Effective Date: 18 March 2014
The purpose of this Medical Oriented Personal Information Policy and its associated procedures is to specify how CEPL will treat all personal & sensitive information it receives verbally (via phone) or in writing (email, fax, mail) or face to face during the delivery of medically orientated projects or services (MOP) on behalf of our clients.
This policy specifically covers the collection, storage and use of personal information during the delivery of medical orientated projects or services (MOP Personal Information) for clients (MOP Clients) in those specific cases where client policies and procedures have not been provided to CEPL.
Upon subsequent receipt of the MOP Client’s policy and procedure, CEPL will cease using this policy and immediately commence using the MOP Client’s policy and procedure.
CEPL Personal Information Collection, Storage and Use Procedure
1. THE TYPE OF MOP INFORMATION THAT CEPL MAY COLLECT
The MOP Personal and / or sensitive Information that CEPL may collect and retain on behalf of a MOP Client could include:
- Personal identification information such as:
- Name (first, middle, surname)
- Postal or email address
- Telephone numbers
- Date of birth, age, age group,
- Occupation, employment category (e.g. patient, HCP).
- Sensitive health related information such as a medical history, medical test results, treatments and Medical opinion(s).
- Product or service related information
- Information that may be necessary in order to carry out the delivery of CEPL contracted services.
2. ANONYMITY and/or the use of a PSEUDONYM
An individual may choose to remain anonymous or choose to be identified by a pseudonym.
CEPL may not be able to interact with an individual who chooses to remain anonymous or be identified using a pseudonym.
3. POTENTIAL Consequence of not providing PERSonal information
If individuals don’t provide personal information to CEPL, CEPL may not be able to:
- provide the required service levels agreed with the Client;
- verify an individual’s identity or protect against fraud;
4. COLLECTION AND USE OF UNSOLICITED MOP PERSONAL INFORMATION
Individuals may choose to share personal information that has not been requested by CEPL during an interaction (referred to as ‘unsolicited information’).
5. INFORMED CONSENT
When CEPL receives MOP Personal Information directly from an individual, CEPL will take reasonable steps to notify the individual how and why their information has been collected; who it may be disclosed to; along with providing details regarding how the individual can access the information in the future, request a change to the information or make a complaint.
Sometimes CEPL will collect MOP Personal Information from individuals other those of which the information relates (e.g. a MOP Client’s Sales Representative or a Health Care Professional or carer). In these cases, CEPL will attempt to verify if consent has been provided before retaining the MOP Personal Information.
If CEPL cannot verify if consent has been provided or in those cases where consent has not been provided, CEPL will ensure that the MOP Personal Information is de-identified.
6. STORAGE OF MOP PERSONAL INFORMATION
CEPL stores MOP Personal Information in hard copy and in electronic format.
CEPL will take reasonable steps to protect MOP Personal Information from unauthorised access or disclosure, misuse, interference, modification or loss.
CEPL requires all staff to sign confidentiality agreements, has specific document storage security policies and employs a range of physical and electronic security systems to protect personal information.
In some cases CEPL uses third party data storage providers. In these cases CEPL requires that contractual arrangements are in place with the providers to ensure that the provider takes appropriate measures to protect that information.
What happens when we no longer need MOP Information?
CEPL only stores MOP Personal Information for as long as it is required in order to meet contractual obligations. At the conclusion of the service all MOP Personal Information is returned to the MOP Client or if requested by the client, destroyed using an accredited secure destruction service.
CEPL is required by legislation to retain some MOP Personal Information for a specified time period (e.g. Health Records Act). At the conclusion of this time period the MOP Personal Information is returned to the MOP Client or destroyed using an accredited ‘secure destruction’ service.
7. USING PERSONAL INFORMATION
Why is Personal Information collected, stored and how is used?
CEPL collects and stores MOP Personal Information as part of the service delivery requirements as set out by the MOP Client.
8. SHARING PERSONAL INFORMATION
During the course of carrying out the project, CEPL may be directed by a MOP Client to share MOP Personal Information with a third party.
If CEPL is directed by a MOP Client to share MOP Personal Information with a third party it will be de-identified unless explicit consent to share that MOP Personal Information has been obtained from the individual to whom the MOP Personal Information pertains.
Sharing MOP Personal Information with third parties
CEPL may be directed by the MOP Client to disclose MOP Personal Information to third parties including but not limited to:
- those involved in providing, managing or administering the service;
- authorised representatives of the MOP Client who manage aspects of the service on their behalf;
- medical professionals, medical facilities or health authorities who verify any health information provided;
- mailing houses and telemarketing agencies who assist the MOP Client to communicate with specific individuals;
- other organisations involved in the MOP client’s normal business practices, including our agents and contractors;
Overseas Disclosure: Sharing outside of Australia
CEPL is located in Australia and provides MOP services to clients within Australia and New Zealand. CEPL clients may have subsidiaries or affiliated businesses overseas.
CEPL may be directed by our MOP Client’s to share MOP Personal Information with organisations outside Australia.
If CEPL is required to share MOP Personal Information to the subsidiary or affiliate of our MOP Client overseas, the MOP Personal Information will be de identified before it is transmitted.
MOP Clients with overseas subsidiaries or affiliates may be required to disclose information that CEPL shares with them under a foreign law. In such instances CEPL is not responsible for disclosure.
9. ACCESSING MOP PERSONAL INFORMATION
CEPL will provide an individual with access to their MOP Personal Information upon their written request and subsequent written approval of the relevant MOP Clients.
CEPL will attempt to provide access to MOP Personal Information in the format requested by requestor.
CEPL may charge MOP Clients a retrieval fee to cover and deliver such MOP Personal Information.
CEPL’s MOP Clients are not always required to provide access to personal information.
MOP Clients may not provide access to MOP Personal Information when:
- there is perceived threat to life or public safety
- access would be deemed unlawful
- the information wouldn’t be ordinarily accessible because of legal proceedings
- there is an unreasonable impact on other individuals
- it would be likely to harm the activities of an enforcement body (e.g. the police)
- the request is frivolous or
- it would harm the confidentiality of CEPL’s commercial information.
10. CORRECTING MOP PERSONAL INFORMATION
If an individual has been involved in a MOP project and believes that the stored MOP Personal Information is incorrect, CEPL will only attempt to correct the MOP Personal Information if it is deemed inaccurate; out of date; incomplete; irrelevant; or misleading.
If an individual is concerned that CEPL has provided incorrect MOP Personal Information to another party, CEPL will advise the party to make the correction.
When CEPL corrects MOP Personal Information
If CEPL is able to amend the information, CEPL will advise the individual in writing within five business days. At the MOP Client’s request, we’ll also let the relevant third parties know as well as any others. If there are any instances where we can’t do this, then we’ll let the MOP client know in writing.
If CEPL can’t correct MOP Personal Information
If we’re unable to correct the information, we’ll explain why in writing within five business days. If the individual has any concerns, they can make a complaint to the Office of the Australian Information Commissioner.
Time frame for correcting MOP Personal Information
If CEPL can correct information, it will be completed within 30 days from the date of request, or a longer period that’s been agreed between our MOP client and the individual.
If CEPL can’t make corrections within a 30 day time frame or the agreed time frame, CEPL must:
- let the client /individual know about the delay, the reasons for it and when we expect to resolve the matter;
- ask the client to agree in writing to give us more time; and
- let the client/ individual know that a complaint can be made to the Office of the Australian Information Commissioner.
11. RESOLVING PRIVACY ISSUES
If there is a complaint about how CEPL handles personal information, we want to hear about it. Clients are always welcome to contact us.
Call us: 03 9251 0777
We are committed to resolving complaints and doing the right thing by our clients and their customers. MOP complaints should be resolved within five business days.
The next step is to contact our Privacy Officer.
Send an email: [email protected]
Write to us at:
Commercial Eyes Pty Ltd
Level 11, 500 Collins St.
Melbourne, Victoria, 3000
Need more help?
If individuals still feel any issue relating to their personal information hasn’t been resolved to their satisfaction, then they can raise their concern with the Office of the Australian Information Commissioner: