Collection of Personal Information
First, set out what type of information your business collects. Personal information includes:
- contact details;
- date of birth;
- demographics; and
If your business receives personal information from third parties, you should indicate that you do so, and explain that you will protect this third party information in the same way you protect information collected directly.
Medical businesses also collect sensitive information, which is a subset of personal information. This is given higher protection under the APPs.
Sensitive information includes:
- information or an opinion about an individual’s race, political opinions, religions and beliefs, memberships of a particular association, sexual orientation, or criminal records, which are also personal information;
- health information;
- genetic information (that is not otherwise health information); and
- biometric information.
Use and Disclosure of Personal Information
Uses may include contacting and communicating with clients, for internal record keeping, marketing, and providing information to third parties.
You are allowed to disclose personal information to credit reporting agencies and courts where your clients fail to pay for any goods or services you provided, to law enforcement agencies as required by law, and to third parties who may assist in providing information, products or services to the client.
In relation to sensitive information, use and disclosure is stricter.
For a medical business, generally, sensitive information may only be used or disclosed under the following circumstances:
- if the client would reasonably expect the business to use or disclose the information for a secondary purpose, and only if that secondary purpose is directly related to the primary purpose for which the sensitive information was collected;
- if it is required or authorised by law;
- if you reasonably believe that the disclosure is necessary for law enforcement purposes; or
- if a permitted health situation exists.
A permitted health situation only exists where the information is necessary to provide a health service to the individual and the collection is either:
- required or authorised by or under an Australian law; or
- in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
Storage and Security
You need to show your client that you are committed to keeping personal and sensitive information secure. You should outline what procedures you have in place to protect information such as physical, electronic or managerial procedures.
However, to limit your liability, it is wise to explain that whilst measures are taken, no information transmitted over the internet can be guaranteed to be secure.
You must provide details of how people can contact you in regards to the personal information that is held with your business and how they can correct this information.