MCPA Privacy Standard
Target Audience
This document is intended for all staff members of Medicinal Cannabis Patients Australia (MCPA), to ensure that Directors and Staff, including contractors, understand their obligations to privacy and confidentiality under relevant legislation.
Purpose
MCPA is committed to providing quality patient advocacy and services, and this policy outlines our ongoing obligations in respect to how we manage personal, sensitive and health information.
It is essential to ensure that all information collected by Medicinal Cannabis Patients Australia remains private and secure.
This includes health-related information and non-health-related information about patients, staff members and others.
The Office of the Australian Information Commissioner (OAIC) is responsible for promoting and upholding the privacy rights of Australians via the Privacy Act 1988, which outlines the 13 Australian Privacy Principles (APP). These principles set out entities' obligations for the management of personal information and help to govern the way in which we collect, use, disclose, store, secure and dispose of personal information. Furthermore, the Health Privacy Principles contained in the Health Records Act 2001 (Vic) specifically pertain to the handling of information by public health organisations.
Consent
Consent applies to a patient's decisions about how you handle the patient's information. MCPA must only collect information from individuals with their consent. Unless the patient has given express permission, MCPA may only collect patient data in the following circumstances:
  • The collection is required or authorised under law.
  • The collection is necessary to prevent or lessen a serious threat to the life or health of any individual or to public health, public safety or public welfare.
Collection and Use
Patients
MCPA staff must collect health information only by lawful and fair means and not in an unreasonably intrusive way, and must only disclose health information about an individual for the primary purpose for which the information was collected. MCPA staff must collect information about an individual only from that individual, where reasonable and practicable to do so. MCPA may disclose a patient's personal information to other health care providers in reasonable circumstances for the purpose of providing advocacy and financial support.
Staff
MCPA may collect personal information (including health and sensitive information) from staff for the following purposes:
  • Employment and human resources
  • Business and operations activities
  • Contract management
  • Contact tracing for any health pandemics
  • Staff Clinic and Immunisation programs
  • Where permitted to do so under law
Quality
MCPA must take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, considering the purpose of the use or disclosure.
Security
According to the Australian Privacy Principles, an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:
  • governance, culture and training
  • internal practices, procedures and systems
  • ICT security
  • access security
  • third party providers (including cloud computing)
  • data breaches
  • physical security
  • destruction and de-identification standards.
Breaches
A data breach is an unauthorised access to, or disclosure of, personal information or loss of personal information.
Any suspected privacy breaches should be taken seriously and acted upon according to the 'Data Breach Preparation and Response (July 2019) - A guide to managing data breaches in accordance with the Privacy Act'.
Entities are required to notify affected individuals and the Commissioner of eligible data breaches.
To report a data breach to the OAIC, complete an electronic 'Notifiable Data Breach Form' found on the OAIC website www.oaic.gov.au.
Government Identifiers
Australian Privacy Principle Guidelines, Chapter 9: APP 9 — Adoption, use or disclosure of government related identifiers, states that an organisation must not adopt, use or disclose a government related identifier (for example, a Medicare number) unless an exception applies.
The objective of APP 9 is to restrict general use and sharing of government related identifiers by organisations so that they do not become universal identifiers. That could jeopardise privacy by enabling personal information from different sources to be matched and linked in ways that an individual may not agree with or expect.
It is worth noting however that you can use or disclose a patient's government related identifier where it is reasonably necessary for you to verify the patient's identity for your activities.
Research
Regarding research, health information may be collected, used or disclosed about an individual if the collection is necessary for research or statistical activities relevant to public health or public safety. Health information used for the purpose of research can be collected without consent if it is impracticable to obtain the individual's consent.
Any health information collected in these circumstances and required to be disclosed must have reasonable measures taken to de-identify the data before disclosure.
For information to be considered relevant to public health or public safety, the outcome of the research or statistical exercise should impact on, or provide information about, public health or public safety. Examples could include research and statistics on communicable diseases, cancer, heart disease, mental health, injury control, diabetes and the prevention of childhood diseases.
Sending Information Outside Victoria
Explicit guidelines are defined in the Australian Privacy Principles, Chapter 8: APP 8 — Cross border disclosure of personal information. Before disclosing any health information, reasonable steps must be taken to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information.
In summary, only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to Victoria's. If a person's personal information travels, their privacy protection should travel with it.
Freedom of Information
The Freedom of Information Act 1982 (FOI Act) allows individuals to request access to identifying information held about them and to seek correction of that information if they consider it wrong or misleading. The FOI Act is supported by the FOI Guidelines issued by the Australian Information Commissioner. The Guidelines provide detailed information on how the FOI Act should be interpreted. Staff are not permitted to view their own records at leisure and must follow the same FOI policies to access information.
Complaints
Patients, staff and service providers must be provided with contact details in order to raise a query or complaint regarding their privacy. Privacy complaints are to be taken seriously. Privacy complaints may be responded to by staff members directly involved in the incident (or their managers). The complainant should also be advised of their right to complain to:
  • the Health Complaints Commissioner (Victoria) about the handling of their health-related Identifying Information.
  • the Office of the Victorian Information Commissioner (Victoria) about the handling of their FOI request.
Data Retention
Schedule 1, Principle 4 of the Health Records Act states the circumstances in which a health service provider may delete health information relating to an individual.
An entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the Australian Privacy Principles.
Privacy Culture
Personal information and data are among our most valuable business assets; it is therefore imperative to embed a work culture that respects privacy and values the protection of personal information. Leadership commitment to a culture of privacy is a foundation for good privacy governance and management.
Roles and Responsibilities
According to the Privacy Management Framework, key roles and responsibilities should be appointed for privacy management, including a senior member of staff with overall accountability for privacy. Furthermore, ensure reporting mechanisms are implemented to inform senior management about privacy issues.
Relevant Standards
  • Charter of Human Rights and Responsibilities Act 2006
  • The Privacy Act 1988
  • Health Records Act 2001
  • Freedom of Information Act 1982
  • Victorian Data Sharing Act 2017
  • Public Records Act 1973
  • Privacy and Data Protection Act 2014
Definitions
Personal information
Personal information is defined in the Privacy and Data Protection Act as:
information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act applies.
Sensitive information
Sensitive information is a subset of personal information. It is defined in the Privacy and Data Protection Act. It means information or an opinion about an individual's:
  • racial or ethnic origin
  • political opinions
  • membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association
  • membership of a trade union
  • sexual preferences, orientation or practices
  • criminal record
Health information
The Health Records Act defines health information as information or an opinion about:
  • the physical, mental or psychological health (at any time) of an individual; or
  • a disability (at any time) of an individual; or
  • an individual's expressed wishes about the future provision of health services to him or her; or
  • a health service provided, or to be provided, to an individual
or
  • other personal information collected to provide, or in providing, a health service; or
  • other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  • other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.