GPTT
Privacy Policy

Purposes

General Practice Training Tasmania Inc. (GPTT) is committed to complying with the Privacy Act 1988, and the privacy provisions of all applicable legislation.

This privacy policy covers all personal information we hold, that is, information, or an opinion, about an individual, whose identity is apparent, or can be reasonably ascertained, from that information or opinion.

The policy also covers personal information that we have sourced from third parties.

OUR CONTACT DETAILS

We may be contacted in any of the following ways:

  • by telephoning 03 6215 5000;
  • by writing to us at RACT Building, Level 3, 179 Murray Street, Hobart, 7000;
  • by visiting us at the above address;
  • via our website gptt.com.au.

Definitions

APP means Australian Privacy Principle, as set out in the Privacy Act 1988 (Cth).

Disclosure means, in relation to personal information, a release of that personal information from the effective control of GPTT, including but not limited to:

  • an automatic release, to a person or body that GPTT knows has a general authority to access that personal information; or
  • in response to a specific request.

Employees includes volunteers and third parties undertaking duties on behalf of General Practice Training Tasmania Inc.

Notification laws means the data breach notification laws (being those introduced by the Privacy Amendment (Notification Data Breaches) Act 2017 (Cth)).

Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

Sensitive Information is a subset of personal information, which is information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, health information, genetic information, biometric information and biometric templates.

Use means, in relation to personal information, any accessing by an agency of personal information in its control, including searching records for any reason, using personal information in a record to make a decision and passing a record from one part of the organisation to another part.

COLLECTING INFORMATION

When we collect personal information from an individual, we will ensure that we do so in a fair manner and that we let the individual know where and how to contact our organisation.  We will only collect information that is necessary for one or more of our functions or activities.

Where possible, employees should collect personal information directly from the individual.  However, it is permissible to obtain personal information from third parties where necessary.   We will advise individuals of the purposes for which their personal information is collected, and of those third parties to whom the information is usually disclosed.

If personal information about an individual is collected from a third party and it is unclear that the individual has consented to the disclosure of his or her personal information to GPTT, employees should take reasonable steps to contact the individual and ensure that he or she is aware of the collection.  In most cases, this can take place simultaneously with the first use of the information by GPTT.

If we collect sensitive information we will treat it with the utmost security and confidentiality.   We will ensure that it is not collected for any purposes other than those for which we have obtained the individual’s consent, unless the law requires otherwise, or other exceptional circumstances prevail as described under the Act.

Where an individual chooses not to provide requested information, we will advise that individual of what impact this non-disclosure may have. For example, withholding certain information may limit our ability to make relevant offers or services to individuals.

We will take all reasonable steps to ensure that the data we collect, use or disclose is accurate, complete and up to date, and has been obtained directly from individuals or other reputable sources.

 

DISCLOSING INFORMATION

We will only disclose personal information in accordance with the Privacy Act and with the prior approval of funding providers as required.

This means that personal information may be disclosed:

  • for the purposes for which we have advised that we are collecting it, and for related purposes that the individual would reasonably expect,
  • where we have the consent of the individual so to do,
  • as part of the arrangements for training to be done by an outside organisation or individual,
  • as required by law, or
  • under other circumstances where permitted under the Act.

Additionally, personal information may be disclosed:

  • where the employee, where practicable in consultation with the CEO, reasonably believes that the disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety, or
  • where the employee, in consultation with the CEO, has reason to suspect that unlawful activity has been, or is being, engaged in.

In the course of our business and training activities, we may need to disclose some of your personal information to relevant individuals and organisations.

GPTT will not send any Personal Information outside Australia without the prior written approval of its funding providers.

 

UNAUTHORISED DISCLOSURE OR ACCESS

As GPTT is committed to protecting the privacy of individuals, we will view unauthorised disclosure of, or access to, personal information by our employees, contractors or agents, as a serious breach of this policy.  Appropriate action (which may include disciplinary or legal action) will be taken in such cases.

 

USE OF INFORMATION

Employees must only use individuals’ personal information for the primary purpose for which it was collected, a secondary purpose to which the individual has consented, or:

  • for a purpose related to the primary purpose of collection and the individual would reasonably expect the personal information to be used for such a purpose,
  • where the employee, where practicable in consultation with the CEO, reasonably believes that the use is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety, or
  • where the employee, in consultation with the CEO, has reason to suspect that unlawful activity has been, or is being, engaged in.

 

BUSINESS-TO-BUSINESS RELATIONSHIPS

Where an individual provides their business contact details (such as a business card), this should be treated as implied consent to be contacted for business purposes.  However, the individual should not be contacted in relation to marketing activity in their individual capacity unless he or she has provided specific consent.

 

OPT-OUT

We will always provide individuals with a way of contacting us to register a request to ‘opt-out’ from receiving further promotion material or any marketing offers.

Employees must take all necessary steps to opt such individuals out of promotion materials or marketing offers.  Requests to opt out will in the first instance be treated as a request to opt out of the particular promotion, event or campaign to which the communication relates.  However, individuals must be given the opportunity to contact GPTT (for example, by phone or email) to opt out of all direct marketing communications, across all promotions, events, or campaigns.

Individuals who have opted out of direct marketing may still receive administrative emails to assist GPTT to comply with its regulatory obligations.

 

ACCESS AND CORRECTION TO PERSONAL INFORMATION

Individuals are entitled to access any personal information held by GPTT about them, except in some exceptional circumstances provided by law.  Where an individual requests access to their personal information, employees should verify the individual’s identity (for example, by checking name, address and date of birth of the individual) and, subject to the exceptions described below, should provide the personal information requested.

However, GPTT is not required to provide access to personal information where:

  • access would pose a serious threat to the life, safety or health of any individual or to public health or public safety
  • access would have an unreasonable impact on the privacy of other individuals
  • the request is frivolous or vexatious
  • denying access is required or authorised by a law or a court or tribunal order
  • access would be unlawful, or
  • access may prejudice commercial negotiations, legal proceedings, enforcement activities or appropriate action being taken in respect of a suspected unlawful activity or serious misconduct.

If there is an operational reason why the employee does not wish to provide the information or the request is not straightforward and the employee is unsure how to handle the request, the employee should seek advice from the CEO.

Any decision to refuse a request for personal information should be handled by the CEO.  GPTT will provide the individual with a written notice setting out the reasons for the refusal or for why the request has been handled in a particular way and notify the individual about the complaint mechanisms available (see under Complaints below).

Individuals are entitled to seek to have personal information about them corrected.  If an individual makes such a request, employees should correct the information.  However, if there is an operational reason why the employee does not wish to correct the information or the request is not straightforward and the employee is unsure how to handle the request, the employee should seek advice from the CEO.

Due to the nature of GPTT’s operations, individuals’ personal information may be stored simultaneously in more than one database or location.  Employees must use reasonable endeavours to update all known instances where a request for correction of personal information by an individual is able to be fulfilled.

GPTT’s policy is to respond to requests for correction in a timely manner.

Any decision to refuse a request to correct personal information should be handled by the CEO. GPTT will provide the individual with a written notice setting out the reasons for the refusal or for why the request has been handled in a particular way and notify the individual about the complaint mechanism available (see under Complaints below).

 

SECURITY

GPTT will take reasonable steps to help ensure the security of personal information, including by:

  • making sure that personal information is accurate, complete and up to date;
  • ensuring that only those employees needing access to the personal information are authorised to access and can access the personal information;
  • ensuring no copies of the personal information or any material containing personal information are made, unless otherwise authorised;
  • ensuring that all employees are aware of the requirements of notification laws;
  • maintaining internal controls to monitor and identify any data breach in a prompt manner, with appropriate reporting capacity;
  • protecting personal information from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods, and
  • destroying or permanently de-identifying personal information if it is no longer needed for any authorised purpose.

 

BREACH NOTIFICATION

The CEO is responsible for responding to the unauthorised access or disclosure of personal information in a manner which constitutes a data security breach.

As soon as GPTT is aware of an alleged, potential or actual data breach (including deliberate third party breaches and inadvertent supplier disclosures) or a breach of a privacy obligation under the Privacy Act, it will notify the relevant funding provider.

Each data security breach is assessed on a case-by-case basis and the CEO, in consultation with the relevant funding provider, will determine an appropriate outcome.  The exact nature of the response will depend on the circumstances but is likely to include:

  • taking reasonable steps to contain the data security breach
  • undertaking a preliminary assessment of the data security breach (and evaluation of the risks associated with the breach),
  • providing all reasonable assistance to support the relevant funding provider:
    • in determining whether the data breach is an eligible data breach under the notification laws,
    • and if so eligible, reporting the data breach; and
  • investigating the breach and providing the relevant funding provider with a written report as soon as possible or, in the event that it is determined to be an eligible data breach, within 14 days of the breach occurring;
  • GPTT will not make a public statement concerning individuals affected by any data breach without the relevant funding provider’s prior written consent, unless required by law;
  • where appropriate following the results of that assessment (and evaluation), implementing appropriate procedures and changes.

Where required by law, the CEO will seek legal advice and will assist employees to notify individuals affected by a data security breach.

 

AVAILABILITY AND REVIEW OF POLICY

We will make our Privacy Policy available on request and will provide a link to this policy from our GPTT internet site. This Privacy Policy will be reviewed from time to time and any amendments will be incorporated in the updated policy.

 

WHAT TO DO IF YOU THINK WE HAVE MADE AN ERROR

GPTT is committed to the protection of your privacy, and our policies, processes and systems have been developed with this intent.   However, sometimes human errors do occur.  If you think we have not lived up to our commitment, we invite you to email us at [email protected] or phone our office.

 

COMPLAINTS

All individuals who have been refused access or refused correction (see above), or have been subject to some other decision by GPTT regarding their personal information with which they do not agree, must be advised of the complaints mechanisms available to the individual, as follows:

  • a complaint should firstly be made in writing to the CEO of GPTT by email on [email protected], by telephone on (03) 6215 5000, or by post to Level 3 RACT House, 179 Murray Street, Hobart 7000,
  • GPTT will respond in a timely manner and will generally respond within 30 days,
  • the complaint may then be taken to an externally recognised dispute resolution scheme (if any), and
  • lastly, a complaint may be made to the Information Commissioner.

It is the CEO’s responsibility to handle all complaints and to determine whether the complaint concerns a breach of the APPs, a privacy law or other applicable law.

General Practice Training Tasmania Inc. is bound by the Australian Privacy Principles for the handling of personal information. Contact the Office of the Australian Information Commissioner for information about the Australian Privacy Principles.