Last update: 18 July 2017
QIDerm and Queensland Institute of Dermatology value your privacy and want to ensure your personal and health information is handled in accordance with your expectations and all legal requirements.
We have developed this policy to demonstrate our commitment to best practice in relation to the management of personal information. The purpose of this policy is to inform you how personal information is collected and used within our practice, and the circumstances in which we may share it with third parties.
1. What and who does this policy apply to?
This policy relates to the collection, use and disclosure of personal information. Personal information generally refers to information or an opinion about an identified individual. For example, if the information you have provided has been de-identified, then this policy may not apply to that information.
2. How do we use and collect your information?
2.1 When do we get your consent?
When a patient first attends our practice you are asked to fill out forms which give us basic information about you and provide consent for our doctors, medical staff, employees and consultants to handle your personal information. We also collect personal information about patients during consultations, from referring doctors and other third parties. We will always try and obtain information from patients directly but this may not always be practical (e.g. when if a patient does not have the relevant information).
2.2 Why do we need your information?
We need to collect patient information in order to provide the best quality healthcare. Without all the relevant information, we may not be able to provide the same standard of care.
If you are a patient, our main purpose for collecting, using, holding and sharing your information is to manage your healthcare. In order to manage your healthcare we may have to collect and disclose your information with treating doctors, medical staff (e.g. Registrars and locums) referrers, hospitals, service providers (e.g. those that provide pathology or testing services) and administrative staff at our practice. We also use it for related business activities, such as complying with our legal obligations (which may include Medicare requirements and notification of communicable diseases), financial claims and payments, practice audits and accreditation, and business processes (e.g. staff training).
We need information from donors in order to ensure we comply with our obligations as a charity as well other obligations imposed under Australian law, including the Anti-Money Laundering and Counter Terrorism Financing Act 2006.
2.3 Can you deal with us anonymously?
Australian law generally allows individuals to deal with third parties anonymously or under a pseudonym, unless it is impracticable or the law otherwise allows the third party to only deal with identified individuals.
It would be impractical for us to deal with patients on an anonymous basis or under a pseudonym, as it would prevent us from communicating with other medical professionals involved in their care and would increase the risk that we cannot contact them in the case of an emergency. Also, because we are required to interact with Medicare, keep accurate records, provide medical reports, and ensure reliable payment we will not be able to deal with you on an anonymous basis. If requested, we will verbally address you by a pseudonym, however our records will need to use the name under which you are known to Medicare.
2.4 What kinds of information do we collect?
The information we may collect and maintain from patients includes, but is not limited to:
your name, date of birth, addresses, contact details;
·medical information, including medical history, past and present medications prescribed to you, allergies, adverse events, immunisations, social history, family history and risk factors;
Medicare number (where available) for identification and claiming purposes;
healthcare identifiers and health fund details;
referrals to and from other health service providers; and
·treatment, screens, medical service outcomes, results and reports.
The information we may collect and maintain from donors includes but is not limited to:
your name, date of birth, addresses, contact details; and
payment method information (such as credit card information).
The documents and records in relation to the above remain our property at all times. However, you have a right to access our records as set out in the policy or as the Privacy Act otherwise requires.
2.5 How do we collect personal information?
We will generally collect personal information from you directly when you provide us with your details, from any person responsible for you (e.g. if you are a child or under someone else’s care) or from third parties where permitted by law (e.g. other health care providers, your health fund, the Department of Veteran’s Affairs or medical service providers).
As outlined above, when patients first attend our practice we collect personal information from them. We may also collect personal information when you visit our website, send us an email or SMS, telephone us or make an appointment or donation online. We may also collect further information during the provision of medical services, for example, where your doctor takes notes during a consultation.
2.6 How do we hold personal information?
Your personal information may be stored at our practice in various forms, including paper records, electronic records, visual records and other recordings. For example, if you come in for an appointment, the doctor may record notes of the appointment in a Dictaphone, in hand written notes, make notes on your electronic file or take a photo of particular condition for follow up purposes.
All records are kept secure to protect against unauthorised access. We have processes in place to ensure compliance with these requirements and to protect your information. We do this by ensuring that all of our staff are obliged to treat your information on a confidential basis and are trained in our privacy requirements.
2.7 Can we use your information for research purposes?
We occasionally undertake or participate in clinical trials or other research projects. We will not disclose any of your personal information that has not been de-identified as part of a clinical trial without your consent, unless permitted by law.
We will generally not seek your consent where we de-identify your information because that will mean you cannot be readily identified from the relevant information, which means the information is usually not personal information. If we cannot use your de-identified information, we will obtain your consent to use your personal information unless it is impractical to do so and the research is conducted in accordance with:
established rules of confidentiality used by medical bodies; or
the guidelines issued by the CEO of the National Health and Medical Research Council and approved by the Privacy Commissioner.
Our staff may contact you about potential clinical trials or research projects that may be relevant to you. Please let us know if you do not want to be contacted for these purposes.
3. When will we disclose personal information?
In general, we may collect, hold, use and disclose your personal information for the following purposes:
to provide health services to you and to communicate with you about your health services and other matters;
to comply with our legal obligations, which may include mandatory notifications to government bodies, reporting to Medicare and other departments; and
to help us manage our accounts and administrative services.
We may disclose your personal information to the following:
others involved in your health care, including your referring General Practitioner or other referring service provider, pathology clinics, and specialists outside this medical practice. This may occur through referral to other doctors, or in the reports or results returned to us following the referrals;
between QIDerm and Queensland Institute of Dermatology, as both entities occupy the same premises and may also use some of the same professional or administrative personnel;
other doctors and medical staff, including locums and Registrars on the dermatology or other training programs;
our associated entities, including any businesses we engage to assist in running our practice;
entities that your doctor works for outside of our practice;
any new medical practice where your treating doctor transfers or moves to in the future; and
external contractors (e.g. IT Contractors), but only where those contractors are accessing our records generally to help us with any issues we are having.
We would ordinarily not disclose information relating to donors to third parties unless required by law.
Despite the above, there may be occasions where the law will require us to release your personal information irrespective of whether you consent to the disclosure of the information is given. Examples of such occasions include where:
there is a serious threat to an individual’s life, health and safety or suspicion of unlawful activity;
there is a specific requirement by law, for example, when served with a subpoena or other court order;
you are physically or legally incapable of giving consent and the disclosure to a person responsible for you is necessary to provide appropriate health care or treatment or for compassionate reasons and this is not contrary to any prior wish or wish that the responsible person is aware.
Our practice will not use your personal information for marketing any of our goods or services directly to you without your express consent. If you do consent, you may opt-out of direct marketing at any time by notifying our practice in writing. We will never sell your information to anyone else.
3.1 Are we likely to disclose personal information to overseas recipients?
We do not intend to disclose your personal information to overseas recipients. However, like many businesses we may use secure cloud storage services that may have servers located overseas. Otherwise, we may disclose your personal information to the following overseas recipients:
any practice or individual who assist us in providing services (such as where you have come from overseas and had your health record transferred from overseas or have treatment continuing from an overseas provider)
anyone else to whom you authorise us to disclose it; and
anyone else where authorised by law.
4. Access and Correction of Personal Information
4.1 How can you access your personal information?
Subject to the Privacy Act, you can request access and correction of personal information which we hold about you.
If you want to request access to your personal information, please contact reception or the Practice Manager (using the details provided below) and we will provide you with the relevant form to complete. We will use our best endeavours to respond to your request within 30 days.
We may not be able to provide you with all the personal information you have requested because we need to consider if there may be a risk of physical or mental harm to you or any other person that may result from disclosure of your information. Accordingly, we may give you access to the records after we have removed any information we are entitled to withhold that may adversely affect the safety or privacy of other individuals.
You will not be charged for making a request, but we may charge you for the costs of complying with the request. Depending on what is involved, we are entitled to charge you fees to cover time spent by administrative staff to provide access at the employee’s hourly rate of pay, time necessarily spent by a medical practitioner to provide access at the practitioner’s ordinary sessional rate and for photocopying and other disbursements at cost. If a fee will be charged for providing access, you will be advised of the approximate cost before you have to pay the fee.
4.2 How can you correct your personal information?
We will take reasonable steps to ensure your personal information is accurate and kept up to date. From time to time we will ask you to verify that your personal information held by our practice is correct and up to date. You may also request that we correct or update your information, and you should make such requests in writing to the Practice Manager (using the details set out below).
If we refuse a request to correct information, we will:
· provide you with notice in writing setting out the reasons for the refusal and setting out the mechanisms available to you to complain about the refusal; and
· note your request on the file.
We will not charge you for the costs of making a request for correction or for the costs of correcting the personal information. We will use our best endeavours to respond to your request within 30 days.
5. Our Website
Our website may, at times, utilise “cookies” which allow us to monitor our web traffic. Generally, a cookie does not identify you personally but may identify your internet service provider and IP address. We extend the same privacy protection to personal information gathered from our website to that gathered from other sources.
Our website may, at times, contain links to other third party websites. Any access to and use of such websites is not governed by this Policy, but is governed by the privacy policies of those third party websites. We are not responsible for the information practices of third party websites.
6. How can you contact us about privacy matters?
If you have any queries about this policy, your rights about access and correction of personal information, or any privacy concerns, please contact us using the details set out below:
Telephone: (07) 3329 4400
Address: QIDerm, Denman St, Greenslopes Qld 4121
Please address your correspondence to the attention of the Practice Manager and mark it “private and confidential: privacy”.
7. How can you make a privacy related complaint?
7.1 How can you make a privacy related complaint?
We take complaints and concerns regarding privacy seriously. We ask that you advise us of any privacy concerns you may have in writing. Please direct any questions or complaints to the Practice Manager using the postal address or email address listed above. We will then attempt to resolve it in accordance with our resolution procedure.
Any complaint will be thoroughly investigated by us and you will be notified of the making of any decision in relation to your complaint as soon as is practicable after it has been made, usually within 30 days.
If we are unable to resolve your complaint you may also contact the Office of the Australian Information Commissioner (OAIC). The OAIC will generally require you to give us time to respond before they will investigate. For further information visit or call the OAIC on 1300 336 002.
8. Updates to this Policy
This policy will be reviewed from time to time to take into account new laws and technology, changes to our operations and other necessary developments. When this policy is updated we will publish the updated policy on our website and place a notice at reception advising patients of the updated policy for 3 months after the change.