ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

Transcription

1 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal information collected via the College website. It addresses the necessary Australian legislation but applies to NZ as well subject to any further obligations placed on the College by NZ legislation. Personal information means information or an opinion about an individual whose identity is apparent or can be ascertained from the information or opinion. 2. KEYWORDS Privacy, information, collection, disclosure, access. 3. BODY OF POLICY The Royal Australasian College of Surgeons is committed to ensuring the privacy of individuals, in accordance with applicable privacy legislation, such as the 2014 Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and the Information Privacy Principles contained in the Privacy Act 1993 (NZ). When information is collected directly from individuals the College may provide further relevant privacy information to the individual at the point of collection, in which case, such information should be read in conjunction with this policy. In order for the College to effectively fulfil its principal roles as a provider of surgical training, a Fellowship organisation and an employer it is necessary for the College to collect personal information from people participating in these activities. The College may collect personal information about Fellows, Trainees, International Medical Graduates, applicants for registration, suppliers, conference delegates, staff and other individuals who interact with the College. This information includes name, address, phone number, and address, and may also include other personal information and financial information. The collection of this information facilitates the provision of College services such as training and scholarships, enables the College to procure goods and services from suppliers and generally interact with third parties, allows the College to contact individuals and others and ensures access to member only services on the College website. Functions of the College may necessitate the disclosure of personal information to related or joint service providers. Reasonable effort will be made to inform the individual of the type of personal information held, the purpose for which information is collected, and the type of individuals and organisations to whom it is usually disclosed. Personal information will be collected for primary and secondary purposes (as referred to in this policy), and disclosed in connection with those purposes and where required or authorised by law or otherwise where permitted by the privacy legislation. One College employee (usually the PA to the and Director, Relationships & Advocacy) will act as the College Privacy Officer. This individual will have undergone appropriate privacy training and be the primary College source of information regarding privacy matters. In consultation with the College Chief Executive Officer, the Privacy Officer may refer matters forlegal advice for complex privacy enquiries. An individual may contact the Privacy Officer on telephone or at [email protected]. Page 1 of 10 Review Date: July 2017

2 3.1. Collection The College will only collect personal information from individuals when it is reasonably necessary for the functions or activities of the College, and all such collection will be subject to this policy and any other notifications. The information collected will depend on the individual s relationship with the College. Sensitive information will only be collected if the individual gives consent, or if it is required or authorised by law. Sensitive information means information about an individual s attributes, such as racial or ethnic origin, membership in a political, professional or trade association or union, sexual orientation or criminal record. It also includes health information. The College has certain obligations when collecting personal, health and sensitive information about individuals. Generally, the College is required to take reasonable steps in the circumstances to inform individuals of: the identity and contact details of the College; the purpose for which the College is collecting their personal information; the names and types of organisations to which the College usually discloses information of that kind; the consequences to the individual of not providing the information; and how the individual can access and correct the information held by the College. The College must also make sure that personal information is collected in a fair and lawful way and stored securely. The College must also take reasonable steps to ensure that the personal information held is accurate, up-to-date and relevant. When collecting personal information, the College may require individuals to give additional acknowledgements concerning the collection of such information, although the absence of additional statements does not preclude or limit the operation of this policy Web information collection Without limiting the means by which information is collected by the College, the usage analysis software used by the College in connection with the College website records (amongst other things) Unique visitors and sessions; Requested pages, downloads, search terms used, posted forms, status and errors, hits and bytes downloaded per directory, file, and file type; Entrance pages, exit pages, click paths, click to and click from and length of session; Domains, Countries, and IP addresses; and Browsers, platforms, and robots. The statistics are de-identified at the time of recording. This information is used for administrative purposes, including to improve and assess services, and to monitor usage patterns in order to improve navigation and design features - helping users to get information more easily. The College website will also use cookies to manage login and logout. Page 2 of 10 Review Date: July 2017

3 3.2. Use Unsolicited personal information If the College receives personal information it did not solicit, the information will be analysed whether it could have been collected lawfully under privacy legislation and if so it will be retained. If it is retained, the College must generally inform the individual about the matters listed in clause 3.1 above, taking reasonable steps in the circumstances to do so. Otherwise, such unsolicited information will be destroyed, subject to any legal requirements to the contrary. In general, if the College receives unsolicited information from a third party which does not relate to the functions or activities of the College or members/people who have regular contact with the College in connection with its activities, the College will destroy or de-identify the information if lawful to do so. The College collects personal information for a number of purposes (being the primary purposes of collection), including: to provide membership services and benefits and maintain membership and service/benefits records; to assist, support, provide and improve continuing professional development and education and training; to enable planning, policy and service development and to market, advertise or otherwise promote the College, including to inform individuals of special offers or additional services provided by the College; to monitor and investigate conduct; to implement, monitor and maintain quality assurance processes and systems, as well as processes and systems concerning regulatory matters, registrations, accreditation, audits, risk and claims management (including dealings with insurers); to procure funding, donations or other support for the activities of the College; to recruit suitable applicants to vacancies within the College to enable internal administration, training, assessments and reviews; to provide or undertake any of the other activities referred to in this policy; and to conduct or facilitate research or surveys for purposes related to the College, surgery and/or one or more of the above. Information may also be used for secondary purposes which directly relate to the primary purpose of collection or any other purpose which is authorised by the individual or which are required or authorised by law. For example, if an individual completed a form to register for the Annual Scientific Congress the College may use the individual s contact details for the purposes of issuing a Congress Program. Page 3 of 10 Review Date: July 2017

4 If an individual does not supply information to the College, the College may not be able to deal with them or adequately provide services, in which case, additional requirements and conditions may be notified by the College Adoption and use of Government related identifiers The College will not use Government related identifiers to identify individuals unless legislated by law Disclosure The College will only disclose personal information for the primary purpose for which it was collected, for a secondary purpose if it directly relates to the primary purpose or for any other lawful purpose. The College does engage third parties to perform certain business functions. Therefore, it is sometimes necessary to disclose personal information to those suppliers. Disclosures may also be made to other third parties, including: the College s consultants, auditors, lawyers, contractors and contracted staff or service providers that provide goods or administrative or other services in connection with the activities of the College; entities and institutions who provide services or undertake activities in conjunction with or in association with the College; regulatory authorities and bodies, professional or specialist societies and associations, hospitals and health centres and relevant complaints tribunals and government departments and agencies; where the College collects an individual s information from someone else, or another entity, then that person or entity; where the law requires or permits the College to do so (such as to law enforcement agencies); and an individual s agent (with an individual s authority). Where disclosure takes place, the College seeks to ensure that personal information is handled appropriately. All specific requests for information from a third party (including a specialty society) must be documented. Occasionally the College may consider acceding to such a request depending on its merit. In assessing the merit of the request the College will consider matters including: I. Who is requesting the information? II. III. IV. What type of information is being sought? In what form? Individual names, numbers? Why is the information being requested? When is the information required? V. Where will the information ultimately reside? VI. VII. VIII. What is the value to Fellows/Trainees of granting the request? Is the disclosure permitted? Is an opt out option supplied as part of the information? Page 4 of 10 Review Date: July 2017

5 In general, the College will not accept requests to market products or to advertise training courses directly to Fellows and Trainees and will therefore not disclose contact information to organisations requesting its use for these purposes. If staff are unsure about the request in relation to this policy they should seek direction from the Director of the area that owns the requested information. If it is a repeat request whereby it has been established that release of the information is in alignment with this policy then it is not necessary to confirm with your Director or Manager. If there is any doubt, the matter can be referred to the College s Privacy Officer Refusal 3.4. Storage and Security When access to personal information held by the College has been denied to a person or organisation then if practical and reasonable some suggestions or assistance may be offered to find an alternative source of information. The College stores personal information either electronically or in hard copy. The College has comprehensive and secure record-keeping systems. The College takes reasonable steps to protect personal information from unauthorised use, access, disclosure and alteration. Staff must comply with this policy. IT protection systems and internal procedures are also utilised to protect the personal information held by the College. This includes the website where the College endeavours to ensure the website is secure through the use of firewalls. The College may store electronic information on remote servers or in the cloud directly or through contracted agencies (such as payroll companies) in Australia and New Zealand. In such instances, the College has performed due diligence and is satisfied that adequate security measures are in place by any third party organisations and their privacy policy guidelines are compatible with our requirements. Personal data is maintained under strict security and is only to be accessed internally by those College employees who require access as part of their role or to complete a task. Information will be held until there is no longer a need or obligation to retain it, after which time it will be deleted, destroyed or de-identified. E-payment security on our site is achieved through encryption and system design. Additionally, the e-payment system does not store customers' credit card details on a server or database. These payments are processed in the United States Correction The College seeks to maintain the accuracy of personal information. Individuals are encouraged to contact the College if the information held is incorrect or to notify the College if personal information has changed (reference should also be made to any additional Collection Statements). This should be directed to the appropriate department that routinely manages that data. If any updates to information are refused by the College, the reason for the refusal must be supplied where it is reasonable to do so and provide information regarding the complaints process. Changes to personal details can also be made on the College website by the individual. Page 5 of 10 Review Date: July 2017

6 3.6. Access An individual may contact the Privacy Officer at any time to access personal information about themselves. They will be required to provide their request to access this information in writing. Access will be provided unless the request is unreasonable or the applicable privacy laws permit or require the College to decline that access. If access is denied, the College must provide an explanation for the refusal where it is reasonable to do so and provide information regarding the complaints process. As permitted by law, a fee may be requested to cover the cost of access. Regarding the web, the College will not knowingly make an attempt to identify users or their browsing activities. However, in the unlikely event of an investigation, a law enforcement agency or other government agency may exercise its legal authority to inspect the College s Internet Service Provider's logs, and thus gain information about users and their activities. Website users who have login access can view and change their personal details online Specialist Assessment The College is involved in the assessment of international medical graduates surgical training, qualifications and experience, and the Australian Medical Council (AMC) discloses applicants personal information to the College for this purpose. For example, applicants for assessment for Area of Need specialist positions disclose personal information to both the AMC and the College in parallel. Without limiting the scope of the authorised uses, the College may need to clarify this information with external institutions or individuals, and gather additional information in order to complete the assessment. Information may also be sought from any area of the College including the New Zealand National office. As part of the specialist assessment process, the College s recommendation(s) will be provided to the AMC and, in the case of Area of Need specialist assessments, to the relevant Medical Board of Australia. The College may also disclose personal information where required to do so by law Fellows and Trainees Without limiting the generality of section 3.2, personal information about Fellows and Trainees is used to conduct College business, including for the purpose of training and assessment and for continuing professional development. Information may, without limitation, be disclosed to external suppliers and surgical Societies and Associations of which the individual is a member. Requests from non-commercial external organisations (government agencies, hospitals, health departments and health agencies eg. AMC, AMWAC, ACCC, NGOs) for letters confirming a Fellow s standing with the College will only released if a Fellow is compliant in the Continuing Professional Development (CPD) program. General information may be provided to members of the public if enquired as to the fellowship status of a Fellow. Where the College collects information about membership of other professional associations, this information will not be disclosed without consent. Personal information may be disclosed where required by law. Further information regarding the use and disclosure of personal information may be provided at the point of collection Enquiries by the public regarding a Fellow or Trainee a. Enquiries regarding a Fellow Page 6 of 10 Review Date: July 2017

7 3.9. External suppliers The College website makes available the Find a Surgeon and Practice Card facility. The Find a Surgeon and Practice Card directory is a listing of Fellows of the College who meet the requirements of the College's Continuing Professional Development program and have opted to be on the list. Information retrieved by the Find a Surgeon directory on the College website will, unless notified otherwise, be limited to the practice address, phone, specialty, areas of practice and website URL of Fellows who are listed. The Practice Card listing has the same information retrieved by the Find a Surgeon directory, with additional information completed by the Fellow responsible. Further, the College regularly receives queries from the public requesting confirmation of the status of a Fellow. The College is able to advise that a surgeon has been awarded Fellowship of the College and the specialty practiced. The address of the practice and CPD compliance status may also be provided. It is important that the recipient of this information is aware that it is a confirmation of the status of a Fellow and not an endorsement. If applicable, defined scope of practice will be noted. No other information on a Fellow may be divulged. Other enquiries (e.g. a query to Finance from a practice manager or spouse concerning subscriptions) are difficult to categorise into a clear yes or no and must be assessed on a case-by-case basis. The principles about disclosure will require an assessment of the primary purpose for which the relevant information was collected and of related secondary purposes. The Privacy Officer is available to advise on these issues. b. Enquiries regarding a Trainee The College is able to confirm that a Trainee is registered as a surgical Trainee. Unless otherwise agreed, the College will not publicly publish names of Trainees who have successfully completed an examination or components of their training. Trainees will be identified by a number or some other anonymous medium. The College discloses information to external suppliers when entering into transactions for the purpose of College business. Failure to provide this information may impede the process of transacting business. Information supplied in such circumstances is disclosed to suppliers for the contracted purpose. Failure to act in accordance with this policy and other contractual obligations may result in termination of the relationship with the College Non-commercial external organisations (government agencies, hospitals, health departments and health agencies eg. AMC, AMWAC, ACCC, NGOs) Requests from these organisations should be channelled to the appropriate Director. The College publishes reports and information on its selection, training and accreditation activities and international medical graduates assessment as well as Page 7 of 10 Review Date: July 2017

8 general information on surgical workforce on the College website and requestors should be referred to them. The primary source for workforce and training information is the College s Activities Report. Most requests can be handled by reference to this report. In the ordinary course, ad hoc reports on College activities and data will not be provided without approval of the Chief Executive Officer Requests from the media These are covered in the College Delegations Policy and are usually referred to the President or a member of the College Council or the Chief Executive Officer. It is important that information provided to the media is carefully constructed and not be detrimental to the College, or individual Fellows or Trainees. No member of staff, unless specifically authorised to do so, can make public statements on behalf of the College to the media. Exceptions include the Dean of Education and the Executive Directors of Surgical Affairs in Australia and New Zealand Requests for information regarding staff Personal information related to staff members may not be divulged unless consent is received from the staff member (or disclosure is authorised or required by law). Without limitation, a staff member can authorise the Department of Human Resources to release information pertaining to their employment in relation to enquiries from credit agencies, real estate agents and banks. All staff have access to their own personnel files. All Managers and Directors have access to files on their staff. Human Resources may release information on staff to the appropriate statutory authority, e.g. Australian Taxation Office, New Zealand Inland Revenue Department The College website and publications Information on the College website is public and if names, photos or any identifier of a Fellow or Trainee are published then consent for this must be obtained (express or implied). This also applies to College publications. See also the Website - Photos Policy and the College s photo permission form Broadcast s All information related to broadcast s is contained in the College s ed Newsletter policy Complaints and concerns Any concerns about the College s handling of personal information should be directed to the Privacy Officer on or at [email protected]. Requests may be required in writing and resolution of concerns will be sought as promptly as possible in accordance with the Service Standards Manual. The websites of the Office of the Australian Information Commissioner and the office of the New Zealand Privacy Commissioner are an additional source of information and Changes to College Privacy Policy The College may modify or amend this policy at any time provided the policy still complies with applicable laws. Information will be held and used in accordance with the Privacy Policy, as amended from time to time. Formal notice of amendments will not Page 8 of 10 Review Date: July 2017

9 ordinarily be given, but the current Privacy Policy will be available via the College website or by contacting the College on Retention/destruction of Information Information is kept and disposed of in accordance with the College s Records Retention Schedule 4. ASSOCIATED DOCUMENTS Australian Privacy Principles set out in the Privacy Act 1988 (Cth) Privacy Principles contained in the Privacy Act 1993 (NZ) Research Facilitation Policy Privacy and information collection procedure Collection Statement form Website - Photos policy Photo permission form Sponsorship Policy ed Newsletter policy Office of the Privacy Commissioner - Approver Authoriser Chief Executive Officer Council Page 9 of 10 Review Date: July 2017

10 Page 10 of 10 Review Date: July 2017