WHISE (Women’s Health in the South East) has legal and ethical responsibilities with regard to the protection of personal privacy, confidentiality and access to information. WHISE ensures that consumers’ privacy and confidentiality are kept just that: private and confidential.
From time to time, WHISE collects personal information as part of its research, community surveys/consultations and project evaluation activities. WHISE also maintains a list of members and their contact details.
WHISE is a not-for-profit with a turnover of less than $3 million. The WHISE Board, staff, consultants, contractors, auditors, volunteers and students are all bound by our Privacy Policy and related procedures and by the following legislation relating to privacy, confidentiality and information access:
- Privacy and Data Protection Act 2014 (Victoria)
- Health Records Act 2001 (Victoria)
- Charter of Human Rights and Responsibilities Act 2006 (Victoria)
In addition to this, WHISE adheres to the following Commonwealth legislation and regulation:
- Privacy Act 1988 (C’Wealth)
- Associations Incorporation Reform Act 2012
Policy Principles
The following privacy principles apply to personal information collected and held by WHISE:
Collection of Personal Information
WHISE will collect (by lawful and fair means) only that information about an individual which is necessary for one or more of its functions or activities, and only with the prior knowledge or consent of the individual.
The individual must be advised of the uses of the collected information and the individual’s right to request access to the information.
Use and Disclosure of Information[1]
WHISE will use individual personal information solely for the purpose for which it was collected.
WHISE will not disclose individual personal information to a third party unless required by law.
Data Quality Control
WHISE will take reasonable steps to ensure that individual personal information it collects is accurate, complete, up-to-date and relevant to its function.
Data Security and Retention
WHISE will take reasonable steps to protect and secure the personal information it holds from misuse, loss and unauthorised access, modification or disclosure.
WHISE will only destroy or delete health information in accordance with the provisions of the Health Records Act 2001 (Victoria).
Openness
WHISE will ensure that individuals can access the WHISE Privacy Policy, and the WHISE website Policy Statement.
Access and Correction
Individuals have a right to request access to personal and health information held about them by WHISE.
If an individual establishes that her personal or health information held by WHISE is inaccurate, incomplete, misleading or out of date, WHISE will take reasonable steps to correct the information.
Unique Identifiers
WHISE will not collect, use or disclose any unique identifier assigned to an individual by another organisation (such as Tax File Numbers, Driver License Numbers, Medicare Numbers) unless required by law to do so, and the individual’s consent has been obtained.
From time to time, WHISE conducts surveys or research, which may involve assigning an identifier code to an individual’s survey/research responses for the purpose of collection and collation of data. Such identifier codes will not be used for any other purpose and will not be disclosed to third parties. Any published survey results or research reports will not contain any identifying information about individual respondents.
Anonymity
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with WHISE.
Sensitive Information
WHISE will only collect sensitive personal information (such as racial origin, political views, religious beliefs, sexual orientation, criminal record) where necessary and with the consent of the individual.
Interstate or International Information Transfer
The transfer of personal or health information outside Victoria or Australia may occur only if the individual requests or consents to the transfer and if the recipient is subject to privacy laws substantially similar to Victoria’s laws.
Definitions
Personal information is information or an opinion (whether true or not) about any individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Examples of personal information include an individual’s name, address, telephone number, photograph, and bank account details.
Health information is information or an opinion about an individual’s physical health, mental or psychological health, their disability, or any health services provided to them or to be provided.
Sensitive information is information or an opinion about an individual’s racial or ethnic origin; political beliefs or membership of a political association; religious beliefs/affiliations; philosophical beliefs; membership of a professional or trade association or trade union; sexual orientation or practices; physical, mental and psychological health; or criminal record.
Our Practice
Our Privacy Officer and Response to Complaints and Requests
The declared Privacy Officer for WHISE can be reached via email.
The Privacy Officer can be contacted via email about complaints, concerns and queries regarding the WHISE Privacy Policy, this statement, and activities in relation to our legal and ethical responsibilities with regard to the protection of personal privacy, confidentiality and access to information.
Collection and Use of Information
Where personal information is to be collected, the individual will be advised of WHISE’s privacy provisions and the purposes for which the information is being collected.
Data Security
All personal identifying information must be kept securely. Archived records must be kept secure and protected from deterioration.
Access to individual records is restricted to authorised staff. No staff member may access any individual records except where such access is required to perform her professional or administrative duties.
The CEO of WHISE will have access to individual records where necessary for the investigation of complaints and for specified legal purposes. As required to manage complaints, access, correction and matters relating to privacy, the CEO can delegate the access on specific items to the Privacy Officer.
All Board members, staff and volunteers are subject to a signed privacy, confidentiality and security agreement.
Access and Correction
Access
An individual may request access to their personal and health information held by WHISE through the Privacy Officer.
The individual must email the Privacy Officer with a “Request for Access”.
WHISE will respond to individual requests within 45 days of receipt and the response will be coordinated by the Privacy Officer.
Correction
No records may be destroyed or deleted, but may be amended or supplemented by a correcting statement added to the individual’s records under the coordination of the Privacy Officer.
If an individual requests a correction to their information records, through the Privacy Officer, WHISE will:
I. discuss with the person the details of their request; and
II. where necessary, take steps to include a correcting statement to the individual’s records.
WHISE will respond to requests for a correction to an individual’s records within 30 days of receipt of the request.
Retention and Disposal of Information
WHISE must retain and dispose of individual health information in accordance with the requirements of the Health Records Act 2001.
Unless otherwise authorised or required by law, individual health records must be retained for a minimum of seven years after the last occasion on which a health service was provided by WHISE to the person.
Complaints Process
An individual may lodge a privacy complaint if they believe their personal information has been collected, used, disclosed or handled inappropriately.
Complaints may be made in writing to the CEO of WHISE via the Privacy Officer contact page. The CEO, with the Privacy Officer, will investigate and respond to the complainant. All complaints will be treated seriously and investigated promptly. Complaints will be addressed within 21 days of the complaint being lodged.
If the matter is not resolved to the complainant’s satisfaction, the complainant should be made aware of their right to take the complaint to the Office of the Victorian Information Commissioner, or to the Victorian Health Services Commissioner if the matter relates to the individual’s health information.
[1] “Use” refers to the handling of information within the organisation. “Disclosure” refers to the transmission of information to a third party outside the organisation.