Our Privacy Policy

Privacy & Information Governance Policy

WHĀNAU TAHI LIMITED (WTL) PRIVACY & INFORMATION GOVERNANCE POLICY

1       Purpose of this document

1.1        Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.

1.2        Through the provisions in this policy, Whānau Tahi Limited (WTL) ensures that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

1.3        WTL is committed to protecting the privacy of individuals that are involved in, or the subject of, services we provide. This policy outlines the types of personal information we collect and the specific processes and procedures that are in place to protect this information in line with the principles and legislative requirements of the geographical areas we operate in:

·       New Zealand: NZ Privacy Act (1993) and NZ Health Information Privacy Code (1994).

·       Australia: Australian Privacy Principles as per Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), Privacy Act 1988 (Cth).

·       Singapore: Personal Data Protection Act 2012 (PDPA).

·       United Kingdom: Data Protection Act 1998 and Freedom of Information Act 2000.

1.4        In this document the words “WTL”, “We”, “us” and “our” refer to Whānau Tahi Limited and all its subsidiaries.

2       Information Governance Principles

2.1        WTL recognises the need for an appropriate balance between openness and confidentiality in the management and use of information. WTL supports the principles of corporate governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.

2.2        With regards to patient information, WTL acts as an agent (aka data processor) on behalf of our customers. In this context we support our customers to enable them to share patient information with other health organisations and other agencies in a controlled manner consistent with the appropriate legislation, the interests of the patient and, in some circumstances, the public interest.

2.3        We recognise 4 key interlinked strands to the information governance policy:

·       Openness

·       Privacy, Confidentiality and Legal compliance

·       Information security

·       Quality assurance

2.4        We have established an Information Governance Group as part of the Senior Management Team, which approves and defines policy in respect of Information Governance and Privacy, taking into account legal and health sector requirements across the geographical jurisdictions we operate in. The IG Group is also responsible for ensuring that sufficient resources are available to support the requirements of the policy.

2.5        We have appointed a Privacy Officer within our organisation whose duty it is to ensure this privacy policy is appropriately implemented and reviewed regularly to ensure it continues to meet expectations of the relevant legislation. The Privacy Officer also has the ability to escalate privacy and security measures to the WTL Executive Team and Board for due consideration.

2.6        A designated Information Governance Lead for each subsidiary (e.g. WTL Australia, WTL Singapore, WTL UK) is responsible for overseeing day-to-day Information Governance issues; maintaining policies, standards, procedures and guidance; coordinating Information Governance activities; raising staff awareness of Information Governance; and ensuring that there is ongoing compliance with the policy and its supporting standards and guidelines.

2.7        All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis. To support this, we have put in place a Staff Information Confidentiality and Security Policy that lists specific responsibilities for all staff. This policy is regularly reviewed, and new versions are reviewed and accepted by all WTL staff and contractors.

3       Our commitment to Openness

3.1        Non-confidential information about WTL and its services will be made available to the public through a variety of media, including a public Internet website.

3.2        Queries from the public about WTL and our services can be submitted via our Internet website, email or our phone. Any questions will be routed to the appropriate department and we will aim to respond to such queries in less than 5 working days.

3.3        If an organisation, agency, media or member of the public approaches us with a query about patient information we will refer the requestor on to the relevant contact point in the relevant Customers’ organisation on whose behalf we hold/process this information. Please refer to section 9.3 for more details.

4       Our commitment to protecting privacy

4.1        As an active participant in the health care services sector in various countries, we understand the importance of ensuring that personal information is appropriately managed and protected in line with the relevant laws, regulations and policies.

4.2        WTL regards all person-identifiable information, including that relating to staff and patients, as confidential.

4.3        We design, develop, implement, host and support health information systems that are used by our Customers to collect, manage, and share health information of individuals who are under their care. In this context our Customer is the formal holder (aka data controller) of the patient/personal information that is collected and managed in their instance of the CCMS system, while we act as an Agent on behalf of our Customer to assist with the technical and operational management of the system.

4.4        We will implement reasonable levels of controls and system security measures to ensure that the privacy of individuals whose information we collect and manage in the process of conducting our business is protected.

4.5        We will also provide our Customers with a set of services and system options that can assist our Customers with establishing reasonable levels of control to protect the privacy of individuals under their care and whose information is managed through the systems we provide and manage as their Agent.

5       Our Customers’ commitment to protecting privacy

5.1        Our Customers are organisations that contract with us for our services; they may be a health care provider themselves or represent a collective of healthcare service providers that use our systems and services to manage information about the people who are under their care.

5.2        We expect, and we will seek confirmation, that our Customers understand their privacy and security obligations as holders of the information contained in the systems we operate as their Agent, including the establishment of an appropriate data governance structure and a set of security and privacy policies and procedures in line with the laws and regulations of the geography they operate in.

6       Personal Information about staff

6.1        We receive information from prospective employees and agencies to support the recruitment process. This information will be used for the purpose of the recruitment function. We may hold some names and CVs for future recruitment initiatives.

6.2        We collect and hold staff information to support regular HR and Payroll functions. This information is collected directly from (prospective) employees during the recruitment and staff induction process. Staff are asked to provide the Corporate Services team with updates if/when this information changes.

6.3        We may collect information related to the use of WTL systems and resources to support security and audit processes.

6.4        Where staff related information is collected from third parties (for example references of previous employment, criminal vetting), we will advise staff of this ahead of time.

6.5        All personally identifiable data is stored securely in password-protected systems. Files are only accessible to individuals directly involved in the HR and payroll related processes for an individual.

6.6        We will not disclose personal staff information to any third party other than what is required to fulfil our obligations in relation to HR and Payroll processes (ACC (NZ), IRD (NZ), HMRC (UK), etc.) or in exceptional circumstances such as specific authorisations under law or court/tribunal order.

6.7        We may share names and contact details of people in Customer facing roles with Customers to support daily Customer support processes. The nature and details of this contact information will be shared with the relevant staff member.

6.8        Based on current regulations, staff information, including pay information, is held for 7 years after the pay period. After this period electronic information is permanently deleted and paper files are destroyed through a secure document destruction service.

6.9        Staff can request a copy of the personal information that WTL holds in relation to their employment. Requests for this should be directed to the Corporate Services Manager.

7       Personal Information about Customers and suppliers

7.1        We may from time to time collect names and contact details of staff who work for Customer and Supplier organisations for the purpose of supporting effective communication processes. To this effect, this contact information is generally made available to all employees in our organisation. From time to time WTL may share contact information with other third parties for the sole purpose of ensuring effective communication among all parties involved in the end-to-end Customer support process.

7.2        Customer and supplier contact information is generally provided by the person or the person’s employer and we expect that the employer is advising the individual that this information is being shared.

7.3        Customer contact information is held for the duration of the support contract. After this period electronic information is permanently deleted and paper information is destroyed through a secure document destruction service.

8       Personal information collected on our Internet site

8.1        Users of our Internet site www.whanautahi.com have the ability to access general public information about our services. Internet users also have the ability to register their name and contact details to request additional information and/or demonstrations. This information is securely stored in internal email and website management systems and will only be used for the sole purpose of responding to the Internet user’s request for information.

8.2        Our Internet website logs information such as which pages are visited and which links lead to the website. Information may also be gathered from data stored locally on a browser (commonly known as "cookies"). We from time to time use third parties to collect and analyse this data for the purpose of improving the usability and effectiveness of the website. This information does not include any personally identifiable information.

9       Personally identifiable information held by WTL Customers

9.1        In the process of delivering our services, our staff may from time to time require access to personal health information that is contained in the systems we manage as an Agent on behalf of our Customers.

9.2        Our staff are instructed to only access, copy or use personally identifiable patient information where this is critical to support the activities necessary to ensure optimal operation and audit of these systems. Such information will only be shared between staff who are directly involved in the systems support process, and this information will be appropriately discarded once the system support process is completed.

9.3        Requests for access to personal information contained in the health information systems we operate as an Agent of our Customer should be submitted to the designated person in the Customer’s organisation. Where such a request is submitted to us directly, we will redirect this request to our Customer for consideration. As an Agent of our Customer, we will only provide access to personal information through the express instruction of the nominated individual(s) within the Customer organisation. This principle applies to Customer and other health care provider employees seeking access to the system, as well as individuals requesting access to, or a copy of, their own personal information.

9.4        We will retain and delete information in line with our Customers’ instructions and the Customers’ stated information retention policies. When our services finish, a copy of the information that is stored in our systems will be transferred to the Customer to ensure they can comply with relevant information retention policies.

10   Information Security

10.1     We have established a security framework that provides technical details about what technical measures we have in place to secure our systems and the technical solutions and services we make available to assist our Customers with fulfilling their privacy and security commitments.

10.2     WTL will undertake or commission annual assessments and audits of its information and IT security arrangements.

10.3     WTL will promote effective confidentiality and security practice to its staff through communication to and training of staff in relation to the Staff Confidentiality and Security Policy.

10.4     WTL will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security (refer to section 12 for details).

11          Information Quality Assurance

11.1     WTL believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of everyone in WTL to ensure and promote the quality of information processed in our systems.

11.2     WTL has established a Records Management Policy to guide the appropriate management of records held by the organisation.

12   Incidents, Complaints and Breaches Process

12.1     Any incidents related to information governance, information security and management of personal related information should be reported to info@whānautahi.com for Whānau Tahi Service Desk to ensure these issues are managed and if necessary escalated using the standard Whānau Tahi incident management process.

12.2     Information Governance Incidents that may result in a breach of an individual’s privacy will be triaged and prioritised in the same manner as Clinical Risk related incidents, i.e. Priority 1 or Priority 2 (refer to the WTL Incident Management Process for details).

Any complaints related to the management of personal related information should be directed to the WTL Chief Operating Officer.

Lewis Holden

WTL Chief Operating Officer

13 Edsel Street, Henderson

Auckland 0612

Email: lewis.holden@whanautahi.com


12.3     The WTL Chief Operating Officer will contact the person making the complaint within 10 working days of learning about the complaint or breach, and inform the complainant of the course of action that will be followed to investigate and resolve the complaint.

12.4     Complaints related to personal information contained in the health information systems we operate as an Agent of our Customer should be submitted to the designated person in the Customer’s organisation. Where such a complaint is submitted to us directly, we will redirect it to our Customer for consideration and collaborate with our Customer to investigate and address the complaint in a timely manner.

12.5     Where we become aware of a potential or actual breach of privacy, either through a third party complaint or investigations of our own, we will proactively contact our Customer(s) as soon as is practical to discuss the nature of the (potential) breach, to agree an appropriate set of activities to address the breach, and to communicate with relevant stakeholders including the individuals concerned.