We may collect personal information from you. When we do, we will:
- only collect information we need to carry out the functions of the Health Complaints Commissioner under the Health Complaints Act 2016 (Vic) and the Health Records Act 2001 (Vic)
- ensure you know why we are collecting the information and how we will use the information
- use and disclose your information only in accordance with the primary purpose or a directly related secondary purpose that you would expect. If we use the information for another purpose, we will ask your permission first (unless we are authorised by law to use the information as required)
- store your information securely and protect it from unauthorised access
- retain your information for the period authorised by the Public Records Act 1973 (Vic)
- give you access to your own information, and ensure you can request corrections to the information.
Personal and health information held by the HCC
You can access and browse our website without disclosing personal information. We will only record your email address, contact details and other personal information if you:
- send us a message or communicate with our office
- send us a complaint including these details
- make a request under the FOI Act
- register for or enquire about our education programs.
We may use de-identified personal and health information in our Annual Report and education programs.
The personal and health information we collect mostly relates to considering and, where appropriate, resolving or investigating complaints under the HCA or the HRA. We will only collect the personal and health information that is necessary to perform these functions. We will ensure any personal and health information you provide will not be disclosed, except when this is consistent with the HCA, with the provisions in the PDPA or any other law.
If you make a complaint to us, that complaint may be forwarded on to another body for appropriate action, including to the organisation that is the subject of the complaint. We may forward your complaint on as part of our investigation or complaint resolution processes, or if the law requires us to do so. If you make a complaint and do not wish your identity to be disclosed (to anyone, or to a specific person or body), you should let us know. All requests for anonymity will be considered. But note that if you ask to be anonymous, we may be unable to resolve or investigate your complaint. By law, we are required to notify the Australian Health Practitioner Regulation Agency (AHPRA) of all complaints involving registered health practitioners and to share a copy of the complaint with AHPRA.
We provide educational programs and we collect personal information as part of this process. If you register for or enquire about our education programs, your information may be provided to the individuals or organisations responsible for organising and delivering these programs.
We usually collect personal and health information from you, or from your authorised representative, to help us carry out our functions or activities under the HCA, HRA and other laws. When collecting personal and health information we take reasonable steps to advise you of the information we are seeking and how we will use it. We sometimes collect personal and health information from other people/organisations under specific provisions in the HRA and the HCA.
Our staff are legally obliged to maintain confidentiality of information gained in the course of their employment under s.90 of the HRA and ss 150 – 152 of the HCA. Staff are also subject to the Victorian Public Service Code of Conduct for special bodies.
Data quality and security
We have technology and security policies, rules and measures to protect the personal information we have under our control from unauthorised access, improper use, alteration, unlawful or accidental destruction and accidental loss.
But you should be aware that there are risks in sending information online. While we try to protect this information, we cannot ensure the security of any information sent to us online and individuals do so at their own risk. If you are concerned about sending sensitive material to us over the internet, contact us.
Access and correction
We take reasonable steps to make sure the information we hold is accurate, complete, up-to-date and relevant to our functions and activities by checking information with individuals and organisations at relevant points in the progress of a complaint, investigation or other process. We also rely on you to let us know when your contact details have changed.
We use a number of procedural, physical and hardware safeguards, together with access controls and back-up systems to protect information from misuse and loss, unauthorised access, modification and disclosure.
You have a legal right to request access or correction of your personal information held by us. Requests are handled under the FOI Act. Requests need to be in writing and should be sent to [email protected] or mailed to the FOI Officer, Health Complaints Commissioner, Level 26, 570 Bourke Street, Melbourne, Vic 3000. You need to include the relevant application fee or give evidence of hardship if you are asking for a waiver. Photocopying fees will be charged for copies of documents released.
We will not assign – or adopt from another organisation – unique identifiers for an individual, and we will not ask for unique identifiers unless it is necessary for complaint handling or required by law. Each complaint we receive is given its own record number.
Retention and destruction of personal and health infomation
We retain and destroy records according to the requirements of the Public Records Act. Destruction of personal and health information takes place by way of a secure shredding process.
Trans-border data flows
Generally, we will not send personal health information outside Victoria without obtaining your consent or as required by law. In the case of prohibition orders about non-registered practitioners, we may send information to other states and territories as part of a national mutual recognition scheme.
Complaints about us
If you are concerned about the manner in which the HCC has handled your personal health information then you can complain to the Commissioner by writing to [email protected].
If the matter is not resolved you can make a complaint about how the HCC has handled your personal information under the Privacy and Data Protection Act 2014 to Victoria's Commissioner for Privacy and Data Protection, GPO Box 5057, Melbourne 3001.