Privacy Principles in the Medical Workplace

The Australian Privacy Principles, located in Schedule 1 to the Privacy Act 1988 (Cth), have been in force for some time now. For those of you who are asking “what on earth are the Australian Privacy Principles?”, here’s a refresher (or introduction!) to some of the principles, and how they might apply to you.

Australian Privacy Principle (‘APP’) 1: Open and Transparent Management of Personal Information
This principle essentially requires entities to develop and implement practices and procedures that ensure the entity complies with all of the APPs. It also requires a “clearly expressed and up-to-date” policy about how personal information is managed. This policy should be freely available and contain certain prescribed information. Whilst most organisations have a link to the privacy policy on their website, it may be a good idea to have a hard copy of the policy available for any new clients.

APP 11: Security of Personal Information
APP 11.1 requires an entity to take reasonable steps to protect personal information from:
a) misuse, interference, loss; and
b) unauthorised access, modification or disclosure.
If information is no longer required to be retained, it must be destroyed or de-identified.

This APP has implications for the systems used to store information, including clinical files, patient notes, contact information and diagnoses. It also has implications for the systems in place for archiving or destroying files. For instance, in 2014, the Privacy Commissioner chastised a medical practice for keeping archived patient files in a locked garden shed, stating that this method of storage did not comply with APP 11.

There are also APPs relating to the collection of personal information (APP 3), the use and disclosure of personal information (APP 6) and dealing with requests from individuals about personal information (APP 12). However, these must be read in the context of the rest of the Privacy Act and other legislation, particularly in relation to health agencies, and probably require the finesse and skills of a lawyer* or a politician to explain in full detail!

In short, anti-virus protection alone may not be enough to keep your data safe. Encrypted uploading processes, password protection and secure emailing are all easy ways you can keep personal information safe, in the spirit of the "reasonable steps" that APP 11 calls for**.

*I’m not a lawyer, so you should obtain proper legal advice about APP and privacy procedures, not just rely on my blog!
**In the interests of full disclosure, I (In On Time Medical Transcriptions) use password protection, encrypted uploading and secure emailing.