General Practice Training Tasmania Inc. (GPTT) is committed to complying with the Privacy Act 1988, and the privacy provisions of all applicable legislation.
The policy also covers personal information that we have sourced from third parties.
We may be contacted in any of the following ways:
APP means Australian Privacy Principle, as set out in the Privacy Act 1988 (Cth).
Disclosure means, in relation to personal information, a release of that personal information from the effective control of GPTT, including but not limited to:
Employees includes volunteers and third parties undertaking duties on behalf of General Practice Training Tasmania Inc.
Notification laws means the data breach notification laws (being those introduced by the Privacy Amendment (Notification Data Breaches) Act 2017 (Cth)).
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Sensitive Information is a subset of personal information, which is information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, health information, genetic information, biometric information and biometric templates.
Use means, in relation to personal information, any accessing by an agency of personal information in its control, including searching records for any reason, using personal information in a record to make a decision and passing a record from one part of the organisation to another part.
When we collect personal information from an individual, we will ensure that we do so in a fair manner and that we let the individual know where and how to contact our organisation. We will only collect information that is necessary for one or more of our functions or activities.
Where possible, employees should collect personal information directly from the individual. However, it is permissible to obtain personal information from third parties where necessary. We will advise individuals of the purposes for which their personal information is collected, and of those third parties to whom the information is usually disclosed.
If personal information about an individual is collected from a third party and it is unclear that the individual has consented to the disclosure of his or her personal information to GPTT, employees should take reasonable steps to contact the individual and ensure that he or she is aware of the collection. In most cases, this can take place simultaneously with the first use of the information by GPTT.
If we collect sensitive information we will treat it with the utmost security and confidentiality. We will ensure that it is not collected for any purposes other than those for which we have obtained the individual’s consent, unless the law requires otherwise, or other exceptional circumstances prevail as described under the Act.
Where an individual chooses not to provide requested information, we will advise that individual of what impact this non-disclosure may have. For example, withholding certain information may limit our ability to make relevant offers or services to individuals.
We will take all reasonable steps to ensure that the data we collect, use or disclose is accurate, complete and up to date, and has been obtained directly from individuals or other reputable sources.
We will only disclose personal information in accordance with the Privacy Act and with the prior approval of funding providers as required.
This means that personal information may be disclosed:
Additionally, personal information may be disclosed:
In the course of our business and training activities, we may need to disclose some of your personal information to relevant individuals and organisations.
GPTT will not send any Personal Information outside Australia without the prior written approval of its funding providers.
As GPTT is committed to protecting the privacy of individuals, we will view unauthorised disclosure of, or access to, personal information by our employees, contractors or agents, as a serious breach of this policy. Appropriate action (which may include disciplinary or legal action) will be taken in such cases.
Employees must only use individuals’ personal information for the primary purpose for which it was collected, a secondary purpose to which the individual has consented, or:
Where an individual provides their business contact details (such as a business card), this should be treated as implied consent to be contacted for business purposes. However, the individual should not be contacted in relation to marketing activity in their individual capacity unless he or she has provided specific consent.
We will always provide individuals with a way of contacting us to register a request to ‘opt-out’ from receiving further promotion material or any marketing offers.
Employees must take all necessary steps to opt such individuals out of promotion materials or marketing offers. Requests to opt out will in the first instance be treated as a request to opt out of the particular promotion, event or campaign to which the communication relates. However, individuals must be given the opportunity to contact GPTT (for example, by phone or email) to opt out of all direct marketing communications, across all promotions, events, or campaigns.
Individuals who have opted out of direct marketing may still receive administrative emails to assist GPTT to comply with its regulatory obligations.
Individuals are entitled to access any personal information held by GPTT about them, except in some exceptional circumstances provided by law. Where an individual requests access to their personal information, employees should verify the individual’s identity (for example, by checking name, address and date of birth of the individual) and, subject to the exceptions described below, should provide the personal information requested.
However, GPTT is not required to provide access to personal information where:
If there is an operational reason why the employee does not wish to provide the information or the request is not straightforward and the employee is unsure how to handle the request, the employee should seek advice from the CEO.
Any decision to refuse a request for personal information should be handled by the CEO. GPTT will provide the individual with a written notice setting out the reasons for the refusal or for why the request has been handled in a particular way and notify the individual about the complaint mechanisms available (see under Complaints below).
Individuals are entitled to seek to have personal information about them corrected. If an individual makes such a request, employees should correct the information. However, if there is an operational reason why the employee does not wish to correct the information or the request is not straightforward and the employee is unsure how to handle the request, the employee should seek advice from the CEO.
Due to the nature of GPTT’s operations, individuals’ personal information may be stored simultaneously in more than one database or location. Employees must use reasonable endeavours to update all known instances where a request for correction of personal information by an individual is able to be fulfilled.
GPTT’s policy is to respond to requests for correction in a timely manner.
Any decision to refuse a request to correct personal information should be handled by the CEO. GPTT will provide the individual with a written notice setting out the reasons for the refusal or for why the request has been handled in a particular way and notify the individual about the complaint mechanism available (see under Complaints below).
GPTT will take reasonable steps to help ensure the security of personal information, including by:
The CEO is responsible for responding to the unauthorised access or disclosure of personal information in a manner which constitutes a data security breach.
As soon as GPTT is aware of an alleged, potential or actual data breach (including deliberate third-party breaches and inadvertent supplier disclosures) or a breach of a privacy obligation under the Privacy Act, it will notify the relevant funding provider.
Each data security breach is assessed on a case-by-case basis and the CEO, in consultation with the relevant funding provider, will determine an appropriate outcome. The exact nature of the response will depend on the circumstances but is likely to include:
Where required by law, the CEO will seek legal advice and will assist employees to notify individuals affected by a data security breach.
GPTT is committed to the protection of your privacy, and our policies, processes and systems have been developed with this intent. However, sometimes human errors do occur. If you think we have not lived up to our commitment, we invite you to email us at [email protected] or phone our office.
All individuals who have been refused access or refused correction (see above), or who have been subject to some other decision by GPTT regarding their personal information with which they do not agree, must be advised of the complaints mechanisms available to the individual, as follows:
It is the CEO’s responsibility to handle all complaints and to determine whether the complaint concerns a breach of the APPs, a privacy law or other applicable law.
General Practice Training Tasmania Inc. is bound by the Australian Privacy Principles for the handling of personal information. Contact the Office of the Australian Information Commissioner for information about the Australian Privacy Principles.