Privacy Policy

Nursing Essentially is committed to protecting your personal information. As such, Nursing Essentially handles all information according to the Privacy Principles as described in the Australian Commonwealth Privacy Act (1988).

The client is advised that:

Collection of personal information

Nursing Essentially will only collect personal information necessary for our business functions or activities. This includes:

  • providing you with our services;
  • providing you with information you may have requested and answering your enquiries;
  • providing you with the information we consider of interest to you – but please remember that we will always ask for your permission first.

In general, the information collected from you will be your name, address and contact details (including telephone number and e-mail address) and details that are applicable to you and/or your dog (in the case of Animal Assisted Therapy, if applicable) in order for services to be conducted in as thorough a manner as possible.

Nursing Essentially will collect personal information by way of written forms and other correspondence (letters and e-mails), by telephone, in person, through our representative and via our Website. Nursing Essentially will collect personal information directly from you, unless there are extenuating circumstances.

Fair and lawful means for collecting your personal information will always be used. At the time of collecting personal information, Nursing Essentially will inform you generally about the purpose of collection and to whom we will disclose the information. Nursing Essentially will inform you of any law that requires us to collect the information and the relevant consequences if you do not provide all information requested. Be aware that if not all the information we require is forthcoming, Nursing Essentially may be unable to provide you with the services you are seeking. Nursing Essentially will enable you to interact pseudonymously or anonymously, whenever practicable and lawful.

Use and disclosure of personal information

Nursing Essentially may use and disclose your personal information for the primary purpose for which we have collected it, and for other related purposes you would reasonably expect. This would generally include providing you with information about our services, marketing information or offers regarding other services of Nursing Essentially or upcoming events, and obtaining your feedback on our products and services. If you have received communications from us but do not wish to do so in the future, please let Nursing Essentially know via e-mail or call 0426 975 364.

Nursing Essentially will not pass on, sell or swap your personal information with any third party.

Apart from the above uses, Nursing Essentially will otherwise only use and disclose personal information with your consent (unless such uses and disclosures are required or permitted by law, including without limitation those prescribed by the APPs).

Storage and security

Nursing Essentially takes all reasonable steps to securely store your personal information to ensure it is protected from loss, misuse, interference, or unauthorised access, modification or disclosure. Nursing Essentially safeguards your information through our written privacy policy and by using physical, electronic and procedural protection. The information collected is destroyed or permanently de-identified when it is no longer needed for any purpose.

However, be aware that if you provide us with your personal information via the website, Nursing Essentially cannot guarantee the privacy or security of that information during transmission. But once Nursing Essentially receives it, we will take reasonable steps to securely store your personal information to ensure it is protected from loss, misuse, disclosure, interference, unauthorised access, or modification.

Nursing Essentially’s Website

Whenever you use our website, or any other website, the computer on which the web pages are stored needs to know the network address of your computer so that it can send the requested web pages to your Internet browser. The unique network address of your computer is called its ‘IP address’, and is sent automatically each time you access any Internet site. From a computer’s IP address, it is possible to determine the general geographic location of that computer, but otherwise it is anonymous.

Nursing Essentially does not keep a record of the IP addresses from which users access our website except when it is specifically provided to. Our website may contain links to other websites. We are not responsible for the privacy practices or the use and protection of your personal information on those sites.

Access and correction

You may seek access to any of the personal information we hold about you by contacting the Owner of Nursing Essentially. If Nursing Essentially is required or authorised by law to do so, Nursing Essentially may refuse to provide you with access to this information. If this is the case, then Nursing Essentially will provide written reason(s) for the refusal and explain how you may complain about our decision.

If access is granted, Nursing Essentially may require identification documents to accompany a request and may also charge a fee for providing access. This fee will be limited to the amount of our reasonable expenses incurred. The expenses one could generally expect to pay include photocopying and administration. Nursing Essentially does not charge a fee for lodging a request for access.

Nursing Essentially may provide access to personal information in any of a number of ways. These include a paper hard copy, or allowing you to view our records. If any personal information we hold is incomplete, inaccurate, irrelevant, misleading or out-of-date, we will amend that information, and thus our records, accordingly. Be advised that the onus is on you to let us know if any of your personal details change.

Complaints, concerns or further information

If a client believes Nursing Essentially has breached our obligations under the Privacy Act (including the APPs), or has queries or concerns regarding their privacy and the way in which we handle their personal information, we ask they contact the Owner of Nursing Essentially. As appropriate, Nursing Essentially will endeavour to provide further information, or in the case of a complaint Nursing Essentially will investigate the complaint and provide a response within 14 days.

Cameras and recording devices in the workplace and during home visits

Policy

The purpose of cameras and recording devices in the workplace is to assist the Owner to provide quality services to the Client.

Cameras and recording devices may only be used with the permission of the Client and in the context of provision of services. However, it is acknowledged that some Clients may not be comfortable with this.

Nursing Essentially acknowledges the right of Clients, Visitors and Employees to privacy and will ensure that no person is photographed or recorded without their specific permission. Where the person is unable to give informed consent (for example, children), the parent or guardian will be responsible for consent.

Definition

The definition of “camera” or “recording device” includes, but is not limited to:

  • Devices designed to record and/or store a still or moving image, with or without sound;
  • Mobile phones containing cameras;
  • Any device used to record voices including phones and laptops; and
  • Any other device that can be used as a camera or recording device.

For the purposes of this policy, “covert surveillance” refers to surveillance of an individual without their knowledge or consent and to surveillance of Nursing Essentially property without the Owner’s consent or authorisation.

Procedure

The use of any equipment to conduct covert surveillance without the Owner’s express consent is forbidden in the Office of Nursing Essentially.

The use of cameras or recording devices by an Employee of Nursing Essentially to photograph a Client, Visitor or an Employee, or record an interview or consultation without that individual’s knowledge and specific consent, is strictly prohibited. Media consent is obtained in the Services Contract and will be expressly asked prior to photographs or videotaping being obtained.

Any Employee who is found to have compromised the confidentiality or safety of any individual or of Nursing Essentially through the inappropriate use of a camera or recording device, will have the images confiscated and will be disciplined. In serious cases, an Employee’s employment contract will be terminated and where appropriate, the matter will be reported to the SA Police.

Clients and any other Visitors may not take photographs of, or use recording devices within, the Office of Nursing Essentially, or of Clients, etc. (whether inside or outside the office), without the express approval of the Owner of Nursing Essentially.

Any Employee who observes the inappropriate use of a recording device, or becomes aware of another Employee who has been the perpetrator or victim of inappropriate use of a recording device, must report such use to the Owner as soon as possible. If the Owner is of the opinion that confidentiality or the Privacy Act has been breached then they may consider taking legal action.

Clients and Visitors must be advised of the requirements in relation to the carrying and/or use of cameras and recording devices on the premises, especially those contained in mobile phones.


Opt in:

“Section 6EA of the Privacy Act allows small businesses/not-for-profits, who would otherwise not be covered by the Privacy Act, to choose to be treated as an organisation for the purposes of the Privacy Act and therefore subject to the Australian Privacy Principles and any relevant APP code” (Office of the Australian Commission, Australian Government, 2018). Nursing Essentially has decided to “opt in” and be subject to the Australian Privacy Principles and any relevant APP code.


Data Breach and the Australian Privacy Act

Information sourced directly from: Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) “Office of the Australian Commission – Australian Government”: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response

Key points

  • A data breach is an unauthorised access or disclosure of personal information, or loss of personal information.

  • Data breaches can have serious consequences, so it is important that entities have robust systems and procedures in place to identify and respond effectively.

  • Entities that are regulated by the Privacy Act should be familiar with the requirements of the NDB scheme, which are an extension of their information governance and security obligations.

  • A data breach incident may also trigger reporting obligations outside of the Privacy Act.

What is a data breach?

A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.

Personal information is information about an identified individual, or an individual who is reasonably identifiable.[1] Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.

A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.

Examples of data breaches include:

  • loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information

  • unauthorised access to personal information by an employee

  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person

  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

Consequences of a data breach

Data breaches can cause significant harm in multiple ways.

Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation.

Examples of harm include:

  • financial fraud including unauthorised credit card transactions or credit fraud

  • identity theft causing financial loss or emotional and psychological harm

  • family violence

  • physical harm or intimidation.

A data breach can also negatively impact an entity’s reputation for privacy protection, and as a result undercut an entity’s commercial interests. As shown in the OAIC’s long-running national community attitudes to privacy survey, privacy protection contributes to an individual’s trust in an entity.[2] If an entity is perceived to be handling personal information contrary to community expectations, individuals may seek out alternative products and services.

An entity can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in their data breach response. This involves being transparent when a data breach, which is likely to cause serious harm to affected individuals, occurs. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that an entity takes their responsibility to protect personal information seriously, which is integral to building and maintaining trust in an entity’s personal information handling capability.

The Australian Privacy Principles

The Privacy Act contains 13 Australian Privacy Principles (APPs) that set out entities’ obligations for the management of personal information. The APPs are principles-based and technologically neutral; they outline principles for how personal information is handled and these principles may be applied across different technologies and uses of personal information over time.

Compliance with the APPs as a whole will reduce the risk of a data breach occurring. This is because the APPs ensure that privacy risks are reduced or removed at each stage of personal information handling, including collection, storage, use, disclosure, and destruction of personal information. For example, APP 3 restricts the collection of personal information. APPs 4.3 and 11.2 outline requirements to destroy or de-identify information if it is unsolicited or no longer needed by the entity. Compliance with these requirements reduces the amount of data that may be exposed as a result of a breach.

Compliance with the requirement to secure personal information in APP 11 is key to minimising the risk of a data breach.[3] APP 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The type of steps that are reasonable to protect information will depend on the circumstances of the entity and the risks associated with personal information handled by the entity.[4]

In addition, APP 1 requires entities to take reasonable steps to establish and maintain practices, procedures, and systems to ensure compliance with the APPs.[5]

The OAIC has published various resources to assist entities to meet their obligations under APP 1.2[6] and APP 11.[7]

The Notifiable Data Breaches (NDB) scheme

The NDB scheme in Part IIIC of the Privacy Act requires entities to notify affected individuals and the Commissioner of certain data breaches.

The NDB scheme requires entities to notify individuals and the Commissioner about ‘eligible data breaches’. An eligible data breach occurs when the following criteria are met:

  • There is unauthorised access to or disclosure of personal information held by an entity (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
  • This is likely to result in serious harm to any of the individuals to whom the information relates.
  • The entity has been unable to prevent the likely risk of serious harm with remedial action.

Entities must also conduct an assessment if it is not clear if a suspected data breach meets these criteria. The assessment will determine whether the breach is an ‘eligible data breach’ that triggers notification obligations.

The primary purpose of the NDB scheme is to ensure individuals are notified if their personal information is involved in a data breach that is likely to result in serious harm. This has a practical function: once notified about a data breach, individuals can take steps to reduce their risk of harm. For example, an individual can change passwords to compromised online accounts, and be alert to identity fraud or scams.

The NDB scheme also serves the broader purpose of enhancing entities’ accountability for privacy protection. By demonstrating that entities are accountable for privacy, and that breaches of privacy are taken seriously, the NDB scheme works to build trust in personal information handling across industries.

Part 4 of this guide provides detailed information to assist entities to meet their obligations under Part IIIC of the Privacy Act when responding to an eligible data breach or a suspected eligible data breach.

Other obligations

Entities may have other obligations outside of those contained in the Privacy Act that relate to personal information protection and responding to a data breach. These may include other data protection obligations under state-based or international data protection laws. Australian businesses may need to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR)[8] if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities might consider reporting certain breaches to:

  • the entity’s financial services provider
  • police or law enforcement bodies
  • the Australian Securities & Investments Commission (ASIC)
  • the Australian Prudential Regulation Authority (APRA)
  • the Australian Taxation Office (ATO)
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC)
  • the Australian Cyber Security Centre (ACSC)
  • the Australian Digital Health Agency (ADHA)
  • the Department of Health
  • State or Territory Privacy and Information Commissioners
  • professional associations and regulatory bodies
  • insurance providers.

Some entities may have additional obligations to report to the Commissioner under the National Cancer Screening Register Act 2016 (NCSR Act) or have different reporting obligations under the My Health Records Act 2012 (My Health Records Act).

Under the NCSR Act, current and former contracted service providers of the National Cancer Screening Register must notify the Secretary of the Department of Health (the Secretary) and the Commissioner if they become aware of unauthorised recording, use or disclosure of personal information included in the Register. The Secretary must also notify the Commissioner of certain data breaches, including potential breaches, in connection with the National Cancer Screening Register. The Secretary must also consult the Information Commissioner about notifying individuals who may be affected. Separately, entities with NCSR Act obligations must consider whether the incident also requires notification under the NDB scheme, as the two schemes operate concurrently. Where the tests for both schemes have been met, the entity may make a joint notification to the Commissioner.

Certain participants in the My Health Record system (such as the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider) are required to report data breaches that occur in relation to the My Health Record system to either the System Operator or the Commissioner, or both, depending on the entity reporting the data breach (s 75 of the My Health Records Act). More information about obligations under the My Health Records Act and how these obligations interact with the NDB scheme is available in Part 4.


Information to be included (with a Yes/No and Comments column for each item):

  • What a data breach is and how staff can identify one
  • Clear escalation procedures and reporting lines for suspected data breaches
  • Members of the data breach response team, including roles, reporting lines and responsibilities
  • Details of any external expertise that should be engaged in particular circumstances
  • How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions
  • An approach for conducting assessments
  • Processes that outline when and how individuals are notified
  • Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted
  • Processes for responding to incidents that involve another entity
  • A record-keeping policy to ensure that breaches are documented
  • Requirements under agreements with third parties such as insurance policies or service agreements
  • A strategy identifying and addressing any weaknesses in data handling that contributed to the breach
  • Regular reviewing and testing of the plan
  • A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan


Nursing Essentially is committed to a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:

  • who is responsible for implementing the communications strategy;

  • determining when affected individuals must be notified (refer to Identifying eligible data breaches for further information about mandatory data breach notification requirements under the NDB scheme);

  • how affected individuals will be contacted and managed;

  • criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators such as the OAIC, and the media).


Strategies

Nursing Essentially will address the following questions to help identify strategies to contain a data breach:

  • How did the data breach occur?

  • Is the personal information still being shared, disclosed, or lost without authorisation?

  • Who has access to the personal information?

  • What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?

At this point, an entity may suspect an eligible data breach under the NDB scheme has occurred, which would trigger assessment obligations. Or, the entity may believe the data breach is an eligible data breach, which requires them to notify individuals as soon as practicable.

During this preliminary stage, be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable the entity to address all risks posed to affected individuals or the entity.

Assess

An assessment of the data breach can help an entity understand the risks posed by a data breach and how these risks can be addressed. It should be conducted as expeditiously as possible.

Gather and evaluate as much information about the data breach as possible. By creating a complete picture of the data breach, an entity can ensure they understand the risk of harm to affected individuals, and identify and take all appropriate steps to limit the impact of a data breach.

This assessment should also assist entities in deciding whether affected individuals must be notified.

In Nursing Essentially, the assessment of a data breach will consider:

  • the type or types of personal information involved in the data breach
  • the circumstances of the data breach, including its cause and extent
  • the nature of the harm to affected individuals, and if this harm can be removed through remedial action.

All entities should consider whether remedial action can be taken to reduce any potential harm to individuals. This might also take place during Step 1: Contain, such as by recovering lost information before it is accessed.

Entities subject to the NDB scheme are required to conduct an assessment of ‘suspected’ eligible data breaches and take reasonable steps to complete this assessment within 30 days (see Assessing a suspected data breach). Criteria for assessing a data breach, including the risk of harm and remedial action, are explored in Identifying eligible data breaches.

Notify

Notification can be an important mitigation strategy that has the potential to benefit both the entity and the individuals affected by a data breach. The challenge is to determine when notification is appropriate. Sometimes, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. It can also de-sensitise individuals so that they don’t take a notification seriously, even when there is a real risk of serious harm. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.

Consider:

  • the obligations of the entity under the NDB scheme. Entities are required to notify individuals and the Commissioner about data breaches that are likely to result in serious harm. Part 4 of this guide provides further detail about the NDB scheme’s requirements
  • other circumstances in which individuals should be notified. For example, your entity may not have obligations under the NDB scheme, but have processes in place to notify affected individuals in certain circumstances
  • how notification should occur, including:
    • what information is provided in the notification
    • how the notification will be provided to individuals
    • who is responsible for notifying individuals and creating the notification.
  • who else other than affected individuals (and the Commissioner if the notification obligations of the NDB scheme apply) should be notified
  • where a law enforcement agency is investigating the breach, it may be appropriate to consult the investigating agency before making details of the breach public
  • whether the incident triggers reporting obligations to other entities.

Effective data breach response is about reducing or removing harm to affected individuals, while protecting the interests of your organisation or agency. Notification has the practical benefit of providing individuals with the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams resulting from the breach. It is important that staff are capable of engaging with individuals who have been affected by a data breach with sensitivity and compassion, in order not to exacerbate or cause further harm. Notification can also help build trust in an entity, by demonstrating that privacy protection is taken seriously.

Review

Once steps 1 to 3 have been completed, an entity should review and learn from the data breach incident to improve its personal information handling practices.

This might involve:

  • a security review including a root cause analysis of the data breach
  • a prevention plan to prevent similar incidents in future
  • audits to ensure the prevention plan is implemented
  • a review of policies and procedures and changes to reflect the lessons learned from the review
  • changes to employee selection and training practices
  • a review of service delivery partners that were involved in the breach.


In reviewing information management and data breach response, an entity can refer to the OAIC’s Guide to securing personal information.[10]

When reviewing a data breach incident, it is important to use the lessons learned to strengthen the entity’s personal information security and handling practices, and to reduce the chance of reoccurrence. A data breach should be considered alongside any similar breaches that have occurred in the past, which could indicate a systemic issue with policies or procedures.

If any updates are made following a review, staff should be trained in any changes to relevant policies and procedures to ensure a quick response to a data breach.

Notifiable Data Breach (NDB) Scheme

The Privacy Act requires certain entities to notify individuals and the Commissioner about data breaches that are likely to cause serious harm.

The requirements of the NDB scheme are contained in Part IIIC of the Privacy Act and apply to breaches that occur on or after 22 February 2018.

This part of the guide covers the following topics:

Entities covered by the NDB scheme

Key points

  • Entities that have existing obligations under the Privacy Act to secure personal information must comply with the NDB scheme.

  • This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.

  • Entities that have Privacy Act security obligations in relation to particular types of information only (for example, small businesses that are required to secure tax file number information) do not need to notify about data breaches that affect other types of information outside the scope of their obligations under the Privacy Act.

APP entities

The NDB scheme applies to entities that have an obligation under APP 11 of the Privacy Act to protect the personal information they hold (s 26WE(1)(a)). Collectively known as ‘APP entities’, these include Australian Government agencies and private sector and not-for-profit organisations with an annual turnover of more than $3 million. The definition of APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state (s 6C). However, some businesses of any size are APP entities, including businesses that trade in personal information[12] and organisations that provide a health service to, and hold health information about, individuals (see Is my organisation a health service provider?).

For more information about APP entities, see Chapter B of the Australian Privacy Principle Guidelines (APP Guidelines).[14]

Exempt acts and practices, including employee records

The NDB scheme only applies to entities and personal information holdings that are already subject to security requirements under the Privacy Act. This means that acts and practices of APP entities that are exempt from the Privacy Act will also be exempt from the NDB scheme.

For example, in some circumstances, private sector employers do not have to comply with the APPs in relation to employee records associated with current and former employment relationships (s 7B(3)). If an exempt employee record is subject to unauthorised access, disclosure or loss, the private sector employer does not have to assess the breach or notify individuals and the Commissioner. This exemption does not apply to TFN information that is contained within an employee record. However, given community expectations around the handling of their personal information, it is recommended that employers notify affected individuals where a breach of an employee record is likely to result in serious harm. Doing so will enable affected individuals to take protective action against any potential harms, as well as illustrating to employees that the security of their records is taken seriously.

Further information about acts and practices that are exempt from the APPs and, by extension, the NDB scheme can be found in Privacy business resource 13: Application of the Australian Privacy Principles to the private sector.

Small business operators

A small business operator (SBO) is an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001 (s 6D).

Generally, SBOs do not have obligations under the APPs unless an exception applies (s 6D(4)).

In certain circumstances an SBO must comply with the APPs, and therefore with the NDB scheme. That will be the case where the SBO:

  • holds health information and provides a health service
  • is related to an APP entity
  • trades in personal information. That is, the SBO discloses personal information about individuals to anyone else for a benefit, service or advantage; or provides a benefit, service or advantage through the collection of personal information about another individual from anyone else
  • is a credit reporting body
  • is an employee association registered under the Fair Work (Registered Organisations) Act 2009
  • has ‘opted-in’ to APP coverage under s 6EA of the Privacy Act.

If an SBO carries on certain activities it must comply with the APPs, and therefore must comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities. Those activities include:

  • providing services to the Commonwealth under a contract
  • operating a residential tenancy database
  • reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • conducting a protected action ballot
  • retaining information under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

More information about how to determine whether a business or organisation is an APP entity or subject to the APPs for some of its activities is available at Privacy business resource 10: Does my small business need to comply with the Privacy Act?.[16]

Applicable Links


References to Policy:

The Privacy Act (1988) – 13 Australian Privacy Principles

Principle 1 – Open and transparent management of personal information

  • An entity must manage personal information in an open and transparent way.

Principle 2 – Anonymity and pseudonymity

  • Individuals must have the right to identify themselves via a pseudonym unless prohibited by law or unless it is impracticable for the entity to deal with individuals who have used a pseudonym.

Principle 3 – Collection of personal information

  • Personal information may only be collected if it is relevant to the functions of the entity.

Principle 4 – Dealing with unsolicited personal information

  • An entity that receives unsolicited information about a person must deal with that information in specific ways. Refer to the link above.

Principle 5 – Notification of the collection of personal information

  • This principle explains the obligations on the entity in the event that personal information is collected of which the person may not be aware.

Principle 6 – Use or disclosure of personal information

  • Relates to the requirement that personal information not be disclosed for any purpose other than that for which it was given, unless consent has been obtained.

Principle 7 – Direct marketing

  • An entity may not use personal information for direct marketing. However, there are exceptions; refer to the link for more information.

Principle 8 – Cross-border disclosure of personal information

  • Before passing on personal information to an overseas recipient, steps must be taken to ensure that the recipient does not breach the Australian Privacy Principles.

Principle 9 – Adoption, use or disclosure of government related identifiers

  • An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless certain criteria are met.

Principle 10 – Quality of personal information

  • An entity must take steps to ensure that the personal information it holds is accurate, up to date and complete.

Principle 11 – Security of personal information

  • Steps must be taken to keep the information secure from loss, misuse or unauthorised access. When information is no longer needed it should be destroyed or de-identified.

Principle 12 – Access to personal information

  • If an entity holds personal information about a person, the entity must give the individual access to the information.

Principle 13 – Correction of personal information

  • If an entity holds personal information, it must take reasonable steps to ensure that the information is accurate, up to date, complete, relevant and not misleading.

For more information on the National Privacy Principles, see the National Privacy Principles guidelines, issued by the Office of the Federal Privacy Commissioner. The full text of the NPPs can be found at the Federal Privacy Commissioner’s website: http://www.privacy.gov.au/ 



Version Control

Related Acts, Policies and Documents

  • Scope of Practice for Registered Nurses and Midwives.

  • ICN Code of Ethics for Nurses.

  • Registered Nurse Standards for Practice.

  • Privacy Act (1988).

  • National Law: Section 39 – Mandated Reporting.

    Children and Young People Act 2008 (ACT), Children and Young Persons (Care and Protection) Act 1998 (NSW), Care and Protection of Children Act 2007 (NT), Child Protection Act 1999 (Qld), Children’s Protection Act 1993 (SA), Children, Young Persons and their Families Act 1997 (Tas.), Children, Youth and Families Act 2005 (Vic.).

  • Nursing Essentially General Policies.

Policy Custodian: Dr. Geller
Responsible Officer: Dr. Geller
Endorsed By: Dr. Geller
Reviewed By: Mr. Jolly

Date                 Version   Approved By
23rd June 2017       1         Dr. Geller
22nd December 2018   2         Dr. Geller