NAB payments;
      6. billing services provided by private health insurers and Medicare.
    9. GMC will only share personal information with these third parties to the extent necessary to perform its functions.
  9. Consequence of not providing personal information
    1. If a client or patient does not wish for their personal information to be collected in a way contemplated by this Policy, GMC may not be in a position to provide Services to the client.
    2. In some circumstances, clients or patients may request to be anonymous or to use a pseudonym. Should this occur, GMC will consider these requests on a case by case basis.
    3. If GMC forms a reasonable view that it is impracticable for GMC to deal with the client in this manner or if GMC is required or authorised by law to deal with identified individuals, GMC reserves its rights to deny providing Services to the client or patient.
  10. Purpose of holding personal information
    1. Client and patient personal information is gathered and used for the purpose of providing Services, which includes assessing, diagnosing and treating a client or patient’s presenting issue. The personal information is retained in order to document what happens during sessions and to enable the psychologist to provide a relevant and informed psychological service.
    2. It is generally accepted that in providing a health service to an individual, it may also be necessary to use their information for other related purposes e.g. billing purposes or to improve health services.
    3. Personal and sensitive information about individuals is authorised to be used for the purposes for which it was collected.
  11. Use and disclosure of personal information
    1. In the course of the provision of Services, GMC collects, uses and discloses personal information when:
      1. booking appointments with psychologists for patients and sharing information about inquiries;
      2. managing patient records;
      3. requiring patients to fill out forms or questionnaires;
      4. processing patient payments;
      5. facilitating Medicare and private health insurance claims; and
      6. sharing information with other health practitioners or parents/guardians.
    2. Clients’ or patients’ personal information will remain confidential except where:
      1. it is subpoenaed by a court, or disclosure is otherwise required or authorised by law; or
      2. failure to disclose the information would, in the reasonable belief of GMC, place a client or another person at serious risk to life, health or safety; or
      3. the client or patient’s prior approval has been obtained to:
        1. provide a written report to another agency or professional, e.g., a GP or a lawyer; or
        2. discuss the material with another person, e.g. a parent, employer, health provider, or third-party funder; or
        3. disclose the information in another way or for another purpose; or
        4. disclose to another professional or agency (e.g. GP) and disclosure of the personal information to that third party is for a purpose which is directly related to the primary purpose for which the personal information was collected.
      4. A client or patient’s personal information is not disclosed to overseas recipients unless the client consents or such disclosure is otherwise required by law. Clients’ or patients’ personal information will not be used, sold, rented or disclosed for any other purpose.
      5. In the event that unauthorised access, unauthorised disclosure or loss of a client’s personal information occurs, GMC will activate its data breach plan and use all reasonable endeavours to minimise any risk of consequential serious harm.
  12. Consent
    1. Where possible, the consent of an individual (or their guardian, medical agent or substitute decision-maker) should be obtained prior to the use or disclosure of their personal information for a secondary purpose.
    2. The key elements of consent are:
      1. The individual is adequately informed before giving consent;
      2. The consent is reasonably specific;
      3. The consent is freely given;
      4. The individual has the capacity to understand and communicate their consent;
      5. Consent is timely;
      6. Consent should be obtained in writing or verbally.
    3. Where an individual has given consent, it is important that a notation is made in the individual’s file to indicate their specific and clear intention for the disclosure of personal information.
    4. However, there may be instances when it is not appropriate to seek a person’s consent e.g. a legislative reporting requirement such as the reporting of a child or young person at risk under the Children’s Services Act 1996.
    5. There may be other instances where disclosure of personal information may be considered necessary to lessen or prevent a serious threat e.g. sharing personal information to allow early intervention to prevent a threat to life, health or safety of a person.
    6. It is equally important to document decisions to disclose personal information without the consent of the individual.
  13. Requests for access and correction to client information
    1. At any stage, clients or patients may request to see and correct the personal information about them kept on file. The treating practitioner may discuss the contents with them and/or, subject to seeking approval from GMC, give the client or patient a copy of the information, subject to the exceptions in the PR Act.
    2. If satisfied that personal information is inaccurate, out of date or incomplete, reasonable steps will be taken in the circumstances to ensure that this information is corrected.
    3. All requests by clients or patients for access to or correction of personal information held about them should be lodged with admin@glynnmindclinic.com.au. Requests will be responded to in writing within 14 days, and an appointment will be made, if necessary, for clarification purposes.
  14. Parent plans for children seeking GMC’s services
    1. When a child is accessing GMC Services, both parents of that child are equally entitled to be involved in the child’s therapy that GMC or its agents provide to them and access all information related to the child’s treatment (unless a court order says otherwise) pursuant to the Family Law Act 1975 (Cth).
    2. Where possible, both parents/guardians of a child should come to a mutual agreement on whether they would like their child to access our services.
    3. In circumstances where a child’s parents or guardians are separated, we encourage the parties to make arrangements so that both parents/guardians are involved in their child’s treatment and that there is an agreement as to the split (if any) of the costs associated with these services.
    4. In accordance with the operation of the Family Law Act 1975, it is a requirement for GMC that both parents/guardians are aware that their child is attending GMC for treatment and therapy. In circumstances where one parent brings a child to our clinic, GMC will:
      1. enquire about the child’s second parent/guardian to ensure that they are aware of their child accessing our services;
      2. discuss how the second parent/guardian will participate in the child’s treatment; and
      3. invite the second parent/guardian to be involved in their child’s therapy if they have not been asked to participate already.
    5. Each parent/guardian is responsible for keeping the other parent/guardian informed about the child’s treatment (unless a court order says otherwise).
    6. At the beginning of a child’s assessment and therapy, GMC will request both parents to complete intake and consent forms at the outset of the child’s engagement with our clinic.
    7. If there are pending or current consent orders/court orders (including Family Violence Orders) in place that relate to the child (e.g. orders which only give one parent legal responsibility for the child), GMC must request that the details of these orders be provided to us prior to the child’s initial appointment.
    8. It is important that GMC ensures that parents/guardians provide us with the most up to date consent orders/court orders throughout the course of the child’s treatments, as such orders affect whether a child is allowed to access GMC’s services. If up-to-date orders are not provided, GMC may need to pause the child’s treatment.
    9. Both parents/guardians of a child will be entitled to access any information gathered about that child during the treatment services we provide, such as personal details obtained from intake forms, invoices/receipts from treatment and the child’s Medicare details (unless a court order says otherwise).
    10. If both parents/guardians are unable to come to an agreement on their child accessing our services, or if one parent objects to their child seeking treatment, GMC may have to pause the child’s services until a mutual agreement is reached or consent orders/court orders are made.
  15. Dealing with Privacy Breaches, Concerns and Complaints
    1. A data breach occurs when personal information that GMC may hold is subject to unauthorised access or disclosure or is lost.
    2. Data breaches may occur as a result of someone stealing personal information (such as taking GMC devices or scamming an individual to provide personal information to them) or by someone inadvertently disclosing personal information to someone as a result of human error (such as a Worker sending an email to the wrong recipient in error). Such instances must be reported to GMC immediately by contacting the Practice Manager (admin@glynnmindclinic.com.au).
    3. All breaches of privacy must be recorded as a data breach incident in accordance with the GMC Data Breach Response Plan. This will ensure that the breach is formally recorded and that remedial action is implemented immediately.
    4. GMC will respond to complaints in writing within a reasonable period (usually 10 business days from the business day the complaint is received).
    5. GMC will try to work with individuals to resolve complaints within 20 business days, although that period may be longer subject to the nature of the complaint.
    6. If individuals are unsatisfied with GMC’s response to a privacy complaint, they may refer the complaint to the Office of the Australian Information Commissioner (http://www.oaic.gov.au/).
    7. You may also refer to the Australian Privacy Principles, which describe how personal information must be handled.
¹ Certain aspects of this Policy are adopted from guidance provided by the Australian Psychological Society (APS).
Updated January 1, 2025.