Privacy policy

1. Purpose

The purpose of this policy is to:

  • ensure that employees, contractors and volunteers of the RACGP understand their obligations under applicable legislation when dealing with Personal Information;
  • enable Members and others who interact with the RACGP to understand what types of Personal Information we collect, and what we do with such information in performing our functions and to comply with our privacy obligations; and
  • set out RACGP’s obligations in relation to responding to complaints about potential privacy breaches.

The RACGP is committed to protecting the privacy of the Personal Information we collect and receive. We have a strong commitment to maintaining the security and integrity of Personal Information within our care.

The RACGP takes active steps to comply with applicable legislative obligations relevant to privacy.

2. Application

This policy applies to all employees, contractors, volunteers and Members of the RACGP and any member of the public who provides information.

3. Types of Information held by the RACGP

The RACGP will hold a variety of types of Personal Information about its Members, volunteers, employees and contractors and in some cases the general public. Information which the RACGP may routinely gather as part of its normal operations includes for example:

  • People’s names, addresses, birthdates and gender;
  • Areas of specific interest and Faculty membership;
  • Membership category and services accessed, provided and offered;
  • Employee salaries, super contributions, personnel records and performance information;
  • Business prices, quotes, invoices and contracts; and
  • Member exam results.

3.1 Personal Information

Personal Information is information or an opinion whether true or not, about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

For example, a person’s home address, their telephone number, their exam results or their Medicare Card number will be Personal Information.

3.2 Sensitive Information

Sensitive Information is a type of Personal Information. Sensitive Information includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric information.

For example, a person’s self-identification as Aboriginal, a person’s status as a member of the Australian Medical Association, a person’s status as an atheist or a person’s conviction for theft will all be Sensitive Information.

3.3 Health Information

Health Information is a type of Sensitive Information. Health Information includes health and genetic information about a person.

For example, an employee’s medical certificate for a day of sick leave, or a record of a person suffering a workplace injury will be Health Information.

4. The purposes for which the RACGP collects, holds, uses and discloses Personal Information

The RACGP collects, holds, uses and discloses Personal Information as a result of carrying out its normal operations consistent with the purposes and functions under its Constitution as reasonably necessary. These purposes and functions include for example:

  • operational functions related to the services provided to members such as admission, administration, disciplinary functions and technical support;
  • matters related to collegiality such as participation in peer groups, specific interest networks, Faculties, events and activities;
  • purposes described in the Objects of the RACGP in Clause 2 of the Constitution;
  • educational functions to do with training, assessment and examinations, professional development, faculty operations and quality standards;
  • RACGP governance such as board secretariat, compliance, audit and policy; and
  • business as usual corporate functions such as finance, contracting, media and communications, publications, research, innovation, events management, IT, advisory functions, and advocacy.

5. The kind of Personal Information we collect and hold

The kind of Personal Information we collect and hold about individuals depends on the circumstances of collection and the nature of the dealings with the RACGP.

For example, if a person:

  • is an RACGP member, we collect information including name, address, contact number, gender, date of birth, address, email address and other information related to membership and participation within the RACGP, for example membership of a specific interest network;
  • applies for an RACCGP educational program or Fellowship pathway, we collect demographics, qualifications, training to date, eligibility to work in Australia, past and current employment and other information relevant to administration of the program;
  • works for the RACGP, we collect contracting details including your Australian Business Number, tax file number and superannuation details where relevant and other information related to your engagement;
  • applies for a job in the RACGP, we collect the information included in an application for employment, including a cover letter, resume, contact details and referee reports; or
  • is a member of the general public who contacts the RACGP who elects not to rely on anonymity or pseudonymity, we collect contact address details, usually including but not limited to email addresses and phone numbers and details about the reason for the contact.

In all cases where we collect Personal Information, we seek to keep it updated and accurate.

5.1 Sensitive Information

The RACGP’s policy is only to collect Sensitive Information where it is reasonably necessary for our functions or activities and either:

  • the individual has consented; or
  • we are required or authorised by or under law to do so.

For example, we may collect:

  • information about an individual’s membership of other professional associations; 
  • information about dietary requirements or mobility needs when we conduct examinations or events such as conferences and seminars; or
  • information about medical conditions in the context of exams, as part of a special consideration application or so that we can implement special exam arrangements.

6. How we collect and hold Personal Information

6.1 Methods of collection

The RACGP only collects Personal Information by lawful and fair means. If it is reasonable and practicable, we will collect Personal Information we require directly from the individual.

The RACGP collects Personal Information in a number of standard ways, including:

  • by email or other electronic means such as websites, cookies, mobile applications or other electronic systems;
  • over the telephone including recordings;
  • through written correspondence including letters, faxes, hard copy emails, applications, registration and other forms, examinations, and surveys;
  • in person;
  • through surveillance cameras in our premises;
  • from third parties, including:
    • Regional Training Organisations and other educational providers and contractors that assist us in running our educational programs (including organising and conducting assessments);
    • Past and current employers, medical educators and supervisors;
    • Australian Government Authorities such as the Commonwealth Department of Health, Medicare, ASIC and the ATO;
    • Professional associations such as the Medical Board of Australia (MBA);
    • Overseas registering authorities including Medical Council of New Zealand and the General Medical Council of the UK;
    • insurers in relation to professional indemnity insurance;
    • public sources, such as telephone directories, membership lists of business, professional and trade associations, public websites, ASIC searches, bankruptcy searches and searches of court registries;
    • indirectly, through social media sites like Facebook, Twitter, Google and others (to whom you have provided consent); and
    • RFID technology Radio Frequency Identification (RFID) technology generally consists of a transponder which transmits data and a reader which collects that data. RFID technology assembles this data to provide information on user travel within an event.

6.2 Collection notices

Where the RACGP collects Personal Information directly from an individual, the RACGP’s policy is to take reasonable steps to notify them, including: 

  • our identity and how to contact us;
  • the purposes for which we are collecting the information;
  • whether the collection is required or authorised by law or a court or tribunal order;
  • the third parties (or types of third parties) to whom we would normally disclose information of that kind;
  • whether any information will be held or accessed overseas and, if practicable to specify, the countries; and
  • the fact that this Privacy Policy contains information about how to access and correct Personal Information and make privacy complaints (and how we will deal with those complaints).

We do this at or before the time of collection, or as soon as practicable afterwards. 

The RACGP will generally include these matters in a collection notice. For example, where Personal Information is collected on a paper or website form, we will generally include a collection notice, or a clear link to it, on the form. 

Collection notices may provide more specific information than this Privacy Policy in relation to particular collection of Personal Information. The terms of this Privacy Policy are subject to any specific provisions contained in collection notices and in the terms and conditions of particular offers, products and services. We encourage you to read those provisions carefully. 

Where the RACGP collects information about an individual from a third party, our policy is to take reasonable steps to make sure that the individual is made aware of the collection details listed above and, if unaware that that we have collected the information, of the fact and circumstances of the collection.

6.3 Unsolicited Personal Information

Unsolicited Personal Information is Personal Information the RACGP receives that we have taken no active steps to collect (such as an employment application sent to us by an individual on their own initiative, rather than in response to a job advertisement).

Unless the unsolicited Personal Information is reasonably necessary for one or more of our functions or activities, the RACGP’s approach is to destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.

7. Use and disclosure of Personal Information

7.1 Use of Personal Information

Personal Information is kept until we are no longer legally obliged to keep it, or when the need for the Personal Information has passed (at which point it will be destroyed, deleted or de-identified). Our purpose for collecting Personal Information will to a degree depend on the interaction with us.

For example, for members, our primary purposes for collection is to administer and provide Members with the full benefits of and administering membership, providing services, sending related information, or as a record of confirmation of attainment of academic qualifications, and to advocate on behalf of general practice as a profession. For other individuals, Personal Information may be collected to respond to enquiries or comply with other legal obligations.

Other than in limited circumstances that are prescribed by law, we will not use an individual’s Personal Information without consent. Permitted exceptions, include where we are legally required to disclose, or to protect the personal safety of any individual or the public.

7.2 Disclosure of Personal Information to Third Parties

Under the RACGP’s policy, Personal Information will not be disclosed without consent, other than in certain limited circumstances. Those circumstances include where the disclosure is required or authorised under a legal obligation or where the individual might reasonably expect disclosure. It may therefore be necessary to disclose Personal Information to bodies such as the Commonwealth Department of Health, Medicare, ASIC and the ATO, or other bodies to enable the RACGP to carry out its functions.

In the case of contracted service providers, the RACGP may disclose Personal Information to the service provider and the service provider may in turn provide us with Personal Information collected from an individual in the course of providing the contracted products or services.

We will not ordinarily disclose Personal Information to anyone outside of Australia. Where the RACGP is permitted to disclose Personal Information to an overseas organisation, it will take all reasonable steps to ensure that organisation complies with the Australian Privacy Principles under the Privacy Act 1988 (C’th). The RACGP will also advise any individual of the countries where the Personal Information is to be disclosed if practicable.

8. Direct marketing

Where we have consent, the RACGP may use Personal Information it has collected for receiving direct marketing from the RACGP. For example, where the RACGP has consent, we may send individuals information about RACGP products and services, competitions and promotions and offers relating to the products and services of other organisations.

Unless an individual has given us consent, we will not provide, rent or sell information to other organisations so that they can direct market.

8.1 Communication of Consent

An individual may communicate consent or withdrawal of a previous consent to the RACGP’s use of their Personal Information for direct marketing in writing, verbally or electronically. The RACGP will clearly identify when an individual is choosing to consent or withdraw consent to receive direct marketing.

9. Data quality and security

The RACGP stores Personal Information in a number of ways, including in electronic databases and contact lists, and in paper files held in secure drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.

The RACGP’s policy is to take reasonable steps to:

  • make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete and in the case of use and disclosure relevant;
  • protect the Personal Information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure; and
  • destroy or de-identify information that is no longer required.

An individual can also help us keep information up to date by letting us know about any changes to Personal Information, such as email address or phone number. The steps we take to secure the Personal Information we hold include ICT security (such as endpoint detection response, anti-virus software, event monitoring, encryption, firewalls, authentication and authorisation controls), secure office access, personnel security and training and workplace policies.

10. Access and correction of Personal Information

An individual has a right to request access to the Personal Information that the RACGP holds about them and also to request its correction.

Some information may be directly accessed and amended through the RACGP website. For any Personal Information that cannot be accessed and corrected through the website, the Privacy Officer can be contacted at privacy@racgp.org.au to access or correct the Personal Information that we hold. We may ask to verify an individual’s identity before processing any access or correction requests to ensure that the Personal Information we hold is properly protected.

The RACGP will provide access to Personal Information subject to some exceptions permitted by law, including protecting others’ privacy. We may provide access in the manner requested provided it is reasonable and practicable for us to do so. We may however charge a fee to cover our reasonable costs of locating the information and providing it.

In the case of RACGP employees, the employee must make a written request for access to HR. Employees may take notes from or photocopy material in their personnel file but must not remove any documents permanently.

If an individual asks the RACGP to correct Personal Information that we hold about them, or if we believe the Personal Information we hold is inaccurate, irrelevant or misleading, we will take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

If the RACGP corrects Personal Information about an individual, and we have previously disclosed that information to another agency or organisation that is subject to the Privacy Act 1988 (C’th), the individual may ask us to notify that other entity. If so, the RACGP’s policy is to take reasonable steps to do so, unless this would be impracticable or unlawful.

Except in the case of more complicated requests, the RACGP will endeavour to respond to access and correction requests within 30 days.

If the RACGP refuses an access or correction request, or if we refuse to give access in the manner requested, we will provide an individual with a written notice setting out:

  • the reasons for our refusal (except to the extent that it would be unreasonable to do so); and
  • available complaint mechanisms.

In addition, if we refuse to correct Personal Information in the manner requested, an individual may ask us to include in the information a statement that the individual considers the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

11. Complaints

For complaints about how the RACGP has collected or handled Personal Information, please contact the Privacy Officer (details below).

Our Privacy Officer will endeavour in the first instance to deal with the complaint and take any steps necessary to resolve the matter within 10 working days.

If the complaint can't be resolved at the first instance, we will ask the individual to email privacy@racgp.org.au and provide details of the date, time and circumstances of the matter that is being complained about, how you believe privacy has been interfered with and how you would like your complaint resolved (Complaint).

We will endeavour to acknowledge receipt of the Complaint within five business days of receiving it and to complete our investigation into the complaint in a timely manner. This may include, for example, gathering the facts, locating and reviewing relevant documents and speaking to relevant individuals.

In most cases, we expect that complaints will be investigated and a response provided within 30 days of receipt of the Complaint. If the matter is more complex and our investigation may take longer, we will write and let you know, including letting you know when we expect to provide our response.

Our response will set out:

  • the Privacy Officer's findings; and
  • what action, if any, the RACGP will take to rectify the situation.

If an individual is unhappy with our response, a complaint can be made to the Office of the Australian Information Commissioner.

12. Retention of Personal Information

All Personal Information that has been collected from by the RACGP will be kept for the time that is relevant to the purpose for which the Personal Information is to be used and for as long as required by applicable law.

When the Personal Information that we collect is no longer required, we destroy, delete or de-identify it in a secure manner.

In the case of RACGP job applicants, all job applications and interview notes are retained for a period of six months after which they are securely destroyed. If an applicant consents, the RACGP may retain applications and interview notes for a longer period for consideration of further positions.

13. Further inforamtion

Please contact the RACGP for any queries about the Personal Information that we hold or the way we handle that Personal Information. Our contact details for privacy queries and complaints are set out below.

For queries about the application or interpretation of this Policy or the APPs more generally, or if you are unsure as to whether particular information can be disclosed, please contact the RACGP’s Privacy Officer.

Privacy Officer 
RACGP
100 Wellington Parade 
East Melbourne VIC 3002 
Australia 
E: privacy@racgp.org.au
P: + 61 3 8699 0300

This policy is also available on the RACGP website at www.racgp.org.au.

14. Amendment of this Policy

From time to time, our policies are reviewed and may be revised. We reserve the right to update or amend this Policy at any time. We will notify of any changes by posting an updated version of the Policy on our website. The amended policy will be effective on and from its uploading.

The General Counsel may, without the consent of the CEO, make Minor Amendments to this policy at any time.

If the General Counsel makes Minor Amendments, he/she must advise the CEO of those amendments as soon as practicable.

Major Amendments require the consent of the CEO.

15. Responsibilities

CEO

Responsible for approval of policy and Major Amendments

General Counsel

Responsible for implementing this policy and making Minor Amendments.

Members

Must comply with the policy


16. Glossary

Personal Information

Personal Information is information or an opinion whether true or not, about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Minor Amendment

An amendment to style, to correct grammatical mistakes, to change overall formatting, to make updates which do not materially change meaning, or any other amendment, which in the opinion of the xx, does not materially alter the operation of the policy.

Major Amendment

An amendment which materially changes the operation of the policy which is not otherwise a Minor Amendment.

17. Related Documents, Legislation and Policies

Privacy Act 1998 (C’th)

Spam Act 2003 (C’th)

Do Not Call Register Act 2006 (C’th)

General Data Protection Regulation ((EU) 2016/679)

Compliance

This policy complies with all relevant legislation, in particular:

  • Privacy Act 1988 (C’th);
  • Spam Act 2003 (C’th); and
  • Do Not Call Register Act 2006 (C’th)

General Data Protection Regulation ((EU) 2016/679).

Guidance

Guidance may be issued by the General Counsel regarding compliance with this Policy.

18. Policy Review and Currency

This policy will be reviewed every two years from the last approval date. This policy supercedes the Whistleblowers Policy dated May 2017.

Version History

Release notice

Version

Date of effect

Amendment details

Amended by

1.0

 

Initial release

 

Record no.:

 

Policy Type

Operational

Policy owner:

General Counsel

Approved by:

CEO

Approved on:

10 Mar 2020

Next Review Due:

Feb 2022

 

 

Download

 Privacy policy (PDF 824 KB)