This policy applies to the collection, retention and dissemination of personal information (whether past, present or future) obtained from individuals in the course of its business and is not limited to clients, their families or significant others.
Purpose and Objectives
The Bone Bus acknowledges and respects the privacy of individuals and protects the privacy of clients and their families, in line with relevant Commonwealth and State legislation. It is the policy of The Bone Bus that information is managed appropriately with regard to collection, security, storage, use and disclosure, as identified throughout all processes.
In abiding by the Australian Privacy Principles (APPs) and the Freedom of Information Act, The Bone Bus aims to provide effective and efficient services whilst respecting the confidentiality and privacy rights of the organisation’s clients and staff, and to clearly demonstrate The Bone Bus’ commitment to the wellbeing of all persons.
This Policy pertains to Personal Information and Health Information and excludes information about staff contained in Personnel Records.
Collection of personal information
The Bone Bus considers the collection of relevant personal data as fundamental to the provision of individualised quality care and relevant to performing our service. Information is collected throughout each phase of health intervention, treatment, and health research initiatives that often extend beyond the client contact. Collection may take the form of direct contact, telephone enquiries, email, internet and web interactions, surveys and other forms of communication.
Typically, the information collected by The Bone Bus includes but is not limited to:
• Telephone numbers
• Email addresses
• Personal details relating to items such as gender, date of birth etc.
• Emergency contact details
• Relevant medical, health & exercise histories
This information is only collected from individuals with their prior knowledge and consent and for the primary purpose for which it was collected.
Use of personal information
The main purposes for which The Bone Bus collects, holds and uses personal information are:
• to provide required services to its clients;
• to send our clients’ reports and results to them or their GPs;
• in responding to individual requests;
• to be able to maintain contact with clients and duly authorised persons such as doctors and personal trainers;
• provision of online email subscription services i.e. The Bone Bus’ email alert service;
• to comply with duties imposed by legislation.
Additionally, The Bone Bus may use personal information about individuals in marketing and promoting our services, including by email; however, individuals always have the opportunity to elect not to receive marketing materials or have their information used, by writing to or emailing The Bone Bus (email@example.com).
Use of aggregate data
When visiting The Bone Bus’ web site, a record is logged capturing the following non-personal information:
• the user’s server address and operating system (e.g. Windows, Mac etc.)
• the user’s top level domain name (e.g. .com, .gov, .au, .uk etc.)
• the type of browser used
This data is captured for statistical purposes only and enables the enhancement, optimisation and interaction of The Bone Bus’ web pages with different systems and web browsers.
At no stage does The Bone Bus attempt to identify users or their browsing activities, except in the unlikely event of an investigation by a law enforcement agency exercising its legal authority within the laws of Australia.
Cookies are pieces of information that a website can transfer to your computer when you access information on that site. Cookies can make websites easier to use by storing information about your preferences on a particular website. This information remains on your computer after you close your browser. The only exception is where session-specific cookies are used. These types of cookies are used for basic web metrics and only last until the browser is closed.
Individuals can choose to remove or block cookies by changing the settings within their browser – refer to the browser’s Help feature.
Disclosure of personal information
The Bone Bus does not disclose personal information to other third parties or organisations unless:
• use and disclosure is required under this policy
• is required or permitted by law
• prior consent has been given by the individual(s) concerned
• to reasonably protect the rights or safety of any member of the public or client(s) of The Bone Bus
The Bone Bus in the normal course of its operations does not provide personal information to third parties. Any information used for the purposes of research shall be de-identified and limited to items such as age, gender, body composition results or bone density results, and other generic information.
Security of personal information
The Bone Bus will take all reasonable steps to protect personal information collected, held and stored from misuse, interference, loss and unauthorised access whether it be in electronic or hard copy form. Destruction of personal records is performed in accordance with The Bone Bus’ Retention and Disposal of Records procedure. All personal information not actively being used is stored in accordance with the prescribed periods contained within legislative instruments.
Access to personal information
The APPs provide individuals with an enforceable right of access to their information held by The Bone Bus. All requests for access to information should proceed through The Bone Bus in writing to firstname.lastname@example.org. The Bone Bus will provide access to personal information held by it to an individual, provided it is authorised to do so, upon request. When making a request to access personal information we will require the individual to provide evidence of their right to access the information, unless otherwise previously provided. The Bone Bus will respond to all such requests within 30 days of the date upon which it was made. If The Bone Bus refuses to provide an individual with personal information it will do so stating why in writing within the above specified time frame. In providing the information, The Bone Bus may also charge a reasonable administrative fee to cover the access or provision of copies of the documentation requested.
Dealing with Data Breach
We will manage the process of dealing with an actual or suspected Data Breach in accordance with the Notifiable Data Breach (NDB) Scheme pursuant to Part IIIC of the Privacy Act.
An NDB will be considered to have occurred when the following three criteria are satisfied:
• We:
1. suffer a Data Loss, meaning accidental or inadvertent loss of Personal Information likely to result in Unauthorised Access or Unauthorised Disclosure (i.e. a laptop containing Personal or Sensitive Information is lost or stolen). If the data that is the subject of the Loss can be deleted remotely or is encrypted, it will not constitute an NDB; or
2. suffer or are suspected to have suffered an Unauthorised Disclosure, meaning we release or make visible Personal or Sensitive Information in a way not permitted by the Privacy Act (i.e. an email is sent to the wrong address or an employee accidentally publishes a confidential data file containing personal information on the internet); or
3. suffer or are suspected to have suffered an Unauthorised Access, meaning Personal or Sensitive Information is accessed by someone who is not permitted to have access (i.e. a database is hacked by a third party);
• The Data Loss, Unauthorised Access or Unauthorised Disclosure is likely to result in serious harm to a person to whom the Personal Information relates; and
• We have not been able to prevent the likely risk of serious harm.
Within 30 days of a suspected Data Breach occurring, we will assess the breach to determine if it is likely to cause serious harm, using the NDB Scheme list of relevant matters, including:
• The sensitivity of the Personal Information or Sensitive Information (i.e. loss of medical records or details of sexual orientation would be more likely to be assessed as capable of causing Serious Harm);
• The type of Personal Information or Sensitive Information (ie loss of credit card numbers or drivers’ licences may be more likely to result in serious harm);
• Whether security matters, such as encryption, protect the Personal Information following the Data Breach thereby limiting the likelihood of Serious Harm; or
• The nature of the harm (i.e. credit card details being released are more likely to have serious and immediate consequences than other information).
We will take all reasonable steps to ensure an assessment is completed within 30 days and a notification submitted to the Office of the Australian Information Commissioner (OAIC).
As soon as is practicable after a Notifiable Data Breach is confirmed, we will provide a statement to each individual whose data was breached or who is at risk, including details of the breach and recommendations of the steps you should take in the circumstances.
Additionally, where we collect and/or hold Health Information (within the meaning of section 6 of the Health Records and Information Privacy Act 2002 (Cth)) as a result of our contractual relationships with Health Provider Organisations (being those organisations that are a health service provider or that collect, hold or use health information and are required to comply with the Health Records and Information Privacy Act 2002 (Cth)), we will treat Health Information in compliance with the Privacy Act and all applicable State and Territory legislation governing privacy of Health Information. We will only use or disclose health information for the purpose for which it was collected or a directly related purpose that is expected.
In the event of a Data Breach or suspected Data Breach, we will provide the Health Provider Organisation, within 14 days of the Data Breach or suspected Data Breach, with:
• The identity and contact details of the relevant client/s of the Health Provider Organisation (if identifiable by us);
• A description of the data breach;
• The kinds of information concerned (if identifiable by us);
• Recommendations about the steps that those affected should take in response to the data breach; and
• Steps taken by us to secure our systems against further breach.
Unless otherwise agreed between us and the Health Provider Organisation in writing, we will not identify whether the Data Breach is an NDB in circumstances where we are in possession of Health Information as a result of providing services to a Health Provider Organisation. The Health Provider Organisation will be responsible for making an assessment as to whether the Data Breach constitutes an NDB and to report the NDB in compliance with the NDB Scheme.
We are not otherwise bound by the privacy policies and procedures of Health Provider Organisations unless we have had prior notice of the same and provided written acceptance of those policies and procedures to the Health Provider Organisation.
Corrections and concerns
If you believe information held by The Bone Bus is incorrect or out of date please contact us in writing to email@example.com to have the record amended or corrected.
If you wish to have personal information held about you deleted, we will require this request be made in writing, unless The Bone Bus is required to maintain such records as prescribed in legislation or for litigation purposes.
Specific complaints or concerns relating to the handling of personal information may be referred internally to The Bone Bus COO Jarrod Meerkin (firstname.lastname@example.org) or externally to the New South Wales Privacy Commissioner.
Office of the Australian Information Commissioner GPO Box 5218 Sydney NSW 2001 Tel: 1300 363 992, email@example.com