
    Collection Management and Retention of Health Data Policy

    Policy name Collection, Management, Retention and Release of Health Data Policy
    Policy number HRP004
    Date approved 11 November 2024
    Approving body Council
    Responsible officer CEO and Provost
    Implementation officer Director of Clinical Services
    Associate Dean Research
    Next review date November 2027
    Related policies Privacy Policy
    Related forms and documents
    • Release of Confidential Information Form
    • Human Research Ethics Committee Application Form
    • Human Research Ethics Committee Terms of Reference

    1. Purpose of this policy

    The Cairnmillar Institute (“the Institute”) is required by law to protect the privacy of personal health information and research data and is committed to protecting the information it holds and uses about all individuals who provide personal information to the organisation.

    The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal. This policy applies to any personal health information and research data, the way it is collected, used, disclosed, stored and disposed of.

    2. The Acts

    The Information Privacy Act 2000 (Vic) sets out ten information privacy principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Health Privacy Principles (HPPs). These principles concern the way in which information is collected, used, disclosed, stored and disposed of.

    3. Management and Records Storage of Health Records

    3.1 The Institute provides and maintains healthcare records systems that:

    1. support the creation and maintenance of accurate healthcare records
    2. comply with security and privacy legislation and regulations
    3. support the systematic audit of clinical information and the technical operation of the healthcare record
    4. integrate multiple information systems, where they are used.

    3.2 All registered psychologists, provisional psychologists or counsellors providing psychological, counselling and psychotherapeutic services at the Institute are required to keep case notes about matters or information gained in individual, joint, or family sessions.

    3.3 The Institute collects information from the forms that are completed when attending the service, or through information provided by the general practitioner, specialist physician, person or agency referring clients to the service and the information gained in the sessions. All information collected by the Institute is stored as written case records, electronic files and/or computerised data records.

    3.4 The data collected is used to monitor quality of service delivery, contract performance, professional accountability and to provide trends in service delivery and other social indicators. The Institute may, from time to time, enter into contracts with other agencies who might specify similar accountability requirements. Our Privacy Statement also covers those contracts.

    3.5 The Institute may share de-identified data with a third party as per our various funding agreements to provide mental health services. The Institute is obliged to provide information and statistical details about the services provided under this funding agreement, through an electronic data collection system. The data collected is coded to ensure that personal details cannot be identified.

    3.6 Staff who de-identify data have undertaken specific training and remain up-to-date in important privacy concepts to minimise risks of re-identification of personal data.

    4. Use and Disclosure of Health Information

    4.1 The Institute staff members may see personal and health information in the conduct of routine business. All staff at the Institute are contracted and also bound by the Privacy Act 1988 and the Health Records Act 2001.

    4.2 The Institute has a networked computerised system that includes internet and email access. Access to the network is by password and multi-factor authentication methods. The system is regularly maintained and is protected against the data being accessed externally. Data is also protected from external access by cybersecurity controls, and cybersecurity is regularly reviewed at Cairnmillar by our IT teams. Cairnmillar staff also receive regular training in cybersecurity to reduce the chance of breaches. If a data breach were to occur, the Privacy Officers would be notified, and individuals affected would be notified as legislated.

    4.3 The Institute’s records are kept in either secured electronic storage, in locked storage, or in locked archived storage. Servers for all of the data that we store are located in Australia.

    4.4 Data will be stored for seven (7) years, or for clients who are under 18, until the client reaches the age of 25, whichever is the greater length of time. All records are destroyed by shredding or disposed of through security document destruction services.

    5. Release of Health Information

    5.1 The Director of Clinical Services is the custodian of all personal health information generated or stored on the clinic systems. The Associate Dean Research is the custodian of all personal health information generated or stored on the research systems. Any application for release of personal health information (i.e. identifiable and non-identifiable) needs to be approved by the data custodian. The details of, and purpose for, the release of personal health information need to be recorded, as do the conditions for release, including the timelines, reporting and security.

    6. Waiver Concerning Release of Health Information

    6.1 The Institute cannot use or disclose an individual's personal health information without the written consent of the individual concerned. Service providers disclose confidential health information obtained in the course of the provision of psychological and counselling services only under any one or more of the following circumstances:

    1. If there is an immediate and specified risk of harm to an identifiable person or persons that can be averted only by disclosing information
    2. The information suggests child abuse or neglect has occurred (this includes giving information about children and young people to a non-residential parent, if the other parent or the child has not given consent to access the information). In some cases the service provider is obligated under mandatory reporting legislation to report matters to their clinical supervisor
    3. Is authorised or required by law to be disclosed
    4. Where the service provider is subpoenaed by the courts.

    7. Access to and Procedures for Obtaining Health Information

    Clients of the Institute have an enforceable right of access to their health information under the Victorian Health Records Act 2001 (the Act).

    7.1 What Health Information is an Individual entitled to receive

    7.1.1 An individual has a right of access to their health information under Part 5 and Health Privacy Principle 6 (HPP 6) of the Act. This right applies when the information is held by a private sector organisation. It relates to all health information collected by the organisation on or after 1 July 2002.

    7.2 Forms of Access

    7.2.1 The Act enables an individual to request health information collected on or after 1 July 2002 in a number of ways. Access can be by way of:

    1. Inspection of the health information or, if the health information is in an electronic form, a print out of that information, and having the opportunity to take notes of its contents
    2. The provision of a copy of the health information
    3. The provision of an accurate summary, instead of a copy, if the organisation and the individual agree that a summary is appropriate; or
    4. An opportunity to view the record, and in the case of health information held by a health service provider, it may be accompanied by an explanation of the information by the health service provider.

    7.2.2 In addition, if the organisation that has received the request for an explanation is not a health service provider, it may agree to allow an explanation to be given by a suitable health service provider, but it is not legally obliged to do so under the Act.

    7.2.3 Access may also be granted in any of these ways to health information collected by the organisation before 1 July 2002, where the organisation agrees to this. In the absence of any agreement, the Act entitles the individual to receive an accurate summary of the information.

    7.2.4 In addition, Health Privacy Principle 11 (HPP 11) gives an individual a right to request that their health information be transferred from one health service provider to another. The request can be made on or after 1 July 2002. The health service provider must then consider the request under HPP 11, regardless of whether the information was originally collected by that provider before or after 1 July 2002.

    7.3 Procedure for Access to Health Information

    7.3.1 Request for Release of Confidential Personal Information forms are available from the Institute administration or the individual service provider. Information is normally released within seven working days of receipt of the signed request form.

    7.4 Management of Research Data

    7.4.1 The Institute protects the confidentiality and privacy of individuals by ensuring the security, storage and disposal of confidential data collected during the conduct of research involving human subjects.

    7.5 Relevant Legislation

    7.5.1 Confidential data, files and records must be stored securely and confidentially, in accordance with the requirements of the Records and Information Privacy Act 2002 (Vic).

    7.5.2 The Relevant Legislation for the management of research data is as follows:

    • Copyright Act 1968 (Cwlth)
    • Privacy Act 1988 (Cwlth)
    • Electronic Transactions Act 1999 (Cwlth)
    • Public Records Act 1973 (Vic)
    • Information Privacy Act 2000 (Vic)
    • Health Records Act 2001 (Vic)
    • Evidence Act 1958 (Vic) and from 01/01/2010 Evidence Act 2008 (Vic)
    • Protected Disclosure Act 2012 (Vic)
    • Statute 14.1 - Intellectual Property

    7.6 Relevant Guidelines

    8. Management of Human Resources Data Records

    9. Research Conducted in the Clinic

    8.1 The Institute must ensure that research data and records created by students, staff and honorary staff are:

    • accurate, complete, authentic and reliable
    • identifiable, retrievable and available when needed
    • secure
    • compliant with legal obligations and the rules of funding bodies.

    9.1 All clinic research data is stored in the clinic as required by the HREC and in line with NHMRC standards.