This policy outlines the way the RANZCP collects, uses, stores and discloses personal information, the procedures concerning management of privacy complaints and the procedures that allow access to personal information.
2. Body of policy
The RANZCP is committed to ensuring the privacy of individuals, in accordance with privacy principles, such as the Australian Privacy Principles set out in the Australian Privacy Act 1988 and the Information Privacy Principles contained in the New Zealand Privacy Act 1993. When information is collected directly from individuals the RANZCP may provide relevant privacy information to the individual at the point of collection, in which case, such information should be read in conjunction with this policy.
Use of information collected by the RANZCP will be in accordance with privacy legislation, respect the privacy of individuals and the reputation of the RANZCP.
This policy encompasses requests for information that are explicitly considered in RANZCP privacy statements and consent to release forms as well as those which are not covered by an existing consent to release information.
All personal and health information collected by the RANZCP is dealt with in a uniform manner and every reasonable effort is made to maintain its security.
The RANZCP may collect personal and health information about Fellows, Affiliates, Trainees, International Medical Graduates, applicants for registration, previous Fellows, suppliers, conference delegates, staff and other individuals who interact with the RANZCP. This information includes name, address, phone number, and email address, and may also include other personal information and financial information. This information facilitates the provision of RANZCP services such as education and training, enables the RANZCP to procure goods and services from suppliers and generally interact with third parties, allows the RANZCP to contact individuals and others and ensures access to member only services on the RANZCP website.
Functions of the RANZCP may require the disclosure of personal information to related or joint service providers.
Wherever possible every effort will be made to inform the individual of the type of personal information held, the purpose for which information is collected, and the type of individuals and organisations to whom it is usually disclosed. Personal information will be collected for primary and secondary purposes (as referred to in this policy), and disclosed in connection with those purposes and where required or authorised by law.
The Legal Counsel will act as the RANZCP Privacy Officer, in consultation with the Chief Executive Officer. An individual may contact the Privacy Officer on telephone +61 3 9601 4984 or at email@example.com.
The RANZCP will only collect personal information from individuals when it is reasonably necessary for the activities of the RANZCP, and all such collection will be subject to this policy and any other notifications. The information collected will depend on the individual’s relationship with the RANZCP. Sensitive information will only be collected if the individual gives consent, or if it is required or authorised by law.
'Sensitive information' means information about an individual’s professional conduct matters or investigations, attributes, membership of a professional association, racial or ethnic origin or criminal record.
The RANZCP has certain obligations when collecting personal, health and sensitive information about individuals. Generally, the RANZCP is required to inform individuals of:
- the identity and contact details of the RANZCP;
- the purpose for which the RANZCP is collecting their personal or health information;
- the names and types of organisations the RANZCP usually discloses information of that kind;
- the consequences to the individual of not providing the information; and
- how the individual can access and correct the information held by the RANZCP.
The RANZCP must also make sure that we collect personal information in a fair and lawful way, and that the personal information we hold is accurate, up-to-date and secure.
When collecting personal and/or health information, the RANZCP may require individuals to give additional acknowledgements concerning the collection of such information, although the absence of additional statements does not preclude or limit the operation of this policy.
2.2 Updating personal information
The RANZCP may be requested to update, correct or delete the personal information it holds about a member at any time. The RANZCP will take reasonable steps to verify the identity of the member before granting access or making any corrections to or deletion of the information.
The RANZCP will uphold the regulatory obligations to take reasonable steps to correct personal information held when it is satisfied that it is inaccurate, out- of-date, incomplete, irrelevant or misleading for the purpose for which it is held.
2.3 Web information collection
Without limiting the means by which information is collected by the RANZCP, the usage analysis software used by the RANZCP in connection with the RANZCP website records (amongst other things):
- unique visitors and sessions;
- requested pages, downloads, search terms used, posted forms, status and errors, hits and bytes downloaded per directory, file, and file type;
- entrance pages, exit pages, click paths, click to and click from and length of session;
- domains, countries, and IP addresses; and
- browsers, platforms, and robots.
The statistics are de-identified at the time of recording. This information is used for administrative purposes, including to improve and assess services, and to monitor usage patterns in order to improve navigation and design features - helping users to get information more easily.
The RANZCP collects personal information for a number of purposes (being the primary purposes of collection), including but not limited to:
- provide membership services and benefits and maintain records;
- provide continuing professional development and education and training;
- enable planning, policy and service development, including to inform individuals of special offers or additional services provided by the RANZCP (where appropriate the individual will be provided with the option of not receiving further communication of this nature);
- monitor and investigate conduct; and to appropriately interact with government and regulatory bodies relating to the profession;
- implement and maintain quality assurance processes and systems, as well as processes and systems concerning regulatory matters, registrations, accreditation, audits, risk and claims management (including dealings with insurers);
- procure funding, donations or other support for the activities of the RANZCP;
- enable internal administration, training, assessments and reviews;
- provide or undertake any of the other activities referred to in this policy; and
- conduct or facilitate research or surveys for purposes related to the RANZCP.
Information may also be used for secondary purposes which directly relate to the primary purpose of collection or any other purpose which is authorised by the individual or which are required or authorised by law. For example, if an individual completed a form to register for the Annual Scientific Congress and the RANZCP may use the individual’s contact details for the purposes of issuing a Congress Program. All information may be shared and used by all RANZCP staff, officers, committees and sub-committees connected to RANZCP activities where access to such information is warranted, as determined by the RANZCP.
If an individual does not supply information to the RANZCP, the RANZCP may not be able to deal with them or adequately provide services, in which case, additional requirements and conditions may be notified by the RANZCP.
The RANZCP will only disclose personal information for the primary purpose for which it was collected, for a secondary purpose if it directly relates to the primary purpose or for any other lawful purpose.
The RANZCP does engage third parties to perform certain business functions. Therefore, it is sometimes necessary to disclose personal information to those suppliers.
Disclosures may also be made to other third parties, including:
- the RANZCP’s consultants, auditors, lawyers, contractors and contracted staff or others providing goods or services in connection with the activities of the RANZCP;
- RANZCP Fellows involved in relevant RANZCP activities, including supervisors and directors of training, RANZCP Boards and Committees and related societies and associations;
- entities and institutions who provide services or undertake activities in conjunction with or in association with the RANZCP;
- regulatory authorities and bodies, professional or specialist societies and associations, hospitals and health centres and relevant complaints tribunals and government departments and agencies;
- where the law requires or permits the RANZCP to do so (such as to law enforcement agencies); and
- an individual’s agent (with an individual’s authority).
Where disclosure takes place, the RANZCP seeks to ensure that personal information is handled appropriately and is documented.
When the RANZCP receives requests from commercial organisations seeking to advertise products and conferences to Fellows and Trainees, the RANZCP will assess the merit of the request.
If staff are unsure about the request in relation to this policy they should seek direction from the Executive Manager of the area that ‘holds’ the requested information. If it is a repeat request whereby it has been established that release of the information is in alignment with this policy then it is not necessary to confirm with your Executive Manager. If there is any doubt, the matter can be referred to the RANZCP’s Privacy Officer.
When access to information held by the RANZCP has been denied to a person or organisation then if practical and reasonable some suggestions or assistance may be offered to find an alternative source of information.
The RANZCP undertakes to protect personal information from unauthorised use, access, disclosure and alteration. Staff must comply with the RANZCP’s policy on the handling of personal and confidential information. IT protection systems and internal procedures are also utilised to protect the personal information held by the RANZCP. This includes the website where the RANZCP endeavours to ensure the website is secure through the use of firewalls. Personal data is maintained under strict security and is to only be accessed internally by those RANZCP employees who have permission to do so.
Information will be held until there is no longer a need or obligation to retain it, after which time it will be deleted, destroyed or de-identified.
The RANZCP seeks to maintain the accuracy of personal information. Individuals are encouraged to contact the RANZCP if the information held is incorrect or to notify the RANZCP if personal information has changed, this should be directed to Membership Services. Changes to personal details can also be made on the RANZCP website www.ranzcp.org.
The Privacy Officer may be contacted at any time by an individual to access personal information about themselves. They will be required to provide their request to access this information in writing. Access will be provided unless the request is unreasonable or the applicable privacy laws permit or require the RANZCP to decline that access. As permitted by law, a fee may be requested to cover the cost of access.
Any queries regarding an individual’s personal online information should be checked by that individual prior to any such request.
3. Particular provisions and information use
In addition to the above, the following provisions apply:
3.1 International Medical Graduate assessment
The RANZCP is involved in the assessment of international medical graduates’ training, qualifications and experience, and the Medical Board of Australia, Medical Council of New Zealand and the Australian Medical Council (AMC) discloses applicants’ personal information to the RANZCP for this purpose.
Without limiting the scope of the authorised uses, the RANZCP may need to clarify this information with external institutions or individuals, and gather additional information in order to complete the assessments. Information may also be sought from any area of the RANZCP including the New Zealand National office. As part of the specialist assessment process, the RANZCP’s recommendation(s) will be provided to the AMC and, in the case of Area of Need specialist assessments, to the relevant Medical Board or Medical Council. The RANZCP may also disclose personal information where required to do so by law.
3.2 Fellows and Trainees
The RANZCP holds personal information about Fellows and Trainees which is used to conduct RANZCP business, including for the purpose of education, training and assessment and for continuing professional development. Information may, without limitation, be disclosed to RANZCP staff, RANZCP Boards and Committees, supervisors and directors of training, external suppliers, and societies and associations of which the individual is a member. General information may be provided to members of the public if requests are made about the status of a Fellow or Trainee, or otherwise. Personal information may be disclosed where required by law.
Further information regarding the use and disclosure of personal information may be provided at the point of collection.
3.2.1 Public complaints regarding a Fellow or Trainee
These are covered in the RANZCP’s Complaints and Enquiry Handling Procedure and are usually referred to the Legal Counsel, in consultation with the Chief Executive Officer. Complainants are able to make complaints anonymously.
The RANZCP reserved the right to inform its Members when a complaint or enquiry has been received by the RANZCP referring to one of its Members unless expressly specified otherwise.
3.2.2 Communication with Fellows and Trainees by associated bodies
These requests usually involve assistance with mail-outs to Fellows or Trainees advising of a conference or specific event that may be of interest. The RANZCP will not, in the usual course, provide labels with names and addresses directly to the requester.
The RANZCP may deal with a number of mail houses with appropriate controls. The RANZCP will provide the appropriate list of names to the mail house for a 'once only use'. It will be the responsibility of the external organisation concerned to pay all costs.
3.2.3 Continuing Professional Development Program
The RANZCP receives enquiries from hospitals, day surgery units and the general public regarding the participation of individual Fellows in the RANZCP’s Continuing Professional Development (CPD) Program. Fellows who do not participate in the program, or participate but do not comply will be declared a ‘non participant’. The non-participant status of the Fellows will be communicated in response to any appropriate enquiry regarding CPD Program participation.
3.2.4 Medico Legal
The RANZCP may respond to enquiries from members of the public or legal firms requesting the name of a Fellow in a particular region or specialty who is familiar with medico-legal work.
3.2.5 Information requests from Fellows and Trainees regarding other Fellows and Trainees
Requests for the names, practice addresses and email addresses of Fellows may be provided. The RANZCP can also confirm that a person is a Fellow or a Trainee of the RANZCP. Any other information about a Fellow or Trainee will not be provided without their permission (unless required or authorised by law).
In response to a request for information the RANZCP may pursue one of two options:
a) the RANZCP may elect to contact the Fellow or Trainee and advise them that information is being requested about them and seek their express consent to release it; or
b) the RANZCP may elect to obtain the contact details of the requester and provide this to the Fellow or Trainee allowing them to contact the requester directly.
3.2.6 Providing information to RANZCP boards and committees
Records indicating examination performance, work performance and other information on individual Trainees and/or Fellows will be available to RANZCP Boards and committees and supervisors of Trainees, where such information is required for review of an individual’s performance in their work environment, in an examination, in the CPD Program or for other authorised RANZCP purposes. Subject to this policy and other RANZCP documents, this information will be treated in confidence by RANZCP Boards, committees and supervisors.
Trainee details and information about Trainee performance may also be provided to the Employer, Medical Registration Board and/or Australian Medical Council and/or New Zealand Medical Council.
3.3 External suppliers
The RANZCP discloses information to external suppliers when entering into transactions for the purpose of RANZCP business. Failure to provide this information may impede the process of transacting business. This information will be handled in accordance with the Australian Privacy Principles or New Zealand Information Privacy Principles. It will not be utilised for any other purpose and only disclosed to suppliers for the contacted purpose.
Information supplied in such circumstances is disclosed to suppliers for the contracted purpose. Failure to act in accordance with this policy and other contractual obligations may result in termination of the relationship with the RANZCP.
Some external commercial organisations provide sponsorship to the RANZCP. This does not give them the right to access RANZCP information but may mean, amongst other things, that the RANZCP is prepared to support a mail-out. This includes requests for the RANZCP to distribute research and/or surveys.
3.4 External medical organisations to which the RANZCP is required to disclose details (Australian Health Practitioners’ Registration Authority, Medical Council of New Zealand, hospitals, health departments)
The RANZCP discloses information to external organisations when required by law and for the purpose of RANZCP business. Requests from these organisations must be in writing and should be channeled to the appropriate Executive Manager.
Ad hoc reports on RANZCP activities and data will not be provided without approval of the Chief Executive Officer.
3.5 Requests from media
These are covered in the RANZCP’s Media and Communications Policy and are usually referred to the Communications Department in consultation with the Chief Executive Officer. No member of staff, unless specifically authorised to do so, can make public statements on behalf of the RANZCP to the media.
3.6 The RANZCP website and publications
Information on the RANZCP website is public and if names, photos or any identifier of a Fellow or Trainee are published then consent for this should be obtained (express or implied). This also applies to RANZCP publications.
3.7 Broadcast emails
The RANZCP, and in particular its regional offices, often receive requests to distribute information on RANZCP related activities, events, education and training, or issues perceived to be of interest to Fellows and Trainees in general or selected groups of Trainees and/or Fellows.
Any email to Fellows and Trainees must be specifically approved by the Chief Executive Officer and/or Executive Manager of the RANZCP.
In the ordinary course, broadcast emails should be sent as ‘blind copies’ i.e. with undisclosed recipients. Alternatively, and if there are no attachments to the email, it may be sent as an ‘email merge’ as this also protects the identity of recipients.
3.8 Complaints and concerns
Should an individual wish to make a complaint about a breach of privacy, the complaint should be made in writing to the Privacy Officer on +61 3 9601 4984 or at firstname.lastname@example.org.
Receipt of the complaint will be acknowledged, and the RANZCP will endeavour to deal with the complaint and provide you a response within 30 days. Some matters may require detailed investigation, and may accordingly take longer to resolve. The RANZCP will provide progress updates if this is the case, and may seek further information. The RANZCP may refuse to investigate and deal with a complaint if it is considered to be abusive, trivial; or vexatious.
If an individual is dissatisfied with the outcome of a privacy complaint after an initial decision has been made by the College, they may seek internal review of the decision. Internal review will be conducted by a different officer of the College who has not previously been involved in the complaint. If an individual is still dissatisfied with the outcome of the complaint after internal review, they are able to take the complaint to the Office of the Australian Information Commissioner (OAIC) for resolution.
Should an eligible data breach occur, the RANZCP will prepare a prescribed statement and provide a copy to the OAIC as soon as practicable and in accordance with the RANZCP Data Breach Procedure and Response Plan.
4. Monitoring, evaluation and review
This policy will be effective from its publication date.