Privacy Compliance Policy 2002
Pathrec is committed to conducting its affairs in compliance with all applicable laws and
regulations and in accordance with the highest ethical standards.
Our Privacy Policy
The Federal Privacy Amendment (Private Sector) Act 2000 and the Victorian Health Records Act
2001 ("the Acts") will commence on 21 December 2001 and 1 March 2002 respectively. The Acts
regulate the way Pathrec will need to handle personal information about individuals, including
health information about prospective insureds (clients). The Victorian Act is relevant to Pathrec's
Victorian operations only. The Acts will affect Pathrec's policies regarding the collection, handling,
use, disclosure, transfer and the management of personal information, including health
information. The new laws impose responsibilities on all Pathrec staff who come into contact with
or collect, use or disclose personal information about individuals, including health information
about prospective insureds with whom Pathrec deals.
The Acts will also affect health and other professionals outside of Pathrec with whom we and the
insureds interact, including insurance companies. Those professionals will therefore confront
similar obligations and will have to discharge similar responsibilities, including the provision of
relevant information to insureds.
Pathrec must now take reasonable steps to make individuals (including prospective insureds)
aware that it is collecting personal information about them, the purposes for which it is collecting
the information, and the sorts of external organisations or persons to whom the information might
be or will be disclosed.
Pathrec has introduced a new privacy compliance system and training program to assist Pathrec
and its employees to comply with the new legislation.
Protecting the Privacy of Personal Information
The new Acts are designed to protect the privacy of an individual's "personal information"
including their "health information" – terms which are defined widely and which cover virtually
any information about an identifiable individual, including information stored or transmitted
electronically.
Pathrec is responsible for all personal information, regardless of how it is acquired. This includes
information that has not been requested from an individual or that has been obtained by accident,
so long as that information is kept.
National Privacy Principles / Health Privacy Principles
The foundation of the new Federal privacy legislation is a set of 10 National Privacy Principles
(NPPs) which set out requirements governing the "life cycle" of personal information. The
equivalent provisions in the Victorian legislation are the Health Privacy Principles (HPPs) which set
out similar, but slightly different, standards. All Victorian-based Pathrec facilities are required to
comply with both sets of Principles. Pathrec facilities outside of Victoria are required to comply
with the Federal Principles only (NPPs).
The principles deal with the following issues:
- Collection
The Principles require the collection of personal information to be fair, lawful, and non-intrusive.
This involves a requirement to obtain the individual's (usually the prospective
insured's) consent to Pathrec's collection of the information. Such consent does not necessarily
need to be documented in writing. Often implied consent is all that is required.
Pathrec must provide the individual, as soon as practicable, with the following information:
- The primary purpose for which Pathrec is collecting personal information about them;
- What personal information Pathrec holds about them;
- How information will be used;
- Who else will be given the information (in broad terms); and
- How Pathrec will protect the information.
Pathrec does this by providing individuals with the "Pathrec Privacy Statement".
You need to familiarise yourself with this document. You also need to understand that the
provision of this document does not alone discharge our or your responsibility to respect the
individual's privacy rights. You need to ensure that your own practices are equally respectful of
those rights and comply with the relevant Principles. If you are not sure whether the individual
has given adequate consent to a certain practice, you should discuss it with Olga Tomic.
- "Use" and "Disclosure"
The Principles also limit the purpose for which Pathrec can use or disclose personal information,
including health information. "Use" means use within the organisation. "Disclosure" means
disclosure to persons or organisations other than Pathrec.
Pathrec must only use or disclose personal information, including health information, for:
- The primary purpose of collection (the primary purpose is the main reason the individual
would expect their information to be used. For prospective insureds, the usual purpose is
the obtaining of relevant health information to help determine the prospective insured's
entitlement to insurance coverage); or
- A directly related secondary purpose which is within the reasonable expectations of the
individual (the prospective insured) (a secondary purpose is the use of the information that
may or may not be apparent to the individual at the time of collection and which is not
necessary for providing the primary purpose); or
- A range of other purposes specifically permitted under the Acts, many of which are
consistent with longstanding legal and ethical principles.
- Storage and Security
The Principles require Pathrec to ensure that any personal information, including health
information, that Pathrec holds is:
- Accurate – Pathrec has a responsibility to check the accuracy of information collected,
particularly where that information is not collected directly from the individual concerned;
- Complete;
- Up-to-date; and
- Stored securely.
Pathrec must take reasonable steps to protect the personal information it holds from misuse and
loss and from unauthorised access, modification or disclosure.
- Contractors
Pathrec must also ensure that its contractors comply with the relevant Principles.
Pathrec will conduct a review of its existing contract arrangements and implement mechanisms to
ensure effective compliance with the Principles by its contractors.
- Disposal of Information
Apart from legal requirements to hold information, Pathrec must take reasonable steps to destroy
or permanently de-identify personal information that it no longer needs to hold.
- Transborder Data Transfer
Pathrec cannot transfer information to an organisation or related corporate entity located in a
different jurisdiction (even if all the usual requirements for information transfer have been met)
unless the organisation in the other jurisdiction is subject to a similar privacy regime, or if the
individual about whom the information relates has consented to the transfer. Most private sector
organisations throughout Australia (including insurers) will be subject to the new privacy laws.
Many public sector organisations throughout Australia may also be subject to the State or
Territory-based privacy laws.
- Openness, Access and Correction
The Principles require Pathrec to be open about its information handling policies, and (except in
certain specified circumstances) to give individuals access to information held about them, and to
allow them to correct the information if it is wrong. The access rights generally apply to records
created after 21 December 2001, though in some cases, older records may also be affected.
Pathrec must not charge an individual who lodges a request for access but may apply a charge
that is not excessive to recover the cost of making the information available. The relevant
charges may be contained in guidelines or regulations issued by the Federal or State Privacy
regulators.
- Compliance Review
We will regularly review our compliance efforts so that we can maintain our commitment to this
policy.
If you have any questions regarding Pathrec's Privacy Compliance Policy, or if you wish to bring to
our attention any concerns you may have that a Pathrec practice is not complying with the policy,
please contact Olga Tomic, CEO on 1800 066 895 or on Mobile 0149 955 743.
A more detailed outline of the privacy standards, which Pathrec has adopted, is available for
inspection and must be available to any persons who seek access to it. The document is available
at Pathrec's Head Office, Level 6, 50 Queen Street Melbourne 3000.
"Handy Hints" on Privacy Practices
Familiarise yourself with the information leaflet. The prospective insured may want to discuss it
with you.
The information leaflet has been designed to deal with a "typical" Pathrec encounter. It therefore
has not been and cannot be tailored to suit the needs of all prospective insureds in all
circumstances. As a general rule, if you are uncertain as to whether you need "fresh" consent, you
should seek it. You can do this simply by discussing the matter with the individual or you can
seek clarification from Olga Tomic.
- The physical environment in which information is collected should be as conducive as
possible to the maintenance of privacy and confidentiality.
- Avoid discussing prospective insureds by name within earshot of other insureds or general
public.
- Unless there is some overriding legal reason why information should be collected or
disclosed, the focus should always be on consent: that consent can be either express or
implied. It can be given verbally or by inference. Sometimes it might need to be written
down but many times it will not. If you are in doubt as to whether there is adequate
consent for a certain information practice, discuss it with your Supervisor. However, most
"routine" information practices in Pathrec should have already been brought to the attention
of the prospective insured through, among other practices, the provision of the information
leaflet.
- Collection practices must be sensitive to the particular circumstances or cultural needs of
the individuals. The prospective insured should not feel that they have been "forced" to
provide information. They should be given every opportunity to ask questions and to clarify
their privacy rights and Pathrec's obligations.
- Some prospective insureds may suffer from a disability which interferes with their capacity
to give or receive information. In those circumstances, the relevant discussions need to be
had with a designated "responsible" person. The new privacy laws set out a range of such
persons who might need to be consulted. This is a potentially complex area of law. If you
have any doubts, please contact Olga Tomic.
- Privacy is an ongoing obligation. While the processes we are introducing will seek to
introduce a level of uniformity and consistency to the information-sharing process, you
need to be aware that you have an ongoing obligation with respect both to confidentiality
and privacy. You will therefore need to deal with specific privacy concerns, or seek
assistance from Olga Tomic as and when they arise.
- The key rule is: the expectations and understanding of the prospective insured should be
aligned with those of the organisation and vice-versa.
Contact regarding this policy:
Olga Tomic
CEO
1800 066 895
PATHREC PTY LTD
ACN: 099 204 690
TOPKEY CONSULTANTS PTY LTD
ACN: 065 943 526
Website: www.pathrec.com
Email: medicals@pathrec.com