Dealing with Personal Information

  • Patients and individuals have a right to access their information

  • Only use data for its primary or proper purpose

  • Store data only in the appropriate location

  • Each patient should have a separate file

  • Only the staff members directly involved in a patient's care are permitted to access that file

  • You have additional obligations when working remotely

  • Notify the Practice Manager if there is a suspected breach

Access

If we hold Personal Information about an individual, they have a right to access that information, correct that information and request the destruction of that information. Should you receive any of the above-mentioned requests from an individual, you must comply with that request after consulting the Practice Manager.

Use only for Primary Purpose

Personal Information which is collected by us should only be used for:

  • the primary purpose; or

  • a purpose related to the primary purpose and which the individual would reasonably expect the Personal Information to be used for.

What is the primary purpose?

This will differ depending on each stakeholder (e.g. patient versus job seeker) and their needs. When we request Personal Information from an individual, it must be made clear at the outset why the information is required and how it will be used.

If an individual discloses information to us without our having requested it, we must ensure the information is actually required in order to complete the services we have been engaged for.

If it is not required, we should destroy the information.

Storage

Where Personal Information is held by us, we must ensure the information is stored securely and accurately. Accordingly, information should only be stored on company-approved systems and should be saved to the appropriate location in accordance with company policy. Equally important is securing and protecting devices (e.g. mobile phones and laptops) in order to prevent unauthorised access or loss.

Additionally, access to information is only permitted if it is a genuine requirement of your role and duties.

It is the responsibility of all stakeholders to ensure the information is kept up-to-date and accurate. Should you become aware of outdated information, you must update it.

Where Personal Information is held by us and is no longer required for the purpose it was collected for, you should contact the Practice Manager, who will arrange to either securely destroy or de-identify the information.

Privacy Obligations when Working Remotely

The requirements of the Privacy Laws continue to apply when employees work off site or from home. When working remotely and dealing with privacy and/or personal information, employees and contractors must:

  • ensure they only work in private spaces (including for video conferences and phone calls);

  • where possible, use headphones during work related calls to minimise the information that may be inadvertently overheard;

  • ensure that their work-related devices are locked and secured when not in use, in accordance with our policies and procedures; and

  • documents containing personal information should not be printed out in hard copy.

What happens if there is a suspected data breach?

  • Contact the Practice Manager

  • Refer to our Data Breach Response Plan
