NAVIGATING THIS POLICY

Capitalised phrases in this Policy are defined at the end of the Policy.

PURPOSE

1.     This Privacy Policy sets the framework for HWI Personnel to comply with, and explains to people whose Personal Information is or may be held by HWI how HWI manages its Privacy Obligations.

SCOPE

2.     The Policy applies to: 

(a)   all HWI Personnel in their dealings with Personal Information in connection with their employment or engagement with HWI; and

(b)   any person who deals with HWI and, in the course of those dealings, HWI Handles their Personal Information.

TYPES OF INFORMATION COLLECTED AND HELD BY HWI

3.     HWI Handles a broad range of Personal Information. An overview of the situations leading to collection or receipt, and types of information and the primary purposes involved, are described below:

4.     HWI does not generally collect Sensitive Information but may receive this type of information from HWI Personnel (e.g. in the form of a medical certification, or medical declaration as to health needs), or volunteered by a person.

5.     If HWI receives or collects Personal Information as part of a dataset:

(a)   It takes the industry standard approach to de-identification (i.e. removing names, dates of birth, specific contact details, etc.); and

(b)   If a person remains identifiable after the standard de-identification process (e.g. there is only one practitioner of a certain type within a region), will not publish or make publicly available the information in a way that means they are identifiable, unless they have provided their consent.

6.     Conditions or commercial contracts relating to data Handling are complied with, e.g. specific requirements as to collection, de-identification, storage and disposal. 

7.     HWI does not collect financial information other than HWI Personnel and creditor bank details, for the purposes of making payments to HWI Personnel and creditors. HWI uses third party platforms to process all payments, which are compliant with the Payment Card Industry Data Security Standard (PCI-DSS).

8.     HWI will only use Personal Information for direct marketing purposes if permitted to do so under the Privacy Act, i.e. where the marketing relates to HWI’s core services, or if HWI provides an opt-out or unsubscribe option. HWI does not direct market to people outside of Australia or New Zealand.

ANONYMOUS AND PSEUDONYMOUS DEALINGS

9.     Subject to Clause 10, people have a general the right to contact HWI anonymously or using a pseudonym. However, depending on the context (see table in Clause 3), HWI may not be able to provide the service, or respond to the complaint or enquiry if that occurs.

10.  HWI conducts data collection for commercial contracts, when the context allows, in a manner to enable anonymity and/or pseudonymity. Data is de-identified to the extent possible as described in Clause 5.

11.  HWI Personnel, creditors and debtors cannot generally remain anonymous or use pseudonyms, except if (e.g.) volunteering feedback. However, they are encouraged to identify themselves in such situations, to enable the feedback to be contextualised and for resolution to be achieved. 

COLLECTION NOTICES

12.  HWI uses a privacy notice when collecting Personal Information. This will be, depending on the context, provided in/on:

(a)   The website used to procure the service or make the enquiry or complaint; 

(b)   The event registration form; or

(c)   The survey tool or in the context of the discussion or feedback session – in the case of collecting Personal Information due to a commercial contract for services.

13.  Other collections and receipts are subject to this Privacy Policy.

COOKIES

14.  The HealthWork International websites use cookies. Cookies are very small files which a website uses to identify a user when they return to the site and to store details about use of the site. Most web browsers automatically accept cookies. 

15.  Sometimes a website user is reasonably identifiable from the information collected by the site. In those cases, HWI will include a specific notice about cookies in the privacy statement on the site and include a cookie consent as required by the GDPR. 

16.  A user can choose, at any time, to reject cookies by changing their browser settings, but this may prevent the user from taking full advantage of HWI’s websites. 

17.  HWI websites may use cookies to analyse website traffic and help HWI provide a better website visitor experience. For example, HWI uses Google Analytics to understand website user behaviour. In addition, cookies may be used to identify and provide advertisements to website visitors through third party services, such as Google Adwords and Facebook. These ads may appear on this website or other websites you visit. HWI does not share any personal information with third party providers to facilitate this marketing. Users can opt out of these types of arrangement by visiting the provider’s webpage and turning off the "Ads based on your interest" (or similar) setting. 

USE OF PERSONAL INFORMATION

18.  The primary purpose for which Personal Information is collected will be described in the collection notice specific to the collection or generally described in Clause 3 of this Privacy Policy (see Clause 3).

19.  Subject to Clause 17, HWI may use personal information for a purpose which is secondary to the one for which it was collected if: 

(a)   the person from which it was collected would reasonably expect HWI to do that; and 

(b)   the secondary purpose is related to the primary purpose. 

20.  As described in Clause 4, HWI does not normally collect Sensitive Information but, if HWI has collected this information from the person, HWI may use it for a secondary purpose provided that secondary purpose is directly related to the primary purpose for which it was collected, or if HWI has the person’s consent. 

21.  HWI may use, or aggregate and use, information about the people to whom it provides services, or receives complaints/feedback, to enable it to improve its services or dealings with people.

WITHDRAWING CONSENT FOR USE OF PERSONAL INFORMATION

22.  People have a general right to withdraw their consent for HWI to use their Personal Information. For example, marketing and other communications include an unsubscribe option. If a specific option is not available for a given context, a person whose Personal Information is held by HWI can contact HWI (see “Contacting HWI”, below).

DISCLOSURES

23.  HWI may need to disclose Personal Information to contractors to meet the purpose for which the Personal Information was collected. All HWI contractors comply with the Privacy Act. Personal Information will only be shared to the extent reasonably necessary to meet the purpose of the collection, with no authorisation provided by HWI for any other use or function.

24.  HWI does not generally disclose Personal Information to any individual or organisation outside Australia. If HWI transfers Personal Information to an overseas person or organisation, HWI will comply with its Privacy Obligations relating to overseas disclosures. 

25.  HWI does not use or disclose Personal Information without the person’s consent other than as outlined in this Policy or if one of the exceptions from the Privacy Act applies. E.g. if HWI is authorised or required by law to make the disclosure.

STORAGE AND SECURITY OF PERSONAL INFORMATION

26.  HWI takes all reasonable steps to keep Personal Information secure, safe and protected from misuse, interference, loss or unauthorised access. 

27.  With limited exceptions (e.g. if a contract was required to be signed in hard copy), HWI does not maintain paper records. Paper records are stored securely at its offices, each with swipe card or key access.

28.  Personal Information is generally contained in electronic records and stored on secure servers supplied by industry standard third party platforms and software, using industry standard data protection appropriate for the type of Personal Information. Some platforms may use servers located overseas (e.g. Microsoft has servers located in many countries internationally). 

29.  Access to different HWI systems, and parts of systems, is limited to HWI staff on a “need to know” basis. I.e. employee records are stored in a section of Microsoft Teams, and in Xero, which only the HWI Executive and management can access. 

30.  HWI utilises increased security requirements for Personal Information which is more sensitive or for which the consequences for the people whose Personal Information is being Handled by HWI if there was a Personal Information Breach, are greater.

ACCESS TO PERSONAL INFORMATION

31.  People have a general right to access Personal Information HWI holds about them. Access can be requested by contacting HWI (see “Contacting HWI”, below).

32.  HWI may refuse a person access to the Personal information HWI holds about them, in the limited circumstances where this is permitted under the Privacy Act. For example, if the request would pose a serious threat to that person or another person’s health, would unreasonably impact on another person, or is frivolous or vexatious.

CORRECTION OR DELETION OF PERSONAL INFORMATION

33.  HWI takes reasonable steps to ensure Personal Information held by HWI is accurate, up-to-date and complete. The exception to this is Personal Information not in use but held for audit or other record-keeping purposes, as the primary use is no longer relevant (e.g. information held in connection with a commercial contract, which has ended, but which has a specific retention period).

34.  People can request that their Personal Information held by HWI is updated or corrected by contacting the specific HWI company with which they are dealing (e.g. if receiving emails from The Allied Health Academy, contacting The Allied Health Academy at the email address on the correspondence). If, for some reason, HWI does not agree to amend a person’s Personal Information at their request, the person can request that HWI records a statement with their Personal Information to the effect that the person believes it is inaccurate, out-of-date, incomplete, irrelevant or misleading. This request will be complied with. 

35.  Depending on the context for which the Personal Information was collected or received, if a person requests that HWI deletes or pseudonymises their Personal Information, this request may or may not be able to complied with. For example, for audit purposes and due to contractual requirements, some Personal Information may need to be retained in its original form. The request will be complied with as far as possible while still complying with HWI’s other obligations.  

PERSONAL INFORMATION BREACHES

36.  HWI takes privacy seriously. If HWI Personnel become aware of a real or potential Personal Information Breach, they must immediately report the issue to the Chief Executive Officer and Chief Operating Officer.

37.  The Chief Operating Officer will then immediately (same or following work day) investigate the matter. If there has been a data breach involving Personal Information, the Chief Operating Officer will determine:

(a)   Whether there actually has been a Personal Information Breach;

(b)   Whether any Personal Information has been inappropriately accessed or disclosed; and

(c)   The nature of HWI’s Privacy Obligations in respect of any affected Personal Information,

and will, if there has been a Personal Information Breach:

(d)   Take all reasonable steps to mitigate the Personal Information Breach; and

(e)   Make recommendations to the Chief Executive Officer as to any action that should be taken to:

i.               Advise and support affected people; and

ii.              Prevent further Personal Information Breaches of the same or a similar nature.

CONTACTING HWI

38.  Email is HWI’s preferred mechanism of contact about privacy matters: 

[email protected]

but a person can also contact HWI at:

Lauren Schneider – Chief Operating Officer - 07 3067 7298

or

HealthWork International Privacy Officer

Level 8, The Annex

12 Creek Street

Brisbane QLD 4000

COMPLAINTS AND QUESTIONS

39.  If a person has a question or complaint about HealthWork International’s privacy practices, they should contact HWI (see above section). 

40.  HWI takes all aspects of privacy seriously. Feedback is welcomed. 

41.  Questions or complaints will be handled at the executive level, by the Chief Operating Officer. 

42.  Complaints will be investigated promptly and the person who makes the complaint will be kept informed of its progress, and the outcome including any action taken (subject to maintaining the privacy of HWI Personnel, as required to comply with HWI’s Privacy Obligations). 

43.  If a person who makes a complaint are not satisfied with HWI’s response or the outcome of an investigation of a privacy complaint, the person may contact the Office of the Australian Information Commissioner at www.oaic.gov.au

CONTINUOUS IMPROVEMENT

44.  HWI takes a continuous improvement approach. The Chief Operating Officer will annually review how it Handles Personal Information, and this Privacy Policy, making recommendations to the HWI Executive (which approves policies of this nature) about any changes that should be made.

DEFINITIONS

GDPR mean the European Union’s (EU) General Data Protection Regulation, which applies to HWI activities to the extent that the subjects of the Personal Data subjects are in the EU, and those activities either relate to offering goods or services to them, or to monitoring their behaviour which takes place in the EU (e.g. through cookies).

Handles means collects, receives, stores, uses and discloses;

Health Information means information or an opinion about a person’s physical or mental health or disability, or a person’s express wishes about the future provision of his or her health services or a health service provided or to be provided to a person (or any subsequent definition from the Privacy Act);

HWI means the HealthWork International Pty Ltd (ABN 67 651 761 723) and its group of related entities, all with common ownership and management, being:

·      AHP Workforce Pty Ltd (ABN 41 650 186 593)

·      Healthwork Solutions Pty Ltd (ABN 69 651 498 109)

·      Healthwork IP Pty Ltd (ABN 82 651 761 849)

·      Healthwork Mapping Pty Ltd (ABN 45 656 886 154

·      The Allied Health Academy Pty Ltd (ABN 35 661 494 113)

·      Healthwork Publishing Pty Ltd (ABN 38 656 886 501)

HWI Executive means the Chief Executive Officer, Chief Operating Officer and Chief Financial Officer of HWI;

HWI Personnel means HWI staff, board members and contractors;

Personal Data has the same meaning as that phrase in the GDPR at a given time which, at the time this Policy was written or revised, is:

any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Information is defined in section 6 of the Privacy Act, at the time this Policy was written or revised, this is:

… information or an opinion about an identified individual, or an individual who is reasonably identifiable:

 (a)  whether the information or opinion is true or not; and

 (b)  whether the information or opinion is recorded in a material form or not.

For ease of interpreting this Policy, Personal Information includes Personal Data.

Personal Information Breach means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information Handled by HWI or a contractor on HWI’s behalf.

Privacy Act means the Privacy Act 1988 (Cth), which includes the Australian Privacy Principles.

Privacy Obligations mean HWI’s obligations to appropriately handle Personal Information in accordance with the Privacy Act and, where the GDPR applies, Personal Data.

Sensitive Information has the same meaning as that phrase in the Privacy Act which, at the time this Policy was written or revised, is:

                     (a)  information or an opinion about an individual’s:

                              (i)  racial or ethnic origin; or

                             (ii)  political opinions; or

                            (iii)  membership of a political association; or

                            (iv)  religious beliefs or affiliations; or

                             (v)  philosophical beliefs; or

                            (vi)  membership of a professional or trade association; or

                           (vii)  membership of a trade union; or

                          (viii)  sexual orientation or practices; or

                            (ix)  criminal record;

                            that is also personal information; or

                     (b)  health information about an individual; or

                     (c)  genetic information about an individual that is not otherwise health information; or

(d)  biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or