Australian Government - Office of the Australian Information Commissioner

Calvary Private Hospital ACT: Assessment report

Australian Privacy Principles
Section 27(1)(d) Privacy Act 1988

Assessment undertaken: April and June 2014
Draft report issued: June 2014
Final report issued: June 2014

Part 1 – Introduction

1.1 This report relates to the privacy assessment undertaken by the Office of the Australian Information Commissioner (OAIC) of Calvary Private Hospital ACT (Calvary) to assist Calvary in its readiness for the introduction of the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act). The APPs came into force on 12 March 2014.

Background

1.2 The OAIC has a Memorandum of Understanding (MOU) with the Department of Health (Health). The MOU relates to the provision by the OAIC of dedicated privacy related services under the Privacy Act, the Healthcare Identifiers Act 2010 (Cth) (HI Act) and the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) for the period 29 November 2012 to 30 June 2014.

1.3 Health and the OAIC agreed that the OAIC would undertake an assessment of a major private sector healthcare provider to assist it in its readiness for and compliance with the Australian Privacy Principles (APPs) contained in the Privacy Act, including in relation to its use of individual healthcare identifiers and eHealth records. The APPs came into force on 12 March 2014.

1.4 Calvary is a private hospital operated by Little Company of Mary Health Care (LCMHC), a private sector organisation which provides health, aged and community care services, including the operation of several public and private hospitals (known as Calvary hospitals) throughout New South Wales, Australian Capital Territory (ACT), Victoria, Tasmania, South Australia and the Northern Territory.

1.5 Calvary was identified by the OAIC as a potential focus for an APP assessment because it is a prominent health provider subject to the Privacy Act. In February 2014, LCMHC agreed to the OAIC conducting an assessment of Calvary.


Part 2 – Description of assessment

Objective and scope

2.1 The objective of the assessment was to assess Calvary’s privacy policy and collection notice to determine Calvary’s readiness for and compliance with the requirements under APPs 1 and 5[1].

2.2 The purpose and objective of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.

2.3 APP 5 sets out the obligation for an entity to ensure that an individual is aware of certain matters when it collects that individual’s personal information. Generally, the individual must be made aware of how and why personal information is, or will be, collected and how the entity will deal with that personal information.

2.4 Part of this process involved assisting Calvary to further develop its documentation to help ensure that it has:

  • a clearly expressed and up-to-date APP Privacy Policy in place about how it will manage personal information in relation to the PCEHR system and HIs (APP 1.3 and 1.4)

  • taken reasonable steps to make its APP Privacy Policy available free of charge in an appropriate form and, where requested, in a particular form (APP 1.5 and 1.6)

  • when collecting personal information about an individual, in relation to the Personally Controlled Electronic Health Record (PCEHR) system and Individual Healthcare Identifiers (IHIs), taken reasonable steps to notify the individual of certain matters outlined in APP 5 or otherwise ensure individuals are aware of those matters, at or before the time of collection, or as soon as practicable afterwards (APP 5.2).

2.5 In assessing Calvary, the OAIC used the checklist and guidance contained in the OAIC’s Guide to developing an APP privacy policy (APP 1 guide) and referred to the Australian Privacy Principles Guidelines.

2.6 This assessment process may also serve as a guide for other similar entities in developing or revising their own privacy policies and collection notices.

Timing and methodology

2.7 OAIC staff conducted the documentation review from 1 April to 11 April 2014 and 2 June to 5 June 2014 at the OAIC’s Sydney office. The assessment was confined to a review of documents received from Calvary:

  • draft Little Company of Mary Health Care (LCMHC) Limited Corporate Privacy Policy - March 2014 (draft APP 1 privacy policy)

  • draft Calvary APP 5 collection notice – 11 June 2014

  • Calvary Private Hospital admission package (old collection notice)

  • Calvary privacy brochure - rights and responsibilities of person receiving care

  • Calvary privacy brochure – privacy policy of the person receiving care

  • link to the privacy webpage on the Calvary website (www.calvaryactprivate.org.au/privacy-rights-and-responsibilities.html).

2.8 The OAIC also considered the following documents from the Calvary website which were relevant to the assessment:

  • information sheet for consumers or third parties on accessing health records
  • consumer request form for accessing health records

2.9 Between April and June 2014, OAIC staff provided written comments to Calvary on its draft APP 1 privacy policy and APP 5 collection notice. In addition, OAIC staff also had a number of telephone discussions and a face to face meeting with key staff from Calvary to understand Calvary’s operational environment and discuss Calvary’s documentation.

2.10 The assessors acknowledge the contribution Calvary staff made in giving their time, expertise and assistance to the OAIC in undertaking the assessment which was conducted in a collaborative and positive manner.


Part 3 — Assessment issues

APP 1 privacy policy

Key issues

3.1 On 26 March 2014, Calvary provided the OAIC with a copy of its draft APP 1 privacy policy.

3.2 The OAIC reviewed the draft policy using the OAIC’s APP 1 guide. In particular, the guide’s detailed checklist was used to work out whether Calvary’s draft policy met the requirements of APP 1. The checklist asks questions such as whether an organisation’s policy is easy to understand, specific and tailored, and whether it covers the kinds of information collected, how the information is held and otherwise complies with the requirements of APP 1.

3.3 Matters discussed in the checklist are not intended to be prescriptive or exhaustive. Therefore, Calvary was also advised that its particular circumstances and business operations would also be relevant as to whether additional topics should be covered by its APP 1 privacy policy.

3.4 Calvary was provided with preliminary written comments which noted a few key issues which, in the OAIC’s opinion, needed to be addressed in order to ensure Calvary’s APP 1 readiness and compliance. These issues included:

  • lack of clarity over which entity was covered by the policy. If it was intended that the policy act as a central privacy policy applicable to all hospitals administered by the ‘Little Company of Mary Health Care Limited’, then this should have been properly articulated in the policy. If each hospital handles different types of personal information, or handles the same information differently, then each hospital should consider developing its own privacy policy

  • both the draft privacy policy and the admission package collection notice used the terms ‘privacy policy’ and ‘collection notice’. The OAIC was of the view that the reader would confuse the APP 5 collection notice with the APP 1 privacy policy, and recommended amending the titles to clarify this point

  • it was unclear what the relationship was between all the documents provided by Calvary. There were two brochures and an information sheet available on the Calvary website which related to privacy. However they were not referenced in the draft privacy policy nor was it clear if they were intended to act as a layered privacy policy

  • the OAIC also made a number of minor suggestions to improve the readability of the policy, such as adding a contents page and removing an appendix setting out all the APPs.

Addressing the OAIC’s preliminary comments and additional matters

3.5 The OAIC had a series of meetings with Calvary staff to work through the OAIC’s preliminary written comments and to discuss additional matters. Calvary agreed to address all of the issues raised and implement most of the suggested changes from the OAIC’s preliminary written comments.

3.6 Calvary advised it was taking the opportunity afforded by the introduction of the APPs to update all of its privacy related documents and its privacy webpage so that all link to or reference each other, are consistent with the draft privacy policy and reflect the APPs.

3.7 Following the meeting, Calvary twice updated its draft APP 1 privacy policy in order to address issues discussed in the previous meeting and in subsequent discussions with the OAIC. The following additional matters were discussed during the meeting and in the comments provided on the first draft received after the meeting:

  • the OAIC noted that the draft policy used the word ‘may’ throughout which suggested uncertainty about the extent of Calvary’s information handling practices. In certain circumstances it may be sufficient to use ‘may’. However the OAIC was of the view, and Calvary agreed, that where possible, the policy should be definitive regarding Calvary’s information handling practices

  • Calvary advised that the draft policy was intended to act as a central privacy policy for all hospitals administered by the LCMHC. Therefore in developing the policy Calvary had to consider other jurisdictions and legislation as there may have been overlapping obligations for Calvary’s public hospital operations where the entity operating the hospital may be an APP entity and subject to the Privacy Act

  • Calvary noted that it was rationalising its website to make it more accessible and make it easier to find privacy related information such as the privacy policy. The OAIC noted that most websites have links to privacy policies located at the bottom of the website’s homepage.

  • in addition, the OAIC pointed out that an important component of APP 1 (specifically APP 1.5 and 1.6) is to take reasonable steps to make the APP Privacy Policy available free of charge in an appropriate form and, where requested, in a particular form. Having a policy which is easily accessible online would be an important step towards fulfilling this APP requirement

  • the OAIC noted that the policy should clarify the overseas disclosures which are made by Calvary; if there are no overseas disclosures, this should be stated clearly in the policy. The OAIC noted that an APP entity may disclose information overseas to business suppliers (for example, providers of services to the entity) without realising that such disclosures now need to be described in its privacy policy. Calvary staff were confident that Calvary did not disclose personal information overseas, though they agreed to properly examine its internal business practices to confirm that this was the case

  • the OAIC suggested amending the policy’s security section so that it more accurately describes in general terms Calvary’s practices to secure personal information

  • the OAIC enquired about the section of the policy which deals with individuals consenting to Calvary sending them direct marketing communications. The OAIC drew Calvary’s attention to the OAIC’s view on ‘voluntary consent’ (consent is voluntary if an individual has a genuine opportunity to provide or withhold consent) and ‘bundled consent’ (bundling together multiple requests for an individual’s consent to a wide range of collections, uses and disclosures of personal information).

  • the OAIC noted that, in the context of a provider of health care services, it is likely that any personal information collected from a patient, including demographic information, would come within the definition of ‘health information’ in s 6 of the Privacy Act and would be sensitive information within the meaning of the Act. As a result, any use of that information for direct marketing would require consent under APP 7.4. The ‘reasonable expectation’ exemption under APP 7.2 would not apply

  • there is a risk that the practice of bundled consent, especially where it involves obtaining consent to handle personal information for direct marketing purposes while a person is seeking medical services, has the potential to undermine the voluntary nature of any consent. Direct marketing in this context may then be a breach of APP 7.4

  • Calvary said that it had added the section as a standard provision and, though it may consider direct marketing in the future, Calvary did not then use personal information for this purpose and would consider deleting or revising this section

  • the OAIC emphasised that the policy should specifically reference the handling, including usual collection and usual disclosure, of individual healthcare identifiers and eHealth records, as they are specifically defined as personal information under legislation. Calvary said it would use this advice as it further developed the policy.

Latest draft

3.8 The latest version of the draft policy was received by the OAIC on 11 June 2014.

3.9 The OAIC welcomed the efforts made by Calvary to implement the OAIC’s comments and suggestions. For example, it was clear in the latest draft that the policy is intended to be a central privacy policy for all hospitals administered by the LCMHC. Calvary determined that other Calvary entities operating public hospitals are APP entities.

3.10 Further, the latest draft of the policy contained a completely revised direct marketing provision which states that Calvary does not use personal information for direct marketing purposes, thus removing any concerns the OAIC had regarding obtaining consent from individuals to use their personal information for direct marketing purposes.

3.11 Calvary adopted the OAIC’s suggestion to clarify the policy’s security paragraph which now articulates in clear but general terms the measures Calvary has in place to protect the personal information of individuals.

3.12 Other positive aspects of that draft included:

  • the policy clearly stated that Calvary will not disclose personal information to anyone located overseas

  • Calvary adopted the OAIC’s suggestion to expand the policy’s examples of personal information collected and held by Calvary so that it also mentions Medicare numbers, IHIs and medical insurance details

  • the addition to the ‘To whom will we disclose your information?’ section, so that it now refers to Calvary’s disclosures to the PCEHR System Operator when it uploads personal information to a patient’s eHealth record; and in relation to IHIs, to other entities in accordance with the HI Act

  • amendments were made to the section which outlines the purposes for which Calvary collects, holds, uses and discloses personal information. The amendments included examples of the types of contractors, service providers and third parties Calvary discloses personal information to in order to provide health care services to individuals

  • clarification of the third parties to whom Calvary will disclose personal information, by providing examples of third party disclosures.

Areas for improvement

3.13 After reviewing the latest draft of the policy, the OAIC also noted a few areas for improvement from a privacy perspective which are outlined below.

  • Calvary did not clarify in the latest draft of the policy why profession, occupation or job title information is collected and what is done with this information when it is provided. For example, where the policy describes the purpose of collection in the ‘For what purposes do we collect, hold, use and disclose your personal information?’ section, none of the listed purposes explicitly covers the collection of profession, occupation and job title information. The OAIC suggests that the policy explain this point further.

  • The latest draft of the policy states that Calvary will collect anonymous answers to surveys and aggregated information about how users use the Calvary website for statistical purposes. However it also says that in all other circumstances it will be impractical for Calvary to interact with individuals anonymously or pseudonymously.

  • APP 2 provides that individuals must have the option of dealing anonymously or by pseudonym with an APP entity unless an exception applies, for example, if it is impracticable for the entity to deal with individuals who have not identified themselves (APP 2.2(b)). The OAIC noted that Calvary needs to be satisfied that it is impracticable to interact with individuals anonymously or pseudonymously in all cases. The OAIC did suggest that Calvary reconsider this section by providing further detail on circumstances where it may be impracticable or qualify the statement (by including the phrase ‘it usually will be impracticable…’ or similar), though this was not adopted in the latest draft of the policy.

  • On its face, and without the qualification suggested above, the statement ‘it is impractical for us to interact with you anonymously or pseudonymously’ may be inconsistent with the later section of the policy which states that if personal information is not collected, Calvary may not be able to provide health care services at the same standard, or at all.

  • The OAIC is of the view that Calvary should consider the implications of this section further to ensure it accurately reflects Calvary’s practices and obligations under APP 2 and is consistent with other parts of the policy.

  • Following advice received from the OAIC, Calvary included text in the ‘What personal information do we collect and hold?’ section of the policy to cover Calvary’s handling of IHIs which are used to identify and access patient records in the eHealth record system. However the latest draft of the policy notes that a patient at one of its facilities will be assigned an IHI, mistakenly implying that this will occur when a patient receives healthcare services from Calvary.

  • If a patient is enrolled in Medicare, or holds a Department of Veterans’ Affairs treatment card, they have already been allocated an IHI. Only individuals who are not eligible for these programs, such as visitors to Australia or international students, will not automatically have an IHI. The OAIC recommends redrafting this section to accurately reflect the handling of IHIs.

APP 5 collection notice

3.14 Along with the privacy policy, Calvary also provided the OAIC with a copy of its privacy collection notice contained in the Calvary Private Hospital admission package form. The notice was created in reference to the National Privacy Principles which have since been replaced by the APPs.

3.15 An APP entity must take reasonable steps either to notify an individual of the APP 5 matters or to ensure the individual is aware of those matters (APP 5.1). What constitutes reasonable steps for an APP entity will depend on the circumstances, including the sensitivity of the personal information collected. More rigorous steps may be required when collecting ‘sensitive information’.

3.16 As noted above, all personal information collected by Calvary from a patient is likely to be ‘sensitive information’. Therefore the OAIC took this into account when it conducted its assessment of Calvary’s collection notice.

APP 5.2 matters

3.17 APP 5.2 lists the matters that must be notified to an individual or of which they must be made aware. For each matter, Calvary in developing its collection notice must consider whether notifying the individual would be reasonable in the circumstances. This means that it may be reasonable for Calvary to notify an individual of some but not all of the matters listed in APP 5.2.

3.18 The OAIC’s view was that the notice was clearly written and generally presented the necessary information well. However the OAIC’s preliminary comments highlighted how the notice could better address relevant matters in APP 5.2, including:

  • to avoid confusion, the notice should consistently specify the entity collecting the personal information

  • Calvary may want to consider adding an alternative form of contact such as a telephone number and/or email address (for example the privacy officer details found in the corporate policy), that will not change with staff movements, to allow for remote communication regarding privacy enquiries and requests

  • set out if applicable the Australian law authorising or requiring the collection of personal information or if multiple Australian laws authorise or require the collection, include a generic description of the laws under which personal information is collected by Calvary (for example, ‘ACT Health laws’)

  • separate how the personal information collected in the form will be used from how it will be disclosed (for example disclosure could have its own heading)

  • provide a direct link to Calvary’s full privacy policy, or more detailed instructions about where to find it on Calvary’s website

  • the notice did not address disclosure of information to overseas recipients; it should state whether such disclosures occur and, if so, the circumstances of the disclosure

  • amending the title ‘Privacy Policy’ in its Calvary Private Hospital admission package so that readers do not confuse this document with Calvary’s full privacy policy

  • if Calvary participates in the PCEHR system and handles healthcare identifiers, the notice and any accompanying material would have to be updated to reflect the handling of this personal information.

New collection notice

3.19 Following the receipt of our preliminary comments, Calvary developed a new collection notice which was provided to the OAIC on 11 June 2014. After reviewing the new collection notice, the OAIC noted the following:

  • addressing an issue previously highlighted by the OAIC, the new collection notice consistently refers to the entity collecting the information (ie Little Company of Mary Health Care Limited)

  • like the previous notice, this document does not either specifically or generically refer to any applicable Australian laws authorising or requiring Calvary’s collection of personal information

  • the notice refers to the handling of personal information in relation to the eHealth record system. However, the OAIC suggests rewording this section so that it states Calvary ‘will’ collect, use and disclose personal information rather than that it is ‘required to’, so that the notice more accurately reflects the handling of eHealth records under the PCEHR Act and the latest draft of Calvary’s privacy policy. In addition, this section should also refer to the handling by Calvary of IHIs in accordance with the HI Act

  • to enhance the notice’s readability and clarify the facts and circumstances of collection, the OAIC suggests using headings as in the previous notice

  • remove reference to direct marketing to ensure consistency with the latest draft of the privacy policy

  • when setting out the entities that Calvary will disclose personal information to, the notice should include disclosures to the PCEHR System Operator when Calvary uploads information to a patient’s eHealth record; and in relation to IHIs, to other entities in accordance with the HI Act. These changes would make the notice consistent with the latest draft of the privacy policy

  • Calvary adopted our previous suggestion by including in the new notice contact information which will not change with Calvary staff movements and allow for remote communication regarding privacy enquiries and requests.


Part 4 – Opinion

4.1 The assessors are of the opinion that Calvary’s privacy policy generally reflects the requirements found in APP 1. However, Calvary’s collection notice requires some redrafting to make it consistent with the privacy policy.

4.2 The assessors have identified areas where Calvary could improve its privacy policy and notice, and have made suggestions that, if put in place, will (in the opinion of the OAIC) enhance Calvary’s readiness for and compliance with the APPs.


Footnotes

[1] APPs 1 and 5 can be viewed on the OAIC’s website at: www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles
