1 Policy statement
SVHA is committed to protecting the privacy of the personal information and sensitive information which it collects and holds.
SVHA must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), and other privacy laws which govern the way in which organisations (such as SVHA) hold, use and disclose personal information (including your sensitive information).
(a) the kinds of information that SVHA may collect about you and how that information is held;
(b) how SVHA collects and holds personal information;
(c) the purposes for which SVHA collects, holds, uses and discloses personal information;
(d) how you can access the personal information SVHA holds about you and seek to correct
such information; and
(e) the way in which you can complain about a breach of your privacy and how SVHA will
handle that complaint.
health information is:
(a) personal information or an opinion about:
(i) an individual's physical or mental health or disability (at any time);
(ii) an individual's express wishes about the future provision of health services for themselves; or
(iii) a health service provided, or to be provided, to an individual;
(b) other personal information collected to provide, or in providing, a health service;
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances;
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(e) whether the information or opinion is true or not; and
(f) whether the information or opinion is recorded in a material form or not;
sensitive information means:
(a) personal information or opinion about an individual's:
(i) racial or ethnic origins;
(ii) political opinions or political associations;
(iii) philosophical beliefs or religious beliefs or affiliations;
(iv) sexual preferences or practices; or
(v) criminal record; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information.
3 Collection and use of personal information
3.1 Types of personal information collected by SVHA
SVHA will only collect information which is necessary to facilitate the provision to you of health care services by a member of the SVHA Group or to appropriately manage, conduct and oversee the SVHA Group’s businesses. This may include (as applicable):
(a) Patients/residents/clients/research participants
SVHA collects information from you to facilitate the provision of health care services to you by members of the SVHA Group or to enable you to participate in research studies. This includes collecting personal information such as your name, address, your health history, family history, past and current treatments lifestyle factors, and any other information which is necessary to assist the health care team in providing appropriate care, or our research team in conducting its research.
(b) VMOs, students, contractors and volunteers
SVHA collects information from you which is necessary to properly conduct, manage and oversee the SVHA Group’s businesses. This includes collecting personal information such as your name, address, professional experience, qualifications and past employers, and any other information which may be necessary to appropriately conduct, manage and oversee the SVHA Group’s businesses.
(c) Job applicants
SVHA collects information from you which is necessary to assess and engage job applicants. This includes collecting personal information such as your name, address, professional experience, qualifications, references and past employers, and any other information which is necessary to process your job application.
Where you have consented, SVHA collects information from you for the purposes of fundraising for the SVHA Group including agreeing the terms of and managing any donations you agree to make. This includes collecting personal information such as your name and address.
3.2 How we collect personal information
We will usually collect your personal information directly from you, however sometimes we may need to collect information about you from third parties, such as:
(a) another health service provider;
(b) past employers and referees; or
(c) related entities (being those listed in the annexure).
We will only collect information from third parties where:
(d) you have consented to such collection;
(e) such collection is necessary to enable us to facilitate the provision of appropriate health care services by a member of the SVHA Group;
(f) such collection is reasonably necessary to enable us to appropriately manage, conduct and oversee the SVHA Group’s businesses; or
(g) it is legally permissible for us to do.
3.3 How SVHA uses your personal information
SVHA only uses your personal information for the purpose for which it was collected by SVHA (primary purpose), unless:
(a) there is another purpose (secondary purpose) and that secondary purpose is directly related to the primary purpose, and you would reasonably expect, or SVHA has informed you, that your information will be used for that secondary purpose;
(b) you have given your consent for your personal information to be used for a secondary purpose; or
(c) SVHA is required or authorised by law to use your personal information for a secondary purpose (including for research and quality improvements within SVHA).
For example, SVHA may use your personal information to:
(d) facilitate the provision of health care services to you by a member of the SVHA Group;
(e) facilitate the provision of any ongoing health related services to you;
(f) appropriately manage, conduct and oversee the SVHA Group’s businesses, such as assessing insurance requirements, conducting audits, and undertaking accreditation processes;
(g) assist SVHA to manage, conduct and oversee the SVHA Group’s businesses, including quality assurance programs, billing, improving its services, implementing appropriate security measures, conducting research and training personnel;
(h) where required, effectively communicate with third parties, including Medicare Australia, private health insurers and Department of Veterans' Affairs; and
(i) carry out fundraising activities (where you have consented).
3.4 Complete and accurate details
Where possible and practicable, you will have the option to deal with SVHA on an anonymous basis or by using a pseudonym. However, if the personal information you provide us is incomplete or inaccurate, or you withhold personal information, we may not be able to provide the assistance or support you are seeking, or deal with you effectively.
4 Disclosing your personal information
SVHA will confine its disclosure of your personal information to the primary purpose for which that information has been collected, or for a related secondary purpose. This includes when disclosure is necessary to facilitate the provision of health care services to you by a member of the SVHA Group, to help us manage, conduct and oversee the SVHA Group’s businesses, or for security reasons.
We may provide your personal information to:
(a) medical and other healthcare professionals involved in your care;
(b) government agencies, such as Defence or Department of Veterans Affairs, where an individual is receiving services with a member of the SVHA Group under arrangements with those agencies;
(c) government departments responsible for health, aged care and disability where SVHA is required to do so; (d) third parties contracted to provide services to SVHA, such as entities contracted to assist in accreditation or survey processes;
(e) any of the related entities listed in the annexure;
(f) research institutions with which SVHA collaborates;
(g) private health insurance providers and Medicare Australia;
(h) anyone authorised by you to receive your personal information (your consent may be express or implied);
(i) fundraising institutions associated with SVHA (where you have consented);
(j) anyone SVHA is required by law to disclose your personal information to.
4.2 Third party service providers
Where we engage third party service providers, we may disclose personal information to those service providers who may use, process and/or store that information overseas. For example we have contracted with an Australian company for the provision of an electronic document portal to host papers for SVHA’s board and committee meetings. Board and committee meeting papers may occasionally include personal information. The service provider’s computer servers are located in Canada.
5 Data storage, quality and security
5.1 Data quality
SVHA will take reasonable steps to ensure that your personal information which is collected, used or disclosed is accurate, complete and up to date.
All your personal information held by SVHA is stored securely in either hard copy or electronic form.
5.3 Data security
SVHA strives to ensure the security, integrity and privacy of personal information, and will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. SVHA reviews and updates (where necessary) its security measures in light of current technologies.
5.4 Online transfer of information
While SVHA does all it can to protect the privacy of your personal information, no data transfer over the internet is 100% secure. When you share your personal information with SVHA via an online process, it is at your own risk.
There are ways you can help maintain the privacy of your personal information, including:
(a) always closing your browser when you have finished your user session;
(b) always ensuring others cannot access your personal information and emails if you use a public computer; and
(c) never disclosing your user name and password to third parties.
6 2017 Amendments to the Privacy Act 1988
6.1 The passage of the Commonwealth Privacy Amendment (Notifiable Data Breaches) Act 2017 established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988 (such as the SVHA Group Entities at Annexure A) to notify any individuals likely to be at risk of serious harm by a data breach. In some cases of a data breach the Office of the Australian Information Commissioner (OAIC) must also be notified. Please Note the Privacy Amendment (Notifiable Data Breaches) Act prescribes timelines for the notification process to the OAIC.
6.2 SVHA has established a Data Breach Response Plan that details how SVHA Group Entities must deal with any instance where there has been a potential or actual breach of personal information held by SVHA in either electronic or hard copy form. The Data Breach Response Plan includes information on the assessment and reporting of a data breach, the convening of a Data Breach Response Team and details on the communication processes to be undertaken following a breach.
6.3 All staff must familiarise themselves with the Data Breach Response Plan and its processes and ensure the plan is followed whenever a data breach is suspected or discovered.
A 'cookie' is a small data file placed on your machine or device which lets SVHA identify and interact more effectively with your computer.
8 Links to other sites
SVHA may provide links to third party websites. These linked sites may not be under our control and SVHA is not responsible for the content or privacy practices employed by those websites. Before disclosing your personal information on any other website, we recommend that you carefully read the terms and conditions of use and privacy statement of the relevant website.
9 Accessing and amending your personal information
You have a right to access your personal information which SVHA holds about you. If you make a request to access your personal information, we will ask you to verify your identity and specify the information you require.
You can also request an amendment to any of your personal information if you consider that it contains inaccurate information.
You can contact SVHA about any privacy issues as follows:
Group General Manager Legal, Governance & Risk
St Vincent’s Health Australia
Level 22, 100 William Street
WOOLLOOMOOLOO NSW 2011
Tel: (02) 9367 1100
Fax: (02) 9367 1199
While SVHA aims to meet all requests for access to personal information, in a small number of cases and where permitted to do so by law, SVHA may not give access or may do so only under conditions.
Subject to applicable laws, SVHA may destroy records containing personal information when the record is no longer required by SVHA.
If you have a complaint about SVHA's information handling practices or consider we have breached your privacy, you can lodge a complaint with:
(a) SVHA’s Group General Manager Legal, Governance & Risk, using the contact details listed in clause 9 above; or
(b) the Office of the Australian Information Commissioner.
SVHA aims to deal with all complaints in a fair and efficient manner.
This policy was adopted on 7 December 2017.
Annexure A – related entities
(a) St Vincent's Health Australia Ltd
(b) St Vincent's Care Services Ltd
(c) St Vincent's Private Hospital Northside Limited
(d) St Vincent's Hospital (Melbourne) Limited
(e) St Vincent's Private Hospitals Ltd
(f) St Vincent's Private Hospital Sydney
(g) St Vincents & Mater Health Sydney Limited
(h) St Vincent's Hospital Sydney Limited
(i) St Vincent's Clinic.