The Kimberley Aboriginal Medical Services Ltd (KAMS) acknowledges its ethical and legal obligations under the Privacy Act (1988) and the Health Services (Conciliation and Review) Act (1995) in the protection of the privacy of individuals.
KAMS also acknowledges that individuals, stakeholders, staff and the Board of KAMS have a right to expect their information is treated confidentially and their privacy protected.
- To detail the kinds of personal information KAMS collects and holds
- To detail how we collect personal information
- To explain why we collect, hold, use and disclose personal information
- How individuals can access and correct their personal information we hold
This policy applies to all Board, staff, contractors and volunteers of KAMS and KRS.
Information can mean both health information and personal information.
Access is defined as the provision of a copy of the information or the provision of supervised access to the information.
Child means a person under the age of 18 years.
Confidentiality is the protection of information that is meant to be kept secret or private.
Examples of maintaining confidentiality include:
- individual files are locked and secured
- workers do not tell other people what is in an individual’s file unless they have permission from the individual
- information about individuals is not told to people who do not need to know
- adults have the right to keep any information about themselves confidential, which includes that information being kept from family and friends.
Consent means express consent or implied consent.
Health information is defined as:
- information or an opinion, that is also personal information, about:
- the health or a disability (at any time) of an individual, or
- an individual’s expressed wishes about the future provision of health services to him or her, or
- a health service provided, or to be provided, to an individual, or
- other personal information collected to provide, or in providing, a health service, or
- genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Examples of health information include:
- information about an individual’s physical or mental health
- notes of an individual’s symptoms or diagnosis and the treatment given
- specialist reports and test results
- appointment and billing details
- prescriptions and other pharmaceutical purchases
- dental records
- information about an individual’s suitability for a job, if it reveals information about the individual’s health
- an individual’s healthcare identifier when it is collected to provide a health service
- any other personal information (such as information about an individual’s date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.
Australian Privacy Principles (APP), which are contained in Schedule 1 of the Privacy Act 1988, outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.
Parent in relation to a child, includes –
- a step-parent;
- an adoptive parent;
- a foster parent;
- a guardian; or
- a person who has custody or daily care and control of the child.
Personal Information is defined by the Privacy Act 1988 as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Sensitive Information is a subset of personal information and is defined as:
Information or an opinion (that is also personal information) about an individual’s:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual orientation or practices, or
- criminal record
- health information about an individual
- genetic information (that is not otherwise health information)
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
- biometric templates.
Policy Guidelines and Procedures
Openness (APP 1)
KAMS is committed to the open and transparent management of information in accordance with Australian Privacy Principle 1.
- How individuals may apply to access, correct or update personal information about them.
- How KAMS complies with Australian Privacy Principles to manage personal information in an open and transparent way;
- How KAMS deals with enquiries or complaints from individuals about our compliance with Australian Privacy Principles.
Collection of Personal Information Solicited by KAMS (APP 3)
KAMS collects personal information in accordance with the Australian Privacy Principles in a fair and lawful manner.
KAMS only collects personal information that is reasonably necessary for KAMS functions and activities.
Where practical, KAMS collects the information directly from the individual to whom it relates.
KAMS will only collect sensitive information with the individual’s consent, and where the information is necessary for KAMS functions and activities.
KAMS collects and uses personal information for related purposes including:
- Delivery of health care and related services;
- Organisational management, governance and administration;
- Employment of staff – recruitment and employment;
- Students undertaking training delivered by KAMS;
- Clinical audit and quality improvement;
- Stakeholder comments, participation in services, research and evaluation, education, programs, public enquiries, feedback;
The types of information KAMS collects and holds includes (but is not limited to) personal information and health information about users of our services, and personal information about our employees, students and contractors.
Notification of Collection of Personal Information (APP 5)
At all times (before, during or after – if not practical earlier) when KAMS collects personal information about an individual we will take reasonable steps to notify or ensure the individual is aware of:
- Our identity and contact details
- If we collect the information from someone else, or the individual may not be aware we have collected the information, we will ensure they are notified that the information has been collected and the circumstances.
- If the information is required under Australian law or a court/tribunal order
- The purpose for which we collect the information
- The consequence for the individual (if any) if we don’t collect all or some of the information
- Other agencies we usually disclose personal information to (if any)
- How the individual may access or correct the information we hold
- How to complain about privacy breaches and how we deal with complaints
- Whether we are likely to disclose to overseas agencies, and if yes, which countries that applies to
Anonymity (APP 2)
In accordance with Privacy Principle 2, KAMS will give individuals the option to remain anonymous and to use a pseudonym when dealing with KAMS where practical.
Dealing with Unsolicited Personal Information (APP 4)
If KAMS receives personal information that we did not solicit (request or ask for), we will determine (within a reasonable period) whether we could have collected the information under APP 3 if we had solicited it.
If we determine we could not have solicited the information, and it is not within a Commonwealth Record, then as soon as practical, and if it is lawful, we will either destroy the information or ensure it is de-identified.
Quality of Personal Information (APP 10)
KAMS will take reasonable steps to ensure the personal information we collect and/or disclose is accurate, up to date and complete.
Use or Disclosure of Personal Information (APP 6)
KAMS will not use information for purposes other than those for which it was collected unless prior consent has been obtained.
KAMS will not disclose personal information to third parties without consent from the individual to whom it pertains, unless required to do so by law or as otherwise allowed under the relevant State Acts.
KAMS will take reasonable steps to de-identify information where that is appropriate to disclosure.
KAMS will not disclose personal information for the purposes of direct marketing. (APP 7)
KAMS will not disclose to overseas recipients without the individual’s consent or unless required by law (APP 8 – Cross border disclosure of personal information).
KAMS electronic patient information systems send records by secure encrypted electronic transmission.
Security of Personal Information (APP 11)
In order to protect information from misuse, loss or unauthorised access, modification or disclosure, KAMS maintains secure information storage systems and procedures for the management of both physical and electronic information.
Information will be disposed of or de-identified when the information is no longer required (by KAMS or by law).
Access and Correction (APP 12 & 13)
KAMS will provide individuals with access to the information held about them, provided such access does not infringe upon the privacy of other individuals.
If there are reasons for refusing access to such information, KAMS will provide a written explanation.
Individuals have the right to correct information held about themselves if they think that it is not accurate.
KAMS will correct personal information, where KAMS is unsatisfied with the accuracy or when the individual requests us to correct the information.
KAMS will notify third parties of corrections made, when the individual makes the request, and we have previously provided information to the other entity.
If you wish to seek access to your personal information or inquire about the handling of your personal information, please contact the Corporate Services Manager by email at firstname.lastname@example.org.
Adoption, Use or Disclosure of Government Related Identifiers (APP 9)
KAMS will not adopt, use or disclose a government related identifier of an individual as if it were our client code. Government related identifiers such as Medicare numbers will only be disclosed for the purposes of providing health care services.
In accordance with KAMS Feedback and Complaint Handling Policy, individuals can complain about breaches of this policy:
- By telephoning KAMS on 08 9194 3200 and speaking to the Corporate Services Manager
- By completing a feedback form from the KAMS website
- By writing to KAMS Attention: Corporate Services Manager PO Box 1377 Broome WA 6725
- By emailing KAMS at email@example.com
Complaint Management Steps
- The Complaint is Recorded:
KAMS will record the complaint on LogiQC Feedback Register upon receipt of it. Updates will be added to the LogiQC record throughout the complaint handling process. Personal information will be maintained in accordance with relevant privacy legislation.
- The Complaint is Acknowledged:
Within five business days of receiving a complaint, KAMS will acknowledge receipt of the complaint either by email or letter.
- The Complaint is Reviewed:
An initial review of the complaint will be carried out to determine whether or not any additional information or documentation is required to complete an investigation. KAMS may need to contact the customer to clarify details or request additional information where necessary.
- An Investigation is Carried out
Within 15 business days of receiving a complaint KAMS will investigate the complaint objectively and impartially. All information provided will be considered, including actions taken by staff in relation to dealing with the complaint and any other information which may be available, that could assist in investigating the complaint.
Following the investigation, KAMS will notify the customer of the findings, any action(s) taken and the reasons for any decisions made.
- Continual Improvement:
There will be regular reviews and monitoring of complaint records for continuous improvement. Where appropriate, KAMS will amend business practices or policy. Improvements arising from feedback and complaints are recorded on LogiQC Improvement Register.
In accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017, KAMS will notify individuals whose personal information is involved in an eligible data breach that is likely to result in serious harm. This notification will include recommendations about the steps individuals should take in response to the breach.
An ‘eligible data breach’, which triggers notification obligations, is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of a data breach include when:
- a device containing client’s personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person.
KAMS will notify the Australian Information Commissioner when eligible data breaches occur.
External Agencies for Complaints
Individuals have the right to complain to the Health and Disability Services Complaints Office (HaDSCO) if they are not satisfied with how the matter has been handled.
Health and Disability Services Complaints Office (HaDSCO)
469 Wellington Street, Perth WA 6000
GPO Box B61
Perth WA 6838
Complaints and enquiries line: (08) 6551 7600
Country Free Call: 1800 813 583
TTY: (08) 6551 7640
Fax: (08) 6551 7630
HaDSCO reviews and reports on the causes of complaints, undertakes investigations, suggests service improvements and advises service providers about effective complaint resolution.
Roles and Responsibilities
- The Board is the ultimate decision making authority of the Kimberley Aboriginal Medical Service Ltd. and they delegate the decision making power of the day to day running of the Kimberley Aboriginal Medical Service Ltd. to the CEO in line with the CEO Position Description; and
CEO and Management
- The CEO of the Kimberley Aboriginal Medical Service Ltd. is responsible for overseeing privacy procedures across the organisation;
- Allocate responsibility for privacy management and delegation of authority; and
- Allocate sufficient resources for secure management of personal information.
- Comply with Policies and Procedures; and
- Maintain confidentiality and privacy for individuals.
- Confidentiality Policy & Procedure
- Code of Conduct
- Code of Ethics
- Discipline Policy
- Conflict of Interest Policy
- Feedback and Complaints Handling Policy
- Computer Security Procedures and Disaster Recovery
- Headspace Broome Collection and Use of your Personal information