The RACGP Privacy policy has recently been updated, predominantly to make some minor corrections but also to cover the privacy implications of information collected through visiting the RACGP website. The changes provide details of how information flows occur through the use of Google Analytics. Users are provided with the ability to opt out of data collection and analysis. Read the explanatory notes regarding the update.
1. Purpose
The purpose of this policy is to:
- ensure that employees, contractors and volunteers of the RACGP understand their obligations under applicable legislation when dealing with Personal Information;
- enable Members and others who interact with the RACGP to understand what types of Personal Information we collect, and what we do with such information in performing our functions and to comply with our privacy obligations; and
- set out RACGP’s obligations in relation to responding to complaints about potential privacy breaches.
The RACGP is committed to protecting the privacy of the Personal Information we collect and receive. We have a strong commitment to maintaining the security and integrity of Personal Information within our care.
The RACGP takes active steps to comply with applicable legislative obligations relevant to privacy.
2. Application
This policy applies to all employees, contractors, volunteers and Members of the RACGP and any member of the public who provides information.
3. Types of Information held by the RACGP
The RACGP will hold a variety of types of Personal Information about its Members, volunteers, employees and contractors and in some cases the general public. Information which the RACGP may routinely gather as part of its normal operations includes for example:
- People’s names, addresses, birthdates and gender;
- Areas of specific interest and Faculty membership;
- Membership category and services accessed, provided and offered;
- Employee salaries, super contributions, personnel records and performance information;
- Business prices, quotes, invoices and contracts; and
- Member exam results.
3.1 Personal Information
Personal Information is information or an opinion whether true or not, about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.
For example, a person’s home address, their telephone number, their exam results or their Medicare Card number will be Personal Information.
3.2 Sensitive Information
Sensitive Information is a type of Personal Information. Sensitive Information includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric information.
For example, a person’s self-identification as Aboriginal, a person’s status as a member of the Australian Medical Association, a person’s status as an atheist or a person’s conviction for theft will all be Sensitive Information.
3.3 Health Information
Health Information is a type of Sensitive Information. Health Information includes health and genetic information about a person.
For example, an employee’s medical certificate for a day of sick leave, or a record of a person suffering a workplace injury will be Health Information.
4. The Purposes for which the RACGP collects, holds, uses and discloses Personal Information
The RACGP collects, holds, uses and discloses Personal Information as a result of carrying out its normal operations consistent with the purposes and functions under its Constitution as reasonably necessary. These purposes and functions include for example:
- operational functions related to the services provided to members such as admission, administration, disciplinary functions and technical support;
- matters related to collegiality such as participation in peer groups, specific interest networks, Faculties, events and activities;
- purposes described in the Objects of the RACGP in Clause 2 of the Constitution;
- educational functions to do with training, assessment and examinations, professional development, faculty operations and quality standards;
- RACGP governance such as board secretariat, compliance, audit and policy; and
- business as usual corporate functions such as finance, contracting, media and communications, marketing campaigns, publications, research, innovation, events management, IT, advisory functions, website maintenance and improvement and advocacy.
5. The Kind of Personal Information we Collect and Hold
The kind of Personal Information we collect and hold about individuals depends on the circumstances of collection and the nature of the dealings with the RACGP.
For example, if a person:
- is an RACGP member, we collect information including name, address, contact number, gender, date of birth, email address and other information related to membership and participation within the RACGP, for example membership of a specific interest network;
- applies for an RACGP educational program or Fellowship pathway, we collect demographics, qualifications, training to date, eligibility to work in Australia, past and current employment and other information relevant to administration of the program;
- works for the RACGP, we collect contracting details including your Australian Business Number, tax file number and superannuation details where relevant and other information related to your engagement;
- applies for a job in the RACGP, we collect the information included in an application for employment, including a cover letter, resume, contact details and referee reports; or
- is a member of the general public who contacts the RACGP who elects not to rely on anonymity or pseudonymity, we may collect contact address details, usually including but not limited to email addresses and phone numbers and details about the reason for the contact. If a website visitor fills out a form, then other details may also be collected depending on the form.
In all cases where we collect Personal Information, we seek to keep it updated and accurate.
5.1 Sensitive Information
The RACGP’s policy is only to collect Sensitive Information where it is reasonably necessary for our functions or activities and either:
- the individual has consented; or
- we are required or authorised by or under law to do so.
For example, we may collect:
- information about an individual’s membership of other professional associations;
- information about dietary requirements or mobility needs when we conduct examinations or events such as conferences and seminars; or
- information about medical conditions in the context of exams, as part of a special consideration application or so that we can implement special exam arrangements.
6. How we Collect and Hold Personal Information
6.1 Methods of collection
The RACGP only collects Personal Information by lawful and fair means. If it is reasonable and practicable, we will collect Personal Information we require directly from the individual.
The RACGP collects Personal Information in a number of standard ways, including:
- by email or other electronic means such as websites, cookies, mobile applications or other electronic systems;
- over the telephone including recordings;
- through written correspondence including letters, faxes, hard copy emails, applications, registration and other forms, examinations, and surveys;
- in person;
- through surveillance cameras in our premises;
- from third parties, including:
- Regional Training Organisations and other educational providers and contractors that assist us in running our educational programs (including organising and conducting assessments);
- Past and current employers, medical educators and supervisors;
- Australian Government Authorities such as the Commonwealth Department of Health, Medicare, ASIC and the ATO;
- Professional associations such as the Medical Board of Australia (MBA);
- Overseas registering authorities including Medical Council of New Zealand and the General Medical Council of the UK;
- insurers in relation to professional indemnity insurance;
- public sources, such as telephone directories, membership lists of business, professional and trade associations, public websites, ASIC searches, bankruptcy searches and searches of court registries;
- indirectly, through social media sites like Facebook, Twitter, Google and others (to whom you have provided consent); and
- RFID technology. Radio Frequency Identification (RFID) technology generally consists of a transponder which transmits data and a reader which collects that data. RFID technology assembles this data to provide information on user travel within an event.
6.2 Collection notices
Where the RACGP collects Personal Information directly from an individual, the RACGP’s policy is to take reasonable steps to notify them, including:
- our identity and how to contact us;
- the purposes for which we are collecting the information;
- whether the collection is required or authorised by law or a court or tribunal order;
- the third parties (or types of third parties) to whom we would normally disclose information of that kind;
- whether any information will be held or accessed overseas and, if practicable to specify, the countries; and
- the fact that this Privacy Policy contains information about how to access and correct Personal Information and make privacy complaints (and how we will deal with those complaints).
We do this at or before the time of collection, or as soon as practicable afterwards.
The RACGP will generally include these matters in a collection notice. For example, where Personal Information is collected on a paper or website form, we will generally include a collection notice, or a clear link to it, on the form.
Collection notices may provide more specific information than this Privacy Policy in relation to particular collection of Personal Information. The terms of this Privacy Policy are subject to any specific provisions contained in collection notices and in the terms and conditions of particular offers, products and services. We encourage you to read those provisions carefully.
Where the RACGP collects information about an individual from a third party, our policy is to take reasonable steps to make sure that the individual is made aware of the collection details listed above and, if unaware that we have collected the information, of the fact and circumstances of the collection.
6.3 Unsolicited Personal Information
Unsolicited Personal Information is Personal Information the RACGP receives that we have taken no active steps to collect (such as an employment application sent to us by an individual on their own initiative, rather than in response to a job advertisement).
Unless the unsolicited Personal Information is reasonably necessary for one or more of our functions or activities, the RACGP’s approach is to destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
7. Use and Disclosure of Personal Information
7.1 Use of Personal Information
Personal Information is kept until we are no longer legally obliged to keep it, or when the need for the Personal Information has passed (at which point it will be destroyed, deleted or de-identified). Our purpose for collecting Personal Information will to a degree depend on the interaction with us.
For example, for Members, our primary purposes for collection are to administer and provide Members with the full benefits of membership, to provide services, to send related information, or as a record of confirmation of attainment of academic qualifications, and to advocate on behalf of general practice as a profession. For other individuals, Personal Information may be collected to respond to enquiries or comply with other legal obligations.
Other than in limited circumstances that are prescribed by law, we will not use an individual’s Personal Information without consent. Permitted exceptions include where we are legally required to disclose, or to protect the personal safety of any individual or the public.
7.2 Use of Website Information
We routinely collect Personal Information and other information from visitors to our website through the use of cookies, identifiers for mobile devices and other electronic means. This information is used to improve website functionality, provide better services to members and the public and to inform marketing campaigns related to our core functions described in clause 4. The RACGP website utilises Google Analytics, which stores the RACGP identifier for authenticated users, along with the RACGP website addresses visited, where a website visitor has consented to their information being collected due to their having an existing Google account. Upon entry to the site, visitors can change the settings to opt in or out of data collection and analysis.
This link will provide you with more information about how Google uses data when you use our partners’ sites or apps.
7.3 Disclosure of Personal Information to Third Parties
Under the RACGP’s policy, Personal Information will not be disclosed without consent, other than in certain limited circumstances. Those circumstances include where the disclosure is required or authorised under a legal obligation or where the individual might reasonably expect disclosure. It may therefore be necessary to disclose Personal Information to bodies such as the Commonwealth Department of Health, Medicare, ASIC and the ATO, or other bodies to enable the RACGP to carry out its functions.
In the case of contracted service providers, the RACGP may disclose Personal Information to the service provider and the service provider may in turn provide us with Personal Information collected from an individual in the course of providing the contracted products or services.
We will not ordinarily disclose Personal Information to anyone outside of Australia. Where the RACGP is permitted to disclose Personal Information to an overseas organisation, it will take all reasonable steps to ensure that organisation complies with the Australian Privacy Principles under the Privacy Act 1988 (C’th). The RACGP will also advise any individual of the countries where the Personal Information is to be disclosed if practicable.
8. Direct Marketing
To receive direct marketing, people choose to “opt in”, which provides consent to use their information. Where we have consent, the RACGP may use Personal Information it has collected to send direct marketing from the RACGP. For example, where the RACGP has consent, we may send individuals information about RACGP products and services, competitions and promotions and offers relating to the products and services of other organisations.
Unless an individual has given us consent, we will not provide, rent or sell information to other organisations so that they can direct market.
8.1 Communication of Consent
An individual may communicate consent or withdrawal of a previous consent to the RACGP’s use of their Personal Information for direct marketing in writing, verbally or electronically. The RACGP will clearly identify when an individual is choosing to consent or withdraw consent to receive direct marketing.
9. Data Quality and Security
The RACGP stores Personal Information in a number of ways, including in electronic databases and contact lists, and in paper files held in secure drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.
The RACGP’s policy is to take reasonable steps to:
- make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete and, in the case of use and disclosure, relevant;
- protect the Personal Information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure; and
- destroy or de-identify information that is no longer required.
An individual can also help us keep information up to date by letting us know about any changes to Personal Information, such as email address or phone number. The steps we take to secure the Personal Information we hold include ICT security (such as endpoint detection and response, anti-virus software, event monitoring, encryption, firewalls, authentication and authorisation controls), secure office access, personnel security and training and workplace policies.
10. Access and Correction of Personal Information
An individual has a right to request access to the Personal Information that the RACGP holds about them and also to request its correction.
Some information may be directly accessed and amended through the RACGP website. For any Personal Information that cannot be accessed and corrected through the website, the Privacy Officer can be contacted at privacy@racgp.org.au to access or correct the Personal Information that we hold. We may ask to verify an individual’s identity before processing any access or correction requests to ensure that the Personal Information we hold is properly protected.
The RACGP will provide access to Personal Information subject to some exceptions permitted by law, including protecting others’ privacy. We may provide access in the manner requested provided it is reasonable and practicable for us to do so. We may however charge a fee to cover our reasonable costs of locating the information and providing it.
In the case of RACGP employees, the employee must make a written request for access to HR. Employees may take notes from or photocopy material in their personnel file but must not remove any documents permanently.
If an individual asks the RACGP to correct Personal Information that we hold about them, or if we believe the Personal Information we hold is inaccurate, irrelevant or misleading, we will take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
If the RACGP corrects Personal Information about an individual, and we have previously disclosed that information to another agency or organisation that is subject to the Privacy Act 1988 (C’th), the individual may ask us to notify that other entity. If so, the RACGP’s policy is to take reasonable steps to do so, unless this would be impracticable or unlawful.
Except in the case of more complicated requests, the RACGP will endeavour to respond to access and correction requests within 30 days.
If the RACGP refuses an access or correction request, or if we refuse to give access in the manner requested, we will provide an individual with a written notice setting out:
- the reasons for our refusal (except to the extent that it would be unreasonable to do so); and
- available complaint mechanisms.
In addition, if we refuse to correct Personal Information in the manner requested, an individual may ask us to include in the information a statement that the individual considers the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
11. Complaints
For complaints about how the RACGP has collected or handled Personal Information, please contact the Privacy Officer (details below).
Our Privacy Officer will endeavour in the first instance to deal with the complaint and take any steps necessary to resolve the matter within 10 working days.
If the complaint can't be resolved at the first instance, we will ask the individual to email privacy@racgp.org.au and provide details of the date, time and circumstances of the matter that is being complained about, how you believe privacy has been interfered with and how you would like your complaint resolved (Complaint).
We will endeavour to acknowledge receipt of the Complaint within five business days of receiving it and to complete our investigation into the complaint in a timely manner. This may include, for example, gathering the facts, locating and reviewing relevant documents and speaking to relevant individuals.
In most cases, we expect that complaints will be investigated and a response provided within 30 days of receipt of the Complaint. If the matter is more complex and our investigation may take longer, we will write and let you know, including letting you know when we expect to provide our response.
Our response will set out:
- the Privacy Officer's findings; and
- what action, if any, the RACGP will take to rectify the situation.
If an individual is unhappy with our response, a complaint can be made to the Office of the Australian Information Commissioner.
12. Retention of Personal Information
All Personal Information that has been collected by the RACGP will be kept for the time that is relevant to the purpose for which the Personal Information is to be used and for as long as required by applicable law.
When the Personal Information that we collect is no longer required, we destroy, delete or de-identify it in a secure manner.
In the case of RACGP job applicants, all job applications and interview notes are retained for a period of six months after which they are securely destroyed. If an applicant consents, the RACGP may retain applications and interview notes for a longer period for consideration of further positions.
13. Further information
Please contact the RACGP for any queries about the Personal Information that we hold or the way we handle that Personal Information. Our contact details for privacy queries and complaints are set out below.
For queries about the application or interpretation of this Policy or the APPs more generally, or if you are unsure as to whether particular information can be disclosed, please contact the RACGP’s Privacy Officer.
Privacy Officer
RACGP
100 Wellington Parade
East Melbourne VIC 3002
Australia
E: privacy@racgp.org.au
P: + 61 3 8699 0300
This policy is also available on the RACGP website at www.racgp.org.au.
14. Amendment of This Policy
From time to time, our policies are reviewed and may be revised. We reserve the right to update or amend this Policy at any time. We will give notice of any changes by posting an updated version of the Policy on our website. The amended statement will be effective on and from its uploading.
The Manager, Risk and Compliance may, without the consent of the CEO, make Minor Amendments to this policy at any time.
If the Manager, Risk and Compliance makes Minor Amendments, he/she must advise the CEO of those amendments as soon as practicable.
The CEO may make amendments at any time.
15. Responsibilities
| CEO | Responsible for approval of policy and amendments |
| Manager, Risk and Compliance | Responsible for implementing this policy and making Minor Amendments. |
| Members | Must comply with the policy |
16. Glossary
| Major Amendment | An amendment which materially changes the operation of the policy which is not otherwise a Minor Amendment. |
| Member | means a member under clause 110(a)(xx) of the Constitution. |
| Minor Amendment | An amendment to style, to correct grammatical mistakes, to change overall formatting, to make updates which do not materially change meaning, or any other amendment, which in the opinion of the xx, does not materially alter the operation of the policy. |
| Personal Information | Personal Information is information or an opinion whether true or not, about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. |
17. Related Documents, Legislation and Policies
Privacy Act 1988 (C’th)
Spam Act 2003 (C’th)
Do Not Call Register Act 2006 (C’th)
General Data Protection Regulation ((EU) 2016/679)
Compliance
This policy complies with all relevant legislation, in particular:
- Privacy Act 1988 (C’th);
- Spam Act 2003 (C’th);
- Do Not Call Register Act 2006 (C’th); and
- General Data Protection Regulation ((EU) 2016/679).
Guidance
Guidance may be issued by the Chief Operating Officer regarding compliance with this policy.
18. Policy Review and Currency
This policy is to be reviewed:
- No later than 2 years from the last approval date; or
- Following any significant legislative change that affects this policy; or
- Within 6 months following any significant operational or policy change decided by the CEO.
Version History
Release notice

| Version | Date of effect | Amendment details | Amended by |
|---|---|---|---|
| 1.0 | | Initial release | |
| 1.2 | 1 Feb 2022 | Amendments to cater for Google analytics on the RACGP website. | |

Record no.:
Policy owner: Chief Operating Officer
Approved by: CEO
Approved on: 31 Jan 2022
Next Review Due: Feb 2024