Privacy Policy

St Vincent’s Hospital Sydney Limited, with respect to its facilities St Vincent’s Hospital Sydney, Sacred Heart Health Service (St Vincent’s Health Network), is committed to protecting the privacy of personal information (including health and sensitive information) that we collect and hold.

This policy applies to all employees of St Vincent’s Health Network, any medical or dental practitioners  appointed or credentialed with St Vincent’s Health Network; volunteers; students; contractors and any other persons who in the course of their work have access to personal information  and health information, whether by electronic means or otherwise.

This policy does not apply to any information which is not personal information or health information, or is de-identified information.

Objective

This privacy policy explains how St Vincent’s Health Network handles personal information in accordance with the requirements of the Privacy Act 1988 (Cth).

 

Definitions

In this Privacy Policy the following terms have the following meanings:

De-identified Information

Information or an opinion about a person whose identity cannot be ascertained from the information or opinion.

Health Information

  1. personal information or an opinion about:
    1. an individual’s physical or mental health or disability (at any time);
    2. an individual’s express wishes about the future provision of health services for themselves; or
    3. a health service provided, or to be provided, to an individual;
  2. other personal information collected to provide, or in providing, a health service;
  3. other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  4. genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual; or healthcare identifiers.

NSW Health Organisations

Agencies or organisations which fall under the portfolio of the NSW Ministry of Health, which includes, as at April 2021:

  1. NSW Ambulance
  2. HealthShare NSW;
  3. NSW Health Pathology;
  4. eHealth NSW;
  5. Health Protection NSW;
  6. Local Health Districts and Specialty Networks under the Health Services Act 1997 (NSW), including any agencies governed by those Local Health Districts and Specialty Networks;
  7. Statutory Health Corporations under the Health Services Act 1997 (NSW), including:
    1. Agency for Clinical Innovation;
    2. Bureau of Health Information;
    3. Cancer Institute NSW;
    4. Clinical Excellence Commission;

Personal Information

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Personal Information includes both health information and sensitive information.

Related Entities

  1. St Vincent’s Health Australia Limited (SVHA);
  2. St Vincent’s Healthcare Limited;
  3. St Vincent’s Care Services Limited;
  4. St Vincent’s Private Hospital Northside Limited;
  5. St Vincent’s Hospital (Melbourne) Limited;
  6. St Vincent’s Private Hospitals Limited;
  7. St Vincent’s Private Hospital Sydney ;
  8. The Trustees of the Sisters of Charity of Australia
  9. St Vincent’s Hospital Sydney Limited;
  10. St Vincent’s Clinic.Trustees of Mary Aikenhead Ministries;
  11. Trustees of St Vincent’s Hospital Sydney.

Sensitive Information

  1. personal information or opinion about an individual’s:
    1. racial or ethnic origins;
    2. political opinions or political associations;
  2. health information about an individual; or
  1. philosophical beliefs or religious beliefs or affiliations;
  1. sexual preferences or practices; or
  1. criminal record; or

genetic information about an individual that is not otherwise health information.

 

Policy Statement

St Vincent’s Health Network is committed to protecting the privacy of personal information which it collects and holds.

St Vincent’s Health Network must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), and other privacy laws (including the Health Records and Information Privacy Act 2002 (NSW)) which govern the way in which organisations (such as St Vincent’s Health Network) collect, hold, use and disclose personal information. As an affiliated health organisation under the Health Services Act 1997 (NSW), St Vincent’s Health Network is also subject to the NSW Health Privacy Manual for Health Information (Third Edition) as amended or replaced from time to time.

The purpose of this Privacy Policy is to explain:

  1. the kinds of information that St Vincent’s Health Network may collect about you and how that information is held;
  2. how St Vincent’s Health Network collects and holds personal information;
  3. the purposes for which St Vincent’s Health Network collects, holds, uses and discloses personal information;
  4. how you can access the personal information St Vincent’s Health Network holds about you and seek to correct such information; and
  5. the way in which you can complain about a breach of your privacy and how St Vincent’s Health Network will handle that complaint.


Mission and Strategic Fit

In line with St Vincent’s Health Network’s Mission and Values, this policy ensures that individuals are treated with compassion and empathy; and that their personal and health information is protected in accordance with the relevant privacy legislation.

 

Collection and use of personal information

Typesof personal information collected by St Vincent’s Health Network

St Vincent’s Health Network will only collect information which is necessary to provide you with health care services or appropriately manage and conduct our business. This may include (as applicable):

  1. Patients/residents/clients/research participants

    St Vincent’s Health Network collects information from you which is necessary to provide you with health care services or to enable you to participate in research studies. This includes collecting personal information such as your name, address and contact details, your health history, family history, past and current treatments, lifestyle factors, and any other information which is necessary to assist the health care team in providing appropriate care, or our research team in conducting its research.

  2. VMOs, students, contractors and volunteers

    St Vincent’s Health Network collects information from you which is necessary to properly manage and operate its business. This includes collecting personal information such as your name, address and contact details, professional experience, qualifications and past employers, and any other information which may be necessary to appropriately conduct its business.

  3. Job applicants

    St Vincent’s Health Network collects information from you which is necessary to assess and engage job applicants. This includes collecting personal information such as your name, address and contact details, professional experience, qualifications, references and past employers, and any other information which is necessary to process your job application.

  4. Donors

Where you have consented, St Vincent’s Health Network collects information from you for the purposes of fundraising and managing donations. This includes collecting personal information such as your name and address and any other information required to process your donation.

How we collect personal information

We will usually collect your personal information directly from you, however, sometimes we may need to collect information about you from third parties, such as:

  1. relatives;
  2. another health service provider;
  3. past employers and referees; or
  4. related entities.
  5. We will only collect information from third parties where:
  6. you have consented to such collection;
  7. such collection is necessary to enable us to provide you with appropriate health care services (such as in the case of an emergency medical treatment);
  1. such collection is reasonably necessary to enable us to appropriately manage and conduct our business (such as in assessing applications for accreditation from VMOs); or
  2. it is legally permissible for us to do so.

How St Vincent’s Health Network uses your personal information

St Vincent’s Health Network only uses your personal information for the purpose for which it was collected by St Vincent’s Health Network (primary purpose), unless:

  1. there is another purpose (secondary purpose) and that secondary purpose is directly related to the primary purpose, and you would reasonably expect, or St Vincent’s Health Network has informed you, that your personal information will be used for that secondary purpose;
  2. you have given your consent for your personal information to be used for a secondary purpose; or
  3. St Vincent’s Health Network is required or authorised by law to use your personal information for a secondary purpose (including for research and quality improvements both within St Vincent’s Health Network and in collaboration with NSW Health Organisations).

For example, St Vincent’s Health Network may use your personal information to:

  1. provide health care services to you;
  2. provide any ongoing health related services to you;
  3. appropriately manage our business, such as assessing insurance requirements, conducting audits, and undertaking accreditation processes;
  4. assist it in running our hospital business, including quality assurance programs, billing, improving its services, implementing appropriate security measures, conducting research and training personnel;
  5. where required, effectively communicate with third parties, including the NSW Ministry of Health, NSW Health Organisations, Medicare Australia, private health insurers and Department of Veterans’ Affairs; and
  6. carry out fundraising activities (where you have consented).

Complete and accurate details

Where possible and practicable, you will have the option to deal with St Vincent’s Health Network on an anonymous basis or by using a pseudonym. However, if the personal information you provide us is incomplete or inaccurate, or you withhold personal information, we may not be able to provide the services or support you are seeking, or deal with you effectively.

CCTV

St Vincent’s Health Network uses camera surveillance systems (commonly referred to as CCTV) in some areas for the purposes of maintaining safety and security of its patients, personnel, visitors and other attendees. Those CCTV systems may also collect and store personal  information and St Vincent’s Health Network will comply with all privacy legislation in respect of any such information.

 

Disclosing your personal information

Disclosure of your personal information

St Vincent’s Health Network will confine its disclosure of your personal information to the primary purpose for which that information has been collected (eg, the provision of health care), or for a related secondary purpose. This includes when disclosure is necessary to provide services to you, to assist us in running our organisation, to facilitate the provision of quality and efficient public health care services in NSW (noting St Vincent’s Health Network is an Affiliated Health Organisation with facilities which provide public health services pursuant to a Service Agreement with NSW Health), or for security reasons.

We may provide your personal information to:

  1. Third parties involved in your care, including healthcare professionals outside of St Vincent’s Health Network, such as:
    1. pathologists and radiologists who have been asked to undertake diagnostic testing;
    2. senior medical experts and specialists who have been asked to assist in diagnosis or treatment;
    3. other health professionals involved in an individual’s furthertreatment (such as general practitioners, physiotherapists and occupational therapists);
  2. Government agencies, such as Defence or Department of Veterans Affairs, where an individual is receiving services with St Vincent’s Health Network under arrangements with those agencies;
  3. Government departments responsible for health, aged care and disability where St Vincent’s Health Network is required to do so;
  4. NSW Health Organisations, where St Vincent’s Health Network is required to do so, or where this is necessary to facilitate the provision of quality and efficient public health care services in NSW;
  5. My Health Record, if you are registered in the My Health Record system (unless you request that a particular document not be uploaded to your My Health Record);
  6. third parties contracted to provide services to St Vincent’s Health Network, such as entities contracted to assist in accreditation or survey processes;
  7. any of the Related Entities listed in the Definitions section;
  8. research institutions and sponsors with which St Vincent’s Health Network collaborates;
  9. private health insurance providers and Medicare Australia;
  10. anyone authorised by you to receive your personal information including relatives, close friends, guardians (unless St Vincent’s Health Network has been informed otherwise and your consent may be express or implied);
  11. fundraising institutions associated with St Vincent’s Health Network, including St Vincent’s Curran Foundation, where you have consented;
  12. anyone St Vincent’s Health Network is required by law to disclose your personal information to which may include NSW Police, NSW Ombudsman, NSW Ministry of Health, NSW Health Organisations, Privacy Commissioner, the Health Care Complaints Commission,and the Coroners Court of NSW.

Third party service providers

Where permissible under the privacy laws we may disclose personal information to external service providers who may use, process and store that information overseas. For example:

  1. we utilise an Australian service provider to provide a digital dictation service and that service provider locates its servers in the United States of America; and
  2. We use overseas service providers to help us provide and improve our services (for example, by hosting data, facilitating payments, tracking website use). These providers may be located in Europe or other international locations which have differing privacy obligations. Where possible, we will take reasonable steps to try to ensure these overseas providers comply with Australian privacy legislation.

Data storage, quality and security

Data quality

St Vincent’s Health Network will take reasonable steps to ensure that your personal information which is collected, used or disclosed is accurate, complete and up to date.

Storage

All personal information held by St Vincent’s Health Network is stored securely in either hard copy or electronic form.

Data security

St Vincent’s Health Network strives to ensure the security, integrity and privacy of personal information, and will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. St Vincent’s Health Network reviews and updates (where necessary) its security measures  in light of current technologies.

Online transfer of information

While St Vincent’s Health Network does all it can to protect the privacy of your personal information, no data transfer over the internet is 100% secure. When you share your personal information with St Vincent’s Health Network via an online process, it is at your own risk.

There are ways you can help maintain the privacy of your personal information, including:

  1. always closing your browser when you have finished your user session;
  2. always ensuring others cannot access your personal information and emails if you use a public computer; and
  3. never disclosing your user name and password to third parties.

Notifiable Data Breaches

Breach legislation

The passage of the Commonwealth Privacy Amendment (Notifiable Data  Breaches) Act 2017 (Cth) established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Privacy Act 1988 (Cth) (which may include the related entities) to notify any individuals likely to be at risk of serious harm by a data breach. In some cases, the Office of the Australian Information Commissioner (OAIC) must also be notified of the data breach. Please note the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) prescribes timelines for the notification process to the OAIC.

Data Breach Response Plan

SVHA has established a Data Breach Response Plan that details how SVHA Group Entities, including St Vincent’s Health Network, must deal with any instance where there has been a potential or actual breach of personal information held by SVHA in either electronic or hard copy form. The Data Breach Response Plan includes information on the assessment and reporting of a data breach, the convening of a Data Breach Response Team and details on the communication processes to be undertaken following a breach.

All staff must familiarise themselves with the Data Breach Response Plan and its processes and ensure the plan is followed whenever a data breach is suspected or discovered.

Use of cookies

A ‘cookie’ is a small data file placed on your machine or device which lets St Vincent’s Health Network identify and interact more effectively with your computer. While cookies allow a computer to be identified, they do not contain personal information about a specific individual.

Cookies are industry standard and are used by most websites, including those operated by St Vincent’s Health Network. Cookies can facilitate a user’s ongoing access to and use of a website. Cookies allow St Vincent’s Health Network to customise our website to the needs of our users. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. However, cookies may be necessary to provide you with some features of our on-line services via the St Vincent’s Health Network website.

Links to other sites

St Vincent’s Health Network may provide links to third party websites. These linked sites may not be under our control and St Vincent’s Health Network is not responsible for the content or privacy practices employed by those websites. Before disclosing your personal information on any other website, we recommend that you carefully read the terms and conditions of use and privacy statement of the relevant website.

Accessing and amending your personal information

You have a right to access the personal information which St Vincent’s Health Network holds about you. If you make a request for access to your personal information, we will ask you to verify your identity and specify the information you require.

You may also request St Vincent’s Health Network make an amendment to any of your personal information if you consider that it contains information which is incomplete, incorrect, out of date, or misleading. St Vincent’s Health Network will consider your application and will respond in accordance with the privacy law.

You can contact St Vincent’s Health Network about any privacy issues as follows:

By telephone via the Hospital Switchboard (02 8382 1111) and ask to speak with the Privacy Officer
By mail addressed To the Attention of the Privacy Officer, St Vincent’s Health Network, 390 Victoria Street Darlinghurst NSW 2010
By email addressed To the Attention of the Privacy Officer at SVHS.Feedback@svha.org.au 

While St Vincent’s Health Network aims to meet all requests for access to personal information, in a small number of cases and where permitted to do so by law, St Vincent’s Health Network may not give access or may do so only under conditions.

Subject to applicable laws, St Vincent’s Health Network may destroy records containing personal information when the record is no longer required by St Vincent’s Health Network.

Complaints

If you have a complaint about St Vincent’s Health Network’s information handling practices or consider we have breached your privacy, you can lodge a complaint with:

  1. The Privacy Officer, on the contact details listed above; or
  2. the Office of Australian Information Commissioner.

St Vincent’s Health Network deals with all complaints in a fair and efficient manner.

Compliance:

Chief Executive Officer

The Chief Executive Officer must ensure that all people falling within the scope of this policy:

  1. are familiar with the St Vincent’s Health Network Privacy Policy and NSW Health Privacy Manual for Health Information;
  2. have access to appropriate privacy training;
  3. have access to and are provided with appropriate material about their privacy obligations.

Privacy Officer

The Privacy Officer:

  1. acts as a point of contact for staff and members of the public for matters related to privacy;
  2. serves as a focal point for all personnel matters related to privacy and StVincent’s Health Network;
  3. acts as point of contact with the NSW Ministry of Health for matters related to privacy.

Managers and Supervisors

Managers and supervisors should:

  1. provide leadership and direction to ensure that the NSW Health Privacy Manual for Health Information is effectively implemented in their area of responsibility;
  2. monitor the quality and effectiveness of management and use of personal and health information and take appropriate action to address any risks, gaps and shortcomings;
  3. ensure personnel responsible for the management and use of personal and health information have the skills and support they need to effectively comply with the Privacy Act and associated legislation;
  4. include privacy provisions in policies, procedures and service project plans, wherever appropriate.

Staff

All staff should:

  1. implement and comply with the Privacy Act, St Vincent’s Health Network Privacy Policy and, where applicable, the NSW Health Privacy Manual;
  2. report potential or actual breaches, risks or other issues that may occur in relation to personal and health information.

For SVHS Annual Privacy Report, CLICK HERE