The Privacy Act 2001 comprises of 10 National Privacy Principles that set the standard for how private sector organisations are to handle personal information. Corporate Bodies International is committed to complying with this standard.
Privacy & Consent Position Statement
Corporate Bodies International's Privacy and Consent Policy is based on the Privacy Amendment (Private Sector) Act 2000 and the Privacy Act 1988, which regulates the private health sector throughout Australia. This co-regulatory approach offered by the legislation recognises the particularly sensitive nature of health information and places extra protections around its handling and protection.
On 12th March 2014, the Australian Privacy Principles (APPs) replaced the National Privacy Principles (NPPs) that previously applied to private sector organisations (1). The Australian Privacy Principles now regulate how Corporate Bodies International (CBI) handles service participant personal health information.
This policy outlines how CBI collects, uses, stores, secures and discloses an individual's personal health information and how they can access or seek correction of it and report a privacy breach.
Consent to Participate and Release of Medical Data
Individuals must give written consent to participate in some CBI services to acknowledge their understanding of the following;
That they are participating at their own risk. They acknowledge their understanding that there is minor risk of injury when undertaking some of the assessments.
That they release their personal health information to be used by CBI to compile an anonymous health report in statistical format. The population report will be forwarded to company management and cannot be tracked back to the individual.
That their assessment is not a replacement for a thorough medical assessment or regular medical care by their General Practitioner (GP).
Capacity and Consent
If an individual does not have the capacity to consent to a CBI service or make decisions about their personal health information, a nominated/appointed representative (i.e. a family member, friend or guardian) may be required. For the purpose of a minor (person under 18 years of age), Privacy Law states, consent is valid if that person can understand both the nature and effect of a proposed action (such as the specific handling of their personal information) (2). CBI ensures all individuals are adequately informed, have the capacity to understand, provide and communicate their consent and provide their consent voluntarily.
Purpose for Collecting Personal and Health Information
CBI only collects personal health information when it is necessary to carry out its work. CBI provides a suite of health services to corporate clients and their staff, individuals and community groups. Services include but are not limited to;
In order to provide such services effectively, CBI needs to collect certain personal health information. This serves to ensure the health and safety of individual's partaking in a particular service and assists in determining the type of services required for corporate clients.
CBI will not collect any personal or health information unless an individual has consented to give us this information and it is relevant to our work. CBI staff will always collect personal information in a non-intrusive, lawful and fair manner. .
Type of Information Collected
Personal health information that may be requested by CBI includes and is not limited to;
Use of personal and Health Information
CBI is required to maintain the privacy of an individual's personal and health information from their employer (and any other person). Data is released to the employer with prior written consent from an individual for the reporting of progress or results. For example, where CBI is providing rehabilitative services that require progress reporting.
All individual's (service participants) can trust that their personal health information will be kept confidential, as though they were visiting their own General Practitioner. Although an employer outlays costs for population reporting, the data remains the individual's property and is held by CBI to ensure the safe handling, privacy and security of such information.
Under no circumstances will CBI provide an individual's personal information to their employer (or any other person) without the individual's prior written consent, unless such disclosure is required by law or to comply with the Privacy Act (3).
Disclosure of Information
CBI will not provide an individual's personal health information to any other person or organisation, unless such disclosure is required by law or to comply with the Privacy Act (3). Personal health information will always be treated with the strictest confidence by contractors who provide services on our behalf. In these cases, we ensure that our contractors are bound by and comply with CBI's Privacy and Consent processes.
CBI attempts to collect all personal health information directly from an individual, but with written consent, may be required to obtain this information from additional sources, such as other healthcare providers. If an individual chooses not to provide the particular information required to effectively provide a service, CBI may not be able to deliver the services as intended.
Information Accuracy and Quality
CBI takes due care to ensure personal health information collected, used and disclosed is accurate, up-to-date and complete.
Information Storage and Security
CBI maintains physical, electronic and procedural safeguards to protect an individual's personal health information from disclosure to unauthorised parties and against loss and misuse. All personal health information collected in hard-copy is transported in a locked suitcase and stored in secure lockable filing cabinets, in a lockable storeroom/office with limited access via keys and/or security cards. Electronically stored information is protected via security passwords, firewalls and virus protection. CBI's quality management procedures ensure any stored personal health information is only accessible by authorised personnel as specified in this Privacy and Consent Policy.
The Privacy Act requires CBI to destroy or permanently de-identify personal and health information, once it is no longer required for the intended service or by law. CBI retains hard and/or soft copy of personal and health information for a minimum of 7 years from the date of last contact (4).
All CBI staff are made aware of the company's Privacy and Consent Policy. Induction and refresher training is provided to ensure all staff understand the importance of privacy and how personal information is to be handled in accordance with the Australian Privacy Principles. Intentional breach of CBI's Privacy and Consent Policy will result in disciplinary action, up to and including dismissal. CBI may also consider lodging a complaint with the Health Professional's professional association or registration agency, if a breach of their Code of Professional Conduct has occurred.
Openness and Access to Information
CBI can make an individual's personal health information available to them upon request. This includes the nature of the personal information we hold about them and for what purpose we use, collect, hold or disclose that information.
If an individual would like to access the information we hold about them, they can contact Corporate Bodies International by calling 1300 21 31 41. In order to maintain the confidentiality of an individual's personal health information, we will ask an individual to come into their nearest CBI office and to bring with them 100 points of identification before we give them access. If it is not practical for them to visit our office, we will arrange to check their identification before we mail any information to them.
In the unlikely event that we are unable to provide someone with access to their personal information for reasons specified in the Privacy Act – Section 6 (see Appendix 1), CBI will provide reasons for denying the individual access. This may include circumstances where CBI has recorded data without names attached and we are unable to identify their actual data amongst a large group of anonymous data.
In the course of obtaining personal health Information, it may be necessary for a CBI Health Professional to ask sensitive information. Only information which is released by consent and that which is necessary to provide the intended health service to the individual will be collected.
We plan to keep our Privacy and Consent Policy current, but information can be subject to change according to Privacy legislation. When appropriate, a revised Privacy and Consent Policy will be posted on the CBI website (www.corporatebodies.com.au) which will incorporate any such changes. Please return periodically to review the latest policy.
If you have a complaint based on a breach of CBI's Privacy and Consent Policy and/or the Australian Privacy Principles, you may contact CBI's head office on 1300 21 31 41 to register your complaint. All complaints will be investigated in a timely manner and you will be provided with a response in writing.
Charter of Health Care Rights
Download the CBI Charter of Health Care Rights.