Healthcare Australia’s Commitment to Privacy
Healthcare Australia Pty Ltd, its subsidiaries and affiliates in Australia (collectively referred to as HCA) are committed to managing personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act) and in accordance with other applicable privacy laws.
Healthcare Australia (HCA) is a diversified healthcare provider. Through its workforce of healthcare professionals, the business:
- provides staffing solutions (nurses of all levels, support workers and doctors) to large hospital groups, residential care facilities, disability support providers and governments
- supports residential aged care residents directly by providing a range of allied health services
- provides direct care to aged and disabled Australians in their homes through the NDIS and Home Care program
- works with governments and corporates on initiatives such as annual flu and covid vaccinations, and emergency response projects such as Covid 19 travel hotel health management and flood response projects

The above activities are herein referred to as the “HCA Services”.
What information does HCA collect about you?
Clients and prospective clients
When you enquire about our services or when you become a client of HCA, a record is made which includes your personal information. Information collected and retained by HCA generally includes, but is not limited to, personnel records and information, medical records and information, and electronic media and communication.
The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us. Where relevant, we may also collect your medical or health information (discussed further below).
We collect personal information when recruiting personnel, such as your name, contact details, qualifications, work history, your next of kin or your primary contact. Generally, we will collect this information directly from you.
We may also collect personal information from third parties in ways which you would expect. Before offering you a position, we may also collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions (for example, positions that require extra qualifications or a working with children check). Sources of information could include, for example, recruitment agencies or referees you have nominated, AHPRA, CrimTrac, Company Insurers, Regulators, Government Agencies (e.g. Australian Tax Office, Social Security, Department of Foreign Affairs etc.), Law enforcement, Legal Firms, Business partners and Clients, Medical Practitioners and Medical Facilities (e.g. Hospitals), Courts and Tribunals.
HCA may collect personal information about other individuals who are not clients or employees of HCA. This includes customers and members of the public who participate in events we are involved with; agencies, individual service providers and contractors to HCA; and other individuals who interact with HCA on a commercial basis. The kinds of personal information we collect will depend on the capacity in which you are dealing with HCA. Generally, it would include your name, contact details (including email, phone number and street address where relevant), financial details, date of birth, and information regarding our interactions and transactions with you. Where relevant, we may also collect your medical or health information.
If you are participating in an event we are managing or delivering, or enter premises we own or manage, we may take images or audio-visual recordings which identify you (subject to applicable law).
In limited circumstances, HCA may collect information which is considered sensitive information.
You can always decline to give HCA any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about personal information we have requested, please let us know.
Visitors to our websites
The way in which we handle the personal information of visitors to our websites is discussed below.
Medical Records and Information
HCA collects medical “sensitive” information about its Clients or Employees where it is lawful to do so. The information may relate to compulsory and/or elective inoculations, medical restrictions, medical reports, sick leave absenteeism, and workers compensation reports from medical practitioners and/or agents of the respective regulator.
HCA collects medical “sensitive” information about its clients directly related to HCA’s function or activities (e.g. direct care – medical, allied, personal care). This information may relate to current and past medical history, medications, past surgeries/operations, medical reports, current level of functioning and support/assistance required.
In concert with the HCA general standards that apply to Private Information, more rigorous controls on the collection, holding and disclosure of sensitive medical information are required; see the HCA Confidentiality and Access to Patient Information Directive.
The information collected and held includes, but is not limited to: Identifying information, Residential information, Medical history/records, Medications and regimes, Medical certificates, Certificates of Capacity, Medical Reports and Assessments, Summaries of claim information, Claim reports. What is not collected is the individual’s Medicare number.
How and why does HCA collect and use your personal information?
HCA collects personal information reasonably necessary to carry out our business, to assess and manage our clients’ needs, and provide the HCA Services. We may also collect information to fulfil administrative functions associated with the HCA Services, for example billing, entering into contracts with you and/or third parties and managing client relationships.
The purposes for which HCA usually collects personal information depends on the nature of your interaction with us, but may include recruitment and/or employment, responding to requests for information and other general inquiries, managing, planning, advertising and administering the HCA Services, managing, planning, advertising and administering programs, events etc., researching, developing, and expanding HCA facilities and the HCA Services, responding to enquiries and complaints.
HCA generally collects personal information directly from you. We may collect this information over the phone, by email, over the internet, via an app, or in person.
We may also collect personal information about you from other sources, for example:
- recruitment agencies or referees you have nominated, AHPRA, CrimTrac, Company Insurers, Regulators, Government Agencies (e.g. Australian Tax Office, Social Security, Department of Foreign Affairs etc.), Law enforcement, Legal Firms, Business partners and Clients, Medical Practitioners and Medical Facilities (e.g. Hospitals), Courts and Tribunals, our affiliated and related companies; and third-party suppliers and contractors who assist us to operate our business
How HCA collects and holds personal medical information
For Employees – The information is in the first instance provided by the employee through an application for employment, as part of ongoing certification and through an application for compensation.
For Clients – The information is in the first instance provided via a referral and directly from the client through an initial consultation. If further information is required from other sources (e.g. the client’s General Practitioner), this information is sought with the client’s consent. Records that relate to an employee’s employment are maintained in personnel records, either physical or electronic. Electronic personnel records and medical information are held in the Booking system, Elumina and in certain instances a physical file.
Collection, Retention and Disclosure of Medical Information (Purpose)
For Employees – The information obtained and retained generally relates to the individual’s professional requirement to declare certain medical information, e.g. inoculations, notifiable diseases, where the individual has a permanent medical restriction that impacts on their employment, a claim for compensation for injury at work, or a claim of bullying and harassment.
Only the information that is required for the individual’s employment and/or managing a claim of injury is disclosed to those for whom the information was intended, and the release of the information is authorised by the individual. In respect of workers compensation claims, the application for workers compensation contains the declaration and authorisation to exchange information between HCA, the individual, their medical practitioners, rehabilitation providers, the insurers and the regulators.
The purpose for which the information is collected is to manage the individual’s recruitment processes and employment, to manage a claim of injury or adverse actions, or as required by law.
For clients – Information obtained and retained generally relates to the individual’s health, medical and functional status, level of impairments and impact, a claim for compensation or allowance (e.g. Lifetime Support Authority, Workers Compensation, National Disability Advisory Scheme), notifiable or communicable diseases, functional status and level of impairment.
Only information necessary for the direct delivery of services is disclosed to those who the information was intended for and the release of the information is authorised by the individual (e.g. personal care workers to undertake necessary care).
The purpose for which the information is collected is to manage the direct delivery of services to the individual, manage and support overall health and wellbeing, monitor clients’ wellbeing and health and identify any areas for concern/follow-up, determine the impact of service delivery on client outcomes, or as required by law.
How does HCA interact with you via the internet?
A cookie is a text string that is included with Hypertext Transfer Protocol (HTTP) requests and responses. Cookies are used to maintain state information as a user navigates between pages on a web site or returns to the web site at a later time. Cookies cannot be used to execute code (run programs) or deliver viruses to a computer.
Persistent vs. Session Cookies – Cookies are either stored in memory (session cookies) or placed on a hard disk (persistent cookies). HCA does use a persistent cookie for saving the login id (if the user selects this option) on the login screen. All cookies, whether persistent or session based, are encrypted using SSL.
- Log-on and log-off administration – Persistent cookies help with the log-on and log-off processes for those users who have decided to register to use one of our online services. The cookies enable us to recognise the user ID when a person logs on, so that the person does not have to re-type the user ID on each visit.
- Transactions and site usability – We use session cookies to improve how users navigate through our website and conduct transactions. For example, session cookies are used to maintain the online session as the user browses over several pages, and to store and pre-populate information so that the person does not have to enter the same information twice.
How to Access Cookies Settings in the Browser – Any person has the ability to enable or disable cookies, or have Internet Explorer or Opera prompt before accepting cookies. Note that disabling cookies may prevent some web services from working correctly, and disabling cookies does not make the person anonymous or prevent web sites from tracking their browsing habits. HTTP requests still include information about where the request came from (HTTP Referrer), the IP address, browser version, operating system, and other information.
Internet browsers can be configured to accept all cookies, reject all cookies or notify the user when a cookie is sent. Most browsers accept cookies by default.
Links to other sites
The HCA site contains links to other sites. We are ultimately not responsible for the privacy practices or the content of such web sites. We encourage you to read and understand the privacy policies on those websites prior to providing any information to them.
Some of the content appearing on the HCA website may be supplied by third parties, for example, by framing third party web sites or the incorporation through “framesets” of content supplied by third party application service providers. In such cases HCA will ensure that our contractual arrangements with these third parties protect personal information in compliance with privacy laws.
Search terms are collected by our search engine, but they are not associated with any other information that we collect. We use these search terms for the purpose of aggregated statistical analyses so we can ascertain what people are looking for on our website, and to improve the services that we provide.
We may use external companies to provide us with detailed aggregate statistical analyses of our website traffic. At no time is any personal information made available to these companies, nor is the aggregate information ever merged with personal information such as name, address, email address or other information that would be considered sensitive or would compromise the privacy of a person.
Can you deal with HCA anonymously?
HCA understands that where an individual chooses to not provide personal information when requested that is their entitlement, however we may not be able to deliver the service requested. We will endeavour to make this as clear as possible for each service.
If someone chooses to deal with us anonymously or using a pseudonym, this may affect our ability to provide services to our clients, and/or our ability to deal with issues that have been raised. While HCA will not demand that a notifier identify themselves, a refusal to give their name and contact details may mean that an investigation cannot be commenced or completed, any claims made may be less easy to establish, and it may be impracticable for the relevant national law entity to continue to deal with or contact an anonymous notifier.
How does HCA hold information?
HCA is committed to maintaining the trust of the persons it deals with by protecting and securing personal information.
We employ appropriate technical, administrative and physical procedures to protect personal information from unauthorised disclosure, unauthorised access, unauthorised modification, interference, loss, misuse, or alteration.
We limit access to personal information to individuals with a business need consistent with the reason the information was provided.
Where we amend a personal record or information, or add new personal information to a record, any redundant information or information history will be assessed for either destruction or de-identification. The exception is where the information is contained in a Commonwealth record, or the entity is required by or under an Australian law or a court/tribunal order to retain it; in that case it will be considered for archiving as per the archival legislation for records within the jurisdiction. Reasonable steps could include taking steps and implementing strategies to manage governance, IS security, data breaches, physical security, personnel security and training, workplace policies, the information life cycle, standards, regular monitoring and review.
Where HCA has identified information that is to be destroyed or de-identified, we will take reasonable steps to destroy or de-identify all copies of that personal information, including copies that have been archived or are held as back-ups.
Where HCA has records in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.
Where information is held in electronic form, reasonable steps to dispose of or destroy it will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely remove stored personal information with the use of drive scrubbers.
For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying the drive or disk the information is stored on, which may include secure shredding of the hard drive or other storage device.
Where it is not possible for HCA to irretrievably destroy personal information held in electronic format, we will take reasonable steps to de-identify the personal information, disable the application or put the information beyond use by taking steps including, but not limited to, the following:
- ensuring HCA is not able, and will not attempt, to use or disclose the personal information
- not giving any other entity access to the personal information
- isolating the personal information with appropriate technical and organisational security. This should include, at a minimum, access controls together with log and audit trails, and
- taking reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.
Where such information is on a third party’s hardware, such as cloud storage, where the organisation has instructed the third party to irretrievably destroy the personal information, reasonable steps would include taking steps to verify that this has occurred.
De-identification of personal information may be more appropriate than destruction, as de-identified information could provide further value or utility to HCA or a third party as part of its business analysis.
We keep personal information only for as long as it is required for business purposes or by the law.
HCA protects personal information by complying with Information Security Standards, Industry Schemes and Statutory obligations. We regularly conduct targeted internal and external audits on our security systems to validate the currency of our security practices.
Does HCA use or disclose your personal information for direct marketing?
From time to time HCA may use the personal information we collect to identify particular HCA products and services which we believe may be of interest to the owner of the information. We may then contact the owner of the information to let them know about the products and services and how they may benefit them. We will generally only do this with prior consent (where practical) and we will always give a choice to opt out of receiving such information in future. If you opt out of receiving marketing material from us, HCA may still contact you in relation to its ongoing relationship with you (where such contact is necessary to facilitate a Service).
Direct Marketing from HCA generally takes the form of Direct Mail, Electronic Marketing or Telemarketing. Each of these channels is handled as follows:
Direct mail – Where we use personal information to send marketing information via the post we may do so with implied consent or, if this is impracticable, we will ensure that the recipient is provided with an opportunity to opt out of receiving future such communications. If a clearly displayed “opt out” box is not ticked, we will assume we have implied consent to send similar marketing communications in the future. We will always ensure that our opt out notices are clear, conspicuous and easy to take up.
Electronic marketing – Where we use personal information to send marketing information by e-mail, SMS, MMS or other electronic means we may do so with express or implied consent. We may collect express consent by, for example, ticking a box on an electronic or paper form where we seek the permission to send the electronic or other marketing information. Consent may be implied from our existing business relationship or where there is a reasonable expectation of receiving an electronic marketing communication. Every directly addressed marketing contact sent or made by HCA will include a means by which customers may unsubscribe (or opt out) of receiving further marketing information.
Telemarketing – HCA does not usually engage in telemarketing activities to our consumer customers. Generally, such marketing is only used in relation to our business customers. Should any consumer telemarketing be undertaken or authorised by HCA, we will, to the extent that it applies, comply with the relevant legislation (see above). Every directly addressed marketing contact sent or made by HCA will include a means by which customers may unsubscribe from (or opt out of) receiving further marketing information, such as an unsubscribe option in email.
Additionally, a person may instruct us at any time to remove any previous consent that was provided to receive marketing communications from us. Requests should be directed to the HCA Privacy Contact Officer via the channels provided under ‘How to contact us’.
How does HCA use and disclose personal information?
We use the personal information for purposes consistent with the reason it was provided, or for a directly related purpose. We may also use personal information where required or permitted by law.
We may also use information where it has been provided to us with the express or implied consent of the owner of the information.
We do not share personal information with other organisations unless:
- the owner of the personal information provides express consent, or
- sharing is otherwise required or permitted by law, or
- this is necessary on a temporary basis to enable our contractors to perform specific functions. When we temporarily provide personal information to companies who perform services for us, such as specialist information technology companies, mail houses or other contractors to HCA we require those companies to protect personal information as diligently as we do. Strict contractual and other quality assurance measures are used to ensure personal information is protected.
We have a strict duty to maintain the privacy of all personal information we hold. However, certain exceptions do apply. For example, where disclosure of personal information is:
- authorised or required by law (e.g. disclosure to various government departments and agencies such as the Australian Taxation Office, CentreLink, Child Support Agency, or disclosure to courts under subpoena)
- in the public interest (e.g. where a crime, fraud or misdemeanor is committed or suspected and disclosure against the customer’s rights to confidentiality is justified)
- with consent – consent may be implied or express and it may also be verbal or written.
- HCA can disclose personal information (excluding sensitive information) to its other companies and brands where the purpose for sharing is related to the reason the personal information was originally collected. This excludes companies operating outside Australia.
Use and disclosure for administration and management
HCA will also use and disclose personal information for a range of administrative, management and operational purposes which may include:
- administering billing and payments and debt recovery;
- planning, managing, monitoring and evaluating our services;
- quality improvement activities;
- statistical analysis and reporting;
- training of staff, contractors and other workers;
- risk management and management of legal liabilities and claims;
- responding to enquiries and complaints regarding our services; and
- obtaining advice from consultants and other professional advisers.
Other uses and disclosures
Does HCA disclose your personal information overseas?
HCA is an Australian based organisation. However, HCA may transfer personal information to countries outside Australia (for example, when a candidate requests that a work application be lodged with one of our HCA international offices). We will only do so in compliance with all applicable Australian data protection and privacy laws and where the owner of the information is expressly informed and has consented.
HCA will take reasonable steps to protect personal information no matter what country it is stored in or transferred to. Those reasonable steps may include ensuring the recipient does not breach the APPs and/or that the recipient is subject to a similar law or binding scheme.
Disclosing personal information to an overseas recipient as required or authorised by law where a permitted general situation exists:
- Lessening or preventing a serious threat to life, health or safety
- Taking appropriate action in relation to suspected unlawful activity or serious misconduct
- Locating a person reported as missing
- Necessary for a diplomatic or consular function or activity
- Necessary for certain Defence Force activities outside Australia
How can you access or seek correction of your personal information?
A person who is able to confirm their identity has the right to request access to the personal information we hold about them. This right is subject to certain exceptions allowed by law.
HCA will, upon someone’s request, and subject to applicable privacy laws, provide access to personal information that is held by us. However, we ask them to identify, as clearly as possible, the type (or types) of information requested. HCA will deal with their request in a reasonable time – usually within 30 days.
Depending on the breadth of the request, we may recover reasonable costs incurred in supplying access to this information.
Exceptions – The right to access personal information is not absolute. In some circumstances, the law permits us to refuse a request to provide access to the personal information, such as circumstances where:
- access would pose a serious threat to the life or health of any individual
- access would have an unreasonable impact on the privacy of others
- the request is frivolous
- the information relates to a commercially-sensitive decision-making process
- access would be unlawful
- access may prejudice enforcement activities, a security function or commercial negotiations.
Freedom of information laws – In addition to privacy laws, a person may have rights to access their personal information contained in certain HCA documents. Details on how to apply for access to these documents are contained in the Freedom of Information Act 1982 (FOI Act).
It is inevitable that some personal information which we hold will become out of date. We will take reasonable steps to ensure that the personal information which we hold remains accurate. Where the owner of the information advises us of a change of details, we will amend our records accordingly.
Agency personnel records that have been inactive for a period in excess of 12 months will not be actively checked or audited to ascertain their accuracy. The records will be frozen in time as at their last update. When an Agency Worker has not been engaged in a contract for in excess of 12 months, a fresh application or update of details will be required prior to recommencing agency work. Personnel Records held in the Booking System that have been inactive for a period of 7 years are archived in the Booking System with the records tagged as hidden.
Where an agency worker recommences casual work with HCA after the 12 month period, the record can be reactivated and updated upon receipt of a fresh application.
For clients with whom HCA has an ongoing relationship, personal information will be checked (and updated accordingly) at least annually on reviews, or when prompted by the client.
Where information has been disclosed to a third party, HCA will take reasonable steps to notify the third party of the correction.
Where we are unable to update information, we will provide an explanation in writing as to why the information cannot be corrected.
What should you do if you have a complaint about the handling of your personal information?
You may make a complaint about privacy to the Privacy Officer (Chief People Officer / HR Business Partner) at the contact details set out below.
The Privacy Officer will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally respond to your complaint within a week.
If your complaint requires more detailed consideration or investigation, we will acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly. We may ask you to provide further information about your complaint and the outcome you are seeking. We will then typically gather relevant facts, locate and review relevant documents and speak with individuals involved.
In most cases, we will investigate and respond to a complaint within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.
If you are not satisfied with our response to your complaint, or you consider that HCA may have breached the APPs or the Privacy Act, a complaint may be made to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted by telephone using contact details below or by using the contact details on the OAIC website.
HealthCare Australia – HR Department
Phone: +61 2 9024 3241
Email: [email protected]
Office of the Australian Information Commissioner
Phone: 1300 363 992
Teletypewriter (TTY): 133 677 then ask for 1300 363 992.
Speak and Listen users: 1300 555 727 then ask for 1300 363 992
Where the complaint relates to a registered Health Practitioner, privacy complaints may also be lodged with that body.
National Health Practitioners Privacy Commissioner
Phone: 03 9674 0421
Email: [email protected]
How can you contact HCA?
The contact details for HCA are:
HCA Privacy Officer
Address: Level 22, 201 Elizabeth Street, Sydney 2000
Email address: [email protected]
Telephone number: +61 2 9024 3241
Privacy Management Standard