As a trusted provider of health and associated services to the community, Mercy Health and its constituent facilities are committed to the protection of personal (including health information) privacy and have adopted a set of privacy principles based on: 

• relevant State and Federal privacy laws; and 

• its longstanding adherence to a range of existing legal and ethical obligations regarding privacy, security and confidentiality of personal matters, including health information. 

Who Must Comply
All Staff

The principles of this policy deal with the entire ‘lifecycle’ of personal information and personal privacy. They consist of: 

• Collection
• Use & Disclosure
• Data Quality
• Data Security & Data Retention
• Openness
• Access and Correction
• Identifiers
• Anonymity
• Transborder Data Flows
• Closure or Transfer of a Facility
• Providing Written Information to another Health Service Provider
• Use of Surveillance Devices 

For detailed information refer to Appendices A and B 
All Mercy Health staff will adhere to the Privacy Procedures for all issues relating to personal privacy


Term Definition
Personal Information  This is information or an opinion (including information or an opinion forming part of a database) whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion
Health Information This consists of: 
(a) information or opinion about: 
(i) the health (whether physical, mental or psychological) or a disability (at any time) of an individual: or 
(ii) an individual’s expressed wishes about the future provisions of health services to him or her; or 
(iii) a health service provided, or to be provided to an individual that is all personal information. 
(b) Other personal information collected to provide, or in providing, a health service; 
(c) Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances 
(d) Other personal information that is genetic information about an individual in a form which is, or could be, predictive of the health (at any time) of the individual or of any of his or her descendants
Consent Consent means the voluntary agreement of the individual (or the authorised representative of that individual where the individual lacks the capacity to the consent) concerning a proposed action. Consent can be either express or implied. Express consent means consent provided explicitly, either verbally or in writing. Implied consent arises where the consent may be reasonably inferred from the action or inaction of the individual
Primary Purpose This is the main reason the individual would expect their information to be used. For Mercy Health patients the primary purpose is the provision of relevant care and treatment of their presenting problem(s). For Mercy Health Foundation (hereinafter referred to as ‘the Foundation’) clients the primary purpose is the provision of information concerning the Foundation and other Mercy Health entities
Secondary Purpose A secondary purpose is the use of information that may or may not be apparent to the individual at the time the information was collected. Some secondary purposes are directly linked to the primary purpose whereas others are not. An example of a directly linked secondary purpose relevant to Mercy Health and Mercy Health Foundation is the use or disclosure of information for billing purposes.
Use “Use” means use within the organisation. An example is sharing information between members of the Mercy Health team that need to use the information for the purpose of treating the patient. For Mercy Health Foundation this may be the need to use the information for the purpose of issuing a newsletter
Disclosure “Disclosure” means provision of information to external bodies, persons or organisations . In the case of the Foundation, this would only occur if an external service was contracted to provide services to the Foundation; in such an event the employees of this external organisation would be subject to the same privacy requirements as all Mercy Health employees and volunteers
Employer “Employer” means a person, unincorporated body or firm
Washroom This includes a room fitted with bathing or showering facilities
Workplace This means any place where workers perform work

Key Legislation, Acts, Standards & References
• Information Privacy Act (Vic) 2000
• Health Records Act (Vic) 201
• Health Records Regulations (Vic) 2002
• Privacy Amendment (Private Sector) Act (Cth) 2000
• Surveillance Devices (Workplace Privacy) Act 2006
• Child Wellbeing & Safety Act (Vic) 2005
• Children, Youth and Families Act (Vic) 2005
• Privacy Legislation Amendment (Emergencies & Disasters) Act (Cth) 2006
• Tax File Number Guidelines (Cth) 1992 

Link with Organisational Values

This policy promotes respect for the dignity of each individual through its emphasis on openness, integrity and justice in our practice. 


Links to Related Documents
• Mercy Health Privacy Procedure 

Version History / Author / Contributors

V. Date Created (MM/YYYY) Sections Changed Created/Amended by (position title)
1 June 2002   Risk Manager
2 Oct 2007 All except Policy Statement Risk Manager
2.1 Oct 2008 Replace MHAC with Mercy Health Risk Manager
2.2 Sept 2011 Included foundation examples in definitions General Manager, Quality



Appendix A

Principle 1 – Collection

How We Collect Personal Information 
Mercy Health will only collect personal information that is necessary for one or more of its legitimate functions or activities. 
Mercy Health will only collect personal information by lawful and fair means, not in an unreasonably intrusive way.
As soon as practicable, Mercy Health will provide patients and other persons in respect of whom Mercy Health collects personal information with a copy of its Privacy Brochure. That Brochure will set out a range of rights and obligations in relation to the information practices which Mercy Health undertakes or may undertake.
Where Mercy Health collects information from a third party, Mercy Health will, subject to the exceptions permitted by law, attempt to provide the Privacy Brochure (or the information contained in it) to the subject of the information.

When We Collect Information
Mercy Health will not collect personal or health information about an individual except in the 
following circumstances: 

with their consent, or
where required/permitted by law, or
to prevent or lessen a serious and imminent threat to the life or health of any individual, subject to the relevant legislative requirements, or
in defence of a legal claim, or
to provide a health service, so long as the information collected is required to be obtained by law or is collected in accordance with rules established by the bodies referred to in relevant privacy legislation;
public health and public safety research or statistical analysis, subject to the relevant legislative requirements, or
management, monitoring or funding of the health service provided, subject to the relevant legislative requirements, or
provision of health service in relation to individuals who are incapable of giving consent, subject to the relevant legislative requirements, or
collection by or on behalf of a law enforcement agency, subject to the relevant legislative requirements, or
where Mercy Health collects health information from a person (other than the patient or the patient’s treating health professional) who asks or confirms that the information is to remain confidential, Mercy Health will only record the information if it is relevant to the provision of health services to, or care of, the patient. It will also take reasonable steps to ensure that the information is accurate and not misleading. It will also take reasonable steps to record that the information was given in confidence and is to remain confidential.


Principle 2 & 3 – Use & Disclosure
Mercy Health will only use or disclose personal information (including health information) in the following circumstances:

for the primary purpose for which it was collected, or 
for a directly related secondary purpose within the reasonable expectation of the individual to whom it relates, or 
where the individual consents, or for public health/public safety research or statistical analysis subject to the relevant legislative requirements, or 
for lessening or preventing certain threats to individual health or safety or public health or safety, subject to the relevant legislative requirements, or 
for certain investigations into suspected or actual unlawful activity, subject to the relevant legislative requirements, or 
uses/disclosures that are permitted or required by law including but not limited to, notifiable neoplasms, inquiries by the Child Safety Commissioner, emergencies and disasters, genetic information; or 
use/disclosure linked to certain activities of law enforcement bodies, subject to the relevant legislative requirements (where that occurs, a note must be made of the use/disclosure), or 
communicating with the person responsible for the patient where the patient cannot give or communicate their consent, subject to the relevant legislative requirements, or 
funding, management, planning, monitoring, improvement or evaluation of health services, or training of employees or persons working with Mercy Health subject to the relevant legislative requirements, or |
such other use as permitted or required by law including relevant privacy laws and any regulation/guidelines to be introduced in the future. 

Principle 4 – Data Quality 
Mercy Health will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Principle 5 – Data Security and Data Retention
Mercy Health will take reasonable steps to protect personal and/or health information it holds from:

misuse and loss;
unauthorised access;
unauthorised modification;
unauthorised disclosure.

Mercy Health will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose, subject to relevant legal requirements regarding document retention and deletion.

Principle 6 – Openness 

This Privacy Policy will be made available to anyone who asks for it.
On request by a person, Mercy Health will take reasonable steps to let the person know, in general terms, what sort of personal and/or health information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Principle 7 – Access and Correction
(a) Access Where Mercy Health holds personal and/or health information about an individual, it will provide the individual with access to the information in a form or manner suitable to the individual’s reasonable needs. These access rights are subject to the following exemptions and exceptions recognised by law:

providing access would pose a serious risk to the life or health of any individual, subject to the relevant legislative requirements.
providing access would have an unreasonable impact upon the privacy of other individuals. the request for access is frivolous or vexatious.
the information is subject to legal privilege. providing access would reveal Mercy Health’s intentions in relation to negotiations with the individual in such a way as to prejudice those negotiations, subject to the relevant legislative requirements.
providing access would be unlawful.
denying access is required or authorised by law.
providing access would be likely to prejudice the investigation of possible unlawful activity for various investigations of improper conduct, more fully described in the relevant privacy legislation. the information was given in confidence, subject to the relevant legislative requirements.
providing access would reveal evaluative information generated within Mercy Health in connection with a commercially sensitive decision-making process.

Mercy Health will not charge for the lodgement of an application which requests access. Mercy Health may, however, render charges for providing access to personal and/or health information. Those charges will not be excessive and will be consistent with specific legal requirements regarding charges for records access.
(b) Correction
Mercy Health will take reasonable steps to correct information it holds about an individual where the individual establishes that the information is either not:

or up-to-date.

Where Mercy Health and the individual can not agree as to whether the information is in fact accurate, complete or up-to-date, Mercy Health will associate with the information a statement recording that dispute, where the individual asks for it. Mercy Health will also take such further steps as are required by the relevant privacy legislation.

Principle 8 – Identifiers
An identifier includes a number assigned by Mercy Health to an individual to identify uniquely that individual for the purposes of Mercy Health’s operations but does not include the individual’s name or an ABN (as defined in the New Tax System – Australian Business No. Act 1999).

Mercy Health will not adopt as its own identifier of an individual an identifier of an individual that has been assigned by a Commonwealth agency, an agent of an agency acting in its capacity as agent, or by a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract. Mercy Health will therefore not adopt as its own identifier a Medicare number, a Department of Veterans Affairs’ number, a Tax File number (and other forbidden identifiers).

Such forbidden identifiers may, however, be used where they are specifically permitted to be used under the relevant privacy legislation.

Mercy Health will not use, disclose or keep a record of the forbidden identifiers except in the circumstances outlined in the relevant legislation. Those circumstances are similar to the circumstances outlined in Principle 2 dealing with use/disclosure of personal information (see Principle 2).

Principle 9 – Anonymity 
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with Mercy Health.

Principle 10 – Transborder Data Flows
Mercy Health will not undertake the cross-border transfer of personal information save in the circumstances permitted under the relevant legislation. The permitted circumstances include (but are not limited) to the following situations: where the individual consents; where Mercy Health reasonably believes that the recipient of the information is subject to privacy laws that are at least as strong as those which govern Mercy Health ’s information practices; transfer is required to give effect to a contractual arrangement, subject to the relevant legislative requirements.

Principle 11 – Procedure upon closure of a facility and transfer to another health service.
Where a health facility of Mercy Health is either: sold; closed down; or otherwise transferred, (including where Mercy Health or one of its facilities is amalgamated with another organisation and the successor organisation which is the result of the amalgamation is a private sector organisation); in circumstances where the Mercy Health facility will not be providing health services in the new practice or business, Mercy Health will take the steps required by the relevant legislation to notify patients and the general public with a view to making arrangements for the retention or transfer of the relevant health information.

Principle 12 – Making written information available to another Health Service Provider upon the individual’s request/authorisation
For the purposes of this Principle, “Health Service Provider” means an organisation that provides a health service in Victoria to the extent that it provides such a service but does not include a Health Service Provider, or a class of Health Service Provider, exempted under the Health Records Act. if an individual either:

(a) asks Mercy Health to make health information it holds about the individual available to another Health Service Provider, or
(b) authorises another Health Service Provider to ask Mercy Health to make such information available to the requesting Health Service Provider,

then Mercy Health will, upon payment of a fee (which must not exceed the prescribed maximum fee and subject to the regulations, if any) and as soon as practicable, provide a copy or written summary of that health information to that other Health Service Provider