Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy policies for GPs

Being open and transparent with patients about how their personal information is handled by your GP practice is one of the best ways to build trust and confidence. It is also a requirement of the Privacy Act 1988. An APP privacy policy is a key tool for meeting APP 1’s objective of ensuring that APP entities manage personal information in an open and transparent way.

A version of this presentation was delivered by Alun Thomas at a webinar on 11 August 2015.

If you need assistance because the resource you need is not available in a format you can access, please contact us.

Slide 1

Slide

Crest: Australian Government — Office of the Australian Information Commissioner

Privacy policies for GPs

Presented by:

Alun Thomas
Assistant Director, Regulation and Strategy

11 August 2015

www.oaic.gov.au

Transcript

Good afternoon everybody.

Welcome to the Office of the Australian Information Commissioner’s (OAIC) webinar on privacy policies for GPs.

My name is Alun Thomas. I’m an Assistant Director in the Regulation and Strategy branch of the OAIC.

Quick bit of housekeeping. We understand you’re busy and that this is your lunchtime so I’ll try to limit this webinar to around 25 minutes of me speaking, and then we’ll try and answer some questions at the end.

You can ask questions by typing them into the chat box on your screen at any time. We’re putting the slides from the webinar up on our website after this presentation, and we hope to put up the audio as well. That will depend a little bit on the quality of the audio recording. We may need to re-record it later.

Slide 2

Slide

Outline

  • What is personal information?
  • What is a privacy policy?
  • How do I begin?
  • What should it look like?
  • What must I include?
  • Privacy management framework
  • Recap

Transcript

We’ll be looking at a number of things today. Firstly, we’ll have a quick recap on what is personal information. We’ll then talk about what is a privacy policy. I’ll have a chat about how you might want to start beginning drafting a privacy policy and what it should look like. Then we’ll talk about the content you must include in your privacy policy, and then we’ll have a quick chat about the OAIC’s new Privacy management framework. And then, we’ll recap at the end.

Slide 3

Slide

Personal information

  • It is information or an opinion that identifies you or could reasonably identify you
  • It does not matter if it true or not
  • It includes sensitive information

Transcript

Personal information, a brief overview because most of you, I hope, will understand what this is. The Privacy Act 1988 (Privacy Act) regulates the handling of personal information. Personal information is information or an opinion that identifies you or could reasonably identify you. It does not matter whether the information is true or not, particularly if it’s a matter of opinion, it may not be true.

Most of us sort of know what personal information is. Normally, it’s a name, an address, a telephone number linked to a person, if you can be identified from it. But, sometimes it’s not so obvious on its face.  For example, in the context of a GP clinic, a Medicare billing code or a health care fund billing code, when you link it to a person, itself becomes personal information, and it might actually tell something quite sensitive about the person, what their treatment is or what they might be diagnosed with.

Something to remember as well, as a GP clinic, most, probably all of the information you collect, is likely to be sensitive information. This is because in providing a healthcare service, if you’re collecting information to provide that service, you’re collecting, health information. Health information is part of sensitive information, and, sensitive information under the Privacy Act has more stringent requirements. You can only collect sensitive information with consent.

Slide 4

Slide

An APP 1 privacy policy

  • Required by the Privacy Act
  • Bedrock for your privacy management
  • Transparent description of how you handle personal information
  • Must be clearly expressed and up-to-date
  • Must contain certain specified information
  • Must be accessible

Transcript

Amendments to the Privacy Act, which created the Australian Privacy Principles (APPs), came into force on 12 March 2014. That’s about 18 months ago. Your privacy policy is now governed by APP 1. Therefore, having a policy that complies with those requirements is a matter of law.

It’s worth noting, and I’ll just make the point at this time, we have just been undertaking a series of assessments of the privacy policies of 40 randomly selected GP clinics. We haven’t finalised those assessments yet. But, we’re close to it. Of those, around half don’t actually recognise, we don’t think recognise, the APPs. It would suggest that a lot of people are still dealing with out-of-date privacy policies that aren’t complying with current law.

APP 1 is a key principle for all APP entities. It’s a bedrock for your privacy management. If you comply with it, you’ll be able to create policies and procedures to help you meet your obligations under the Privacy Act. One of those obligations is the privacy policy.

A privacy policy should be a transparent description of how you handle personal information. It should be clearly expressed and up-to-date. You need to review it regularly. It should be able to be understood easily by your patients, and not just available for them to read it, but to be able to understand it. As we noted before, it must contain certain specified information, which we’ll deal with later in this webinar. You must take reasonable steps to make it available to your patients. An easy way to do this is to put it on your website, if you have one. If not, you need to think about the other ways you might make it available. For example, displaying it at your reception desk, handing it to people when they register with you for the first time, or just generally making people aware of it by putting a reference to it on registration forms, so they know that it exists and that they can access it.

Slide 5

Slide

How to begin

  • Understand the information flows in your practice
  • Know what you collect, how and why
  • Know what you do with it
  • Know how you hold it
  • Know how you protect it

Transcript

Before you put pen to paper, there’s a strong suggestion we’d make and that is, understand the information flows within your practice. Know what you collect and why you collect it. Know how you’re collecting it and what you’re going to do with it. You also want to know how you hold it, how you’re going to protect it. Sit down and work these information flows out, because until you do so and you understand how and where this information is used in your practice, you can’t really draft your privacy policy.

It’s worth noting that the privacy policy obligation is couched in terms of practices’ usual collection of personal information, usual purposes of collection, use and disclosure, and usual approach to holding information. In other words, it’s what you usually do, it’s not intended to be a fulsome description of everything that you might do.

One idea might be to create a dummy patient, a Mr Jones or a Ms Jones, and pretend that this person is presenting to your practice for the first time, and how and why you’re going to take their personal information and what you’re going to do with it.

You might want to use a template. Quite a few different organisations have created APP 1 templates for their members to use. Our suggestion for there is, use that as a tool but don’t be constrained by it. You still need to look at what your business does and how you handle personal information within your business.

Slide 6

Slide

What should it look like

  • Readability and accessibility
  • Plain English
    • use headings, lists, shorter sentences, paragraphs
    • use active not passive language; use ‘you’
    • Flesch Kincaid and other tools
    • road test it with real people
  • Use templates, but as a tool only
  • Put it on the web/make it accessible

Transcript

What should a privacy policy look like? It needs to be transparent and accessible. It needs to be able to be understood by a wide range of people who will be visiting your practice. One of the critical things is to write it in plain English. There’s a simple number of concepts to think through here. One is the structure

  • Use headings, lists, short sentences and paragraphs.
  • Give your privacy policy some space — don’t try and bunch it up into long sentences.
  • Try and use the active language, not the passive language.
  • Try to use ‘you’ and ’us’, not ‘the practice’ and ’the patient’.

If you try to talk in terms of ‘we’, ’we will do this’, ‘we will collect your personal information’, ’we will disclose it in this way,’ then you’re actually a creating a conversation between you and your patient, and you will tend to actually use the active voice more naturally. That’s what you’re trying to do. You’re trying to have a conversation with your patients.

There’s some tools you can use to work out how complex your language is as well. One idea is Flesch Kincaid, which is a test which you can use online — and at the end of the presentation we’ll give some resources for you — where you can actually cut and paste your privacy policy into an online tool, which will tell you how complex your language is. It’ll basically look at how many syllables you’re using in your words, how many words are in your sentences, how often you’re using the passive voice versus an active voice, and will then suggest how old a person has to be, and what education they have to have, to be able to understand your policy easily.

It’s worth noting that, again, from our assessments we’ve done, it seems that the average reading age is about 19 to 21 years old, which is quite a high reading age for somebody to be able to understand a policy easily. So, we suggest you do think about trying to make it as simple as possible. Another suggestion would be to road-test it on real people. What I mean by that is, people who (a) aren’t lawyers, and (b) aren’t in the medical profession. This is a tool that should be available to everybody and to be able to be used by people generally.

We talked about templates, the other ways to make it accessible, and we talked about that a little bit — put it on your website, put it in your practice, display it at reception and hand it out to new registrants. Those are suggestions.

Slide 7

Slide

What must it say — collection

  • What kinds of personal information are you collecting
    • health information
    • identifying information (including Government identifiers)
  • How are you collecting it
    • in consultations, at registration
    • from other practitioners, the PCEHR system, tests

Transcript

Now, we’re walking into what must the privacy policy actually contain. There’s a series of requirements under APP 1 saying, these are issues that you must cover in your privacy policy. The first is, what information are you collecting, what kinds of information and how are you going to collect it. If you go back to the dummy patient that you’ve created in your mind, Mr Jones or Ms Jones, what kinds of information are you going to collect from Mr Jones? A name, address, maybe their telephone number, maybe their Medicare number, maybe their health fund number. Those are just general bits and pieces. You’re also going to be collecting their medical information, their health, their past medical history, maybe issues from the rest of their family, and you’d be collecting that information from them. So, that’s the kind of information that you’re going to be collecting. Is there any other kind of information you may collect? You need to put that down in your privacy policy.

Then, you need to think about how you’re going to collect it. And again, think about Mr Jones when he presents to your practice. Do you have a registration form? Quite clearly you’re going to be collecting it. Sometimes from consultations, in consultations with doctors or with nurses or other health professionals. You may be collecting it from other sources — from referrals, maybe from pathology reports or other tests that have been done, maybe from the PCEHR system if you’re using it. You will be, for example, collecting information on a shared health summary that someone else has uploaded to the system, a discharge summary or an events summary.

Slide 8

Slide

What must it say — collection

  • Why are you collecting it
    • to provide healthcare services
    • for internal administration
    • for accreditation/insurance
    • other?

Transcript

You then need to also say, what is your purpose for collecting it, why are you collecting it? In some ways this is quite clear — you’re collecting it all to provide your patient with a healthcare service. But, there might be other reasons why you’re also collecting it that are directly related to that. You’ll be using it for internal administration purposes, you might be using it for accreditation purposes, you might be using it for your own insurance purposes as well. I mean, obviously you keep records. Your insurer requires you to keep records of your patients and what care you’ve given them. So, you need to think about those things and set them out in your privacy policy. Again, the usual purposes that you use.

Don’t overreach why you might be collecting the personal information. One thing we need to think about, and we’ll touch on it again in Disclosure, is, when you collect sensitive information, you need the consent of the person to do it. Now, quite clearly, there’s a clear implicit consent that this information is consented to for the use to provide healthcare services. But, that is limited to that purpose. You need to be careful that you don’t try to suggest that you’re using it for a whole bunch of other purposes where you don’t have at least a very strong implied consent, or direct explicit consent, from the patient. 

Slide 9

Slide

What must it say — holding

  • Why are you holding the personal information
    • often the same as collection
  • How you are holding the personal information
    • how are you keeping it secure
    • some examples of key security measures
    • general statements are not enough

Transcript

You must also say why you are holding it. Now, this is quite a simple question to answer in many ways because, very often, why you’re holding it is exactly why you collected it as well. You might be holding it for insurance purposes. Obviously it’s a health record of the patient, so in many ways it’s very much the same text.

How you are holding it though, is slightly different. Here, we are talking about how you’re going to secure that personal information. In what manner are you holding it? And, we really would suggest here that a general statement along the lines of ’We treat your information as confidential’ is not really what we’re looking for in a privacy policy.

It would be good for you to put a few concrete examples of how you protect people’s personal information. For example, if you’re keeping it in paper files, do you keep them secure, under lock and key? Is your building secured? If you’re keeping electronic files, are they password-protected? For all information you hold, do you have limits as to who can access certain bits of information? For example, if you’re using the PCEHR system, is that limited to access only by doctors and medical staff and not, for example, to reception staff as well? Those are the kind of things you need to think about. We’re not expecting you to put down an awful lot of information about how you secure information, but some good examples will give confidence to your patients as well, that you’ve thought these issues through.

Slide 10

Slide

What must it say — use and disclosures

  • Often linked to the purpose of collection
    • to provide healthcare services etc.
  • Other common uses/disclosures
    • to other third parties (including practitioners)
    • to create shared health summaries and upload to the PCEHR system
    • to disclose through eTP services

Transcript

What you also need to talk about then is the use and disclosures and again to a degree this is fairly obvious — you’re going to use and disclose it to provide healthcare. But, you may also disclose it to places where it’s not quite so obvious to the patient. For example, if you’re using the Electronic Transfer of Prescriptions (eTP) service, you’ll be disclosing the patient’s information into that service. That’ll be a usual disclosure for you, and you might want to put — you should put that down in your privacy policy.

Equally, a usual disclosure would be a referral to a specialist. You might provide it to another medical practitioner. Or, into the PCEHR system, we’ve talked about downloading from it as a usual collection, uploading to it would be a usual disclosure. As we said before, in general terms, if the primary purpose is to provide healthcare, so, if that is the purpose of the use or disclosure, that’s okay. In general terms as well, you can disclose information if it’s directly related to that primary purpose and it’s within the reasonable expectations of the patient. So, you may want to use your privacy policy as an avenue to create those reasonable expectations within the patient about how you’re going to use that information.

Slide 11

Slide

Tips and feedback

  • Generally set out what is usual for your practice, not what you might do
  • Do not recite the law — set out what you actually do
  • Don’t forget the PCEHR and eTPs
  • Medical research is a complex area — does not fit in privacy policies easily

Transcript

Okay, some tips. Always set out what is usual for your practice. Not what you might do, or what could be done, but what you normally do. Another thing that we found out from some of the assessments we’ve done is that, people tend to try to just recite the law. Try not to do that.

Firstly, it clogs up your privacy policy. You want to keep it simple and transparent to people. Secondly, to a degree, you want to be setting out what is usual for you. If you’re actually setting out usual permitted disclosures under the Privacy Act, that’s not what really your privacy policy is for. What do you usually collect information for, what do you usually do with it? Don’t forget, use of the PCEHR or eTPs, particularly if you use those services, obviously. We saw some policies also trying to deal with medical research, which is a very complex area, and we would suggest that you don’t try and deal with that within your privacy policy. To the extent that you de-identify people’s personal information, it’s no longer personal information, so that’s not an issue, but we saw people trying to talk about that in a privacy policy. But if you’re trying to use some of the exemptions or ways that are set out in the Privacy Act and in other exemptions to do medical research, we suggest you deal with that separately, outside the privacy policy, in a separate policy document when you seek consent from the patient themselves.

Slide 12

Slide

What it must say — Access, corrections and complaints

  • Include right to access and correct
    • note your right of refusal to correct in limited circumstances
  • Include right to complain
    • include a summary of the complaint process
  • Include contact details
    • role, phone number, email address

Transcript

And, we move on to some of other the things you need to put in there. You need to be able to set out that the patient has a right to access, to correct their personal information and to make a complaint. You need to make it clear in the policy that these are actually a patient’s rights. You also need to make it clear that in some ways you can refuse to correct information but, we recommend that if you do so and you reserve that right to do so because you don’t believe the correction is accurate, that you need to be able to note the person’s request within their record.

You must include the right to complain, and we recommend that you also include a small summary of your complaints process, so that the patient knows what’s going to happen if they do make a complaint. Most crucially we think you need to put in contact names. In fact, that’s a requirement of the Privacy Act and the APPs. You need to be able to make it easy for your patient to contact you, to make a complaint, or to correct, or to access their personal information. Quite a few of the policies we’ve seen don’t actually put any contact details into the privacy policy. It’s not making it easy for the patient.

Our strong suggestion, in fact our recommendation is, you put in a role, such as the Practice Manager as the person who should be contacted, a phone number and an email address. We would suggest, don’t limit it just to written addresses. We saw that. What you’re actually asking your patient to do is to essentially find a piece of paper, a pen, an envelope and a stamp and write you a letter. That’s very disengaging for the patient and in fact, arguably, you’re pushing the patient away from exercising their rights.

Slide 13

Slide

Tips and feedback

  • Make contacting you easy
    • do not limit it to doctors or require consultations in all cases
    • do not limit it to letters only
    • make sure your patients know who to contact for what
  • Complaints — what happens next?

Transcript

Some of these we’ve already covered. Making contact easy. Don’t limit it to needing to have a consultation with a doctor, which is another thing we saw in one of the policies. You might want to consider triaging. If somebody is going to call up and want to make a correction or wants to access, try and triage it through your Practice Manager. If a doctor is needed because it is directly related to their personal information or to their health information, that’s fine, the doctor should get involved. But, that shouldn’t necessarily be the patient’s first port of call. And again, regarding complaints, try and set out some of the information about your complaints resolution procedure. Please don’t just refer to ‘See our complaints resolution procedure’ because that’s not necessarily accessible to the patient. Think about setting out ‘We will respond within three weeks’ or ‘two weeks’ or ’if you’re not satisfied you can escalate your complaint’. Also, possibly put in that if they’re not satisfied, they can contact us — the OAIC.

Slide 14

Slide

What must it say — Overseas disclosures

  • You need to disclose if you are likely to disclose personal information outside of Australia
  • If you do, you need to set out where you are likely to make those disclosures

Transcript

Finally, another thing you need to put in is overseas disclosures. This may not really apply to a lot of your practices or a lot of your businesses because it would not be usual, unless you’re part of a bigger corporate entity or a bigger corporate group, to be disclosing information overseas. But, do remember you need to disclose if you are likely to disclose personal information outside of Australia. If you’re not likely to do it, then say that you’re not going to be doing it unless, for example, the patient provides you with consent or asks you to. Don’t forget as well, even if you do say that you’re likely to, rules for disclosure under APP 6, i.e. it must be directly related to the primary purpose and within the reasonable expectations of the person this is where the information is going to be sent, still applies. So, recommendation, if you’re unlikely to do it, why not say that you’re not likely to do it, or you’re not going to do it.

Slide 15

Slide

Tips and feedback

  • ‘We generally do not..’ is not acceptable — are you likely to?
  • Do you use overseas transcription services?

Transcript

In this context, saying we’re ‘generally’ not going to be sending information overseas is not really an acceptable statement. It leaves open, generally you’re not going to, or does that mean you are going to? So, again, as I said before, if you are not going to be sending information overseas, you might as well say it.

Another one which is an interesting question — transcription services. Some GP clinics we know do consider using overseas transcription services, send electronic audio files overseas to have them typed up. That is actually an overseas disclosure of personal information. So, if you’re doing that, you do need to make patients aware of it.

Slide 16

Slide

Privacy management framework

  • APP 1.2: take reasonable steps to implement practices, procedures and systems that ensure compliance with APPs
  • The OAIC’s privacy management framework sets out the steps the OAIC expects you to take
    • embed a culture of privacy
    • establish robust and effective policies, practices and procedures
    • evaluate them to maintain effectiveness
    • enhance your response to privacy issues — be proactive and anticipate

Transcript

Finally, the OAIC has just created a privacy management framework guide which it’s put on its website. This is guidance to help you comply with APP 1.2. When I talked before about the bedrock to the whole 13 APPs, this is really it. It’s basically a framework to enable you to set out how you’re going to comply with the APPs internally.

It has four steps. It’s about embedding a culture of privacy, establishing robust privacy policies, making sure you evaluate those policies for effectiveness and where necessary amend them and enhance your response to privacy issues that arise. That guide sets out these four steps and gives you some thought about how you might want to implement those steps. How you do that and how you might implement them is up to you. It depends on your business and how you wish to implement, but we would recommend that you might want to have a look at that.

Slide 17

Slide

Recap

  • Know
    • what information you are collecting and how
    • why
  • What you are going to do with it
  • Understand your processes for access, corrections and complaints
  • Write for your audience — plain English
  • Make your policy available to patients — on your website and in your practice
  • Commit to your own privacy management plan

Transcript

Hopefully, you’ve now got a reasonable understanding about what needs to be put into an APP 1 privacy policy. As I said before, you need to know what information you’re collecting, and how and why you’re collecting it. You need to understand as well, quite clearly, what you’re going to do with it. You then need to put that into your privacy policy. You need to understand your processes for access, corrections and complaints, and put that into your privacy policy.

When you’re writing it, write in plain English. Write for your audience. You understand your audience better than I do. The audience for an inner city GP clinic may be very different from an audience in, and will be very different, to one out in regional New South Wales for example. You understand your patients, write for them. Make your policy available for your patients, put it on your website if you have one. If not, make it freely available within your practice. And we would recommend you think about and commit to your own privacy management plan.

Slide 18

Slide

Transcript

I’ll just talk through the resources very quickly. We have two pages worth of resources which we’ll just go through. We have some APP guidelines and policy guidance. That APP 1 policy guidance will actually give you some further tips about how to create an APP 1 policy. We have a Guide to handling complaints which you might want to look at as well. We’ll move on to the next slide.

Slide 19

Slide

Transcript

This is our slide for the Privacy management framework. If you look at the last link there to read-able.com, that’s an online Flesch Kincaid test that you might want to do.