Privacy Policy – Queensland Privacy Principles

1. Policy statement

Darling Downs Health ('Darling Downs Health', 'we', 'us', 'our') is committed to ensuring processes and strategies are in place for the handling and maintenance of information it receives, in accordance with the Information Privacy Act 2009 (Qld) (IP Act) and the Queensland Privacy Principles (QPPs). These strategies include taking reasonable steps to implement practices, procedures and systems in carrying out the agency’s functions and activities.

This policy sets out how Darling Downs Health handles personal information and how we deal with enquiries or complaints from individuals about compliance with the IP Act and QPPs.

2. Scope

This policy applies to the Darling Downs Hospital and Health Board, all permanent, temporary and casual employees, and all organisations and individuals acting as their agents (including visiting medical officers, other partners, contractors, consultants, and volunteers) working within and for Darling Downs Health, and to the personal information it collects, stores, manages, uses and discloses in the provision of healthcare and related functions.

3. Purpose and intent of this policy

The IP Act and QPPs set the rules for how Queensland government agencies – including Darling Downs Health – handle personal information. These rules include a requirement, under QPP 1, that every agency have a QPP privacy policy.

• This policy explains how personal information is managed, including: the kinds of personal information collected and held, how it is collected and held, the purposes for which it is collected, held, used and disclosed, and to whom we disclose it and how
• how complaints may be made about the handling of personal information, and how Darling Downs Health will deal with the complaint.

4. Principles

4.1 How we collect your personal information

The definition of ‘personal information’ is set out in the ‘definitions’ at section 7 of this policy. Darling Downs Health collects personal information required to support the delivery of high-quality care in the provision of public sector health services.

Darling Downs Health may also collect sensitive information. The definition of ‘sensitive information’ is set out in the ‘definitions’ at section 7 of this policy. Generally, Darling Downs Health will only collect sensitive information directly from the individual it is about or with their consent, or otherwise consistently with its obligations under the IP Act.

This personal and sensitive information may be collected in different ways, including:

• Directly from individuals who access services or seek and maintain employment, for example when you:
  • make an application for services or benefits
  • visit the website (www.darlingdowns.health.qld.gov.au)
  • take part in Darling Downs Health surveys
  • fill in a form or provide information to us or our staff
  • apply for a job or contractor or volunteer position
  • attend a meeting, training, or other engagement activity hosted by Darling Downs Health, either in person or online
  • ask a question, make a complaint, or provide feedback
  • request access to, or correction of, personal information
  • are referred for services or consideration of services
• Through closed circuit television (CCTV) or other monitoring systems at our premises
• Photography or videography in the course of providing services, such as during consultations or provision of medical services
• From relatives or other authorised representatives, health service providers, or relevant government agencies
• Through third parties with whom we interact in order to provide our services
• Publicly available sources, including social media
• Personal information generated by artificial intelligence (AI) systems: we might also collect personal information by using AI systems to generate it — the kinds of personal information that may be generated by AI systems include those set out below, under the heading 'Kinds of personal information we collect'.

4.2 What kinds of personal information do we collect and hold?

The kind of personal and sensitive information collected from individuals may include:

Patients and family members

• Name and contact details
• Date of birth
• Signature
• Photographs, video, and audio recordings
• Unique identifying numbers (e.g. Medicare number)
• Medical, health, diagnostic, and treatment information including sexual health information
• Any information you provide us through correspondence, feedback, and complaints
• Legal guardian or decision-maker details and relevant court order information
• Health and personal information of patient family members relevant to patient history
• Details provided in access and correction requests
• Private health insurance information
• Any personal information required to carry out business functions

Website visitors

• Information you provide in correspondence and feedback
• Website analytics data
• Cookies about how you browse our website
• Log and usage data, such as:
  • Your IP address, browser type and operating system
  • The website you came from
  • Pages you visit
  • The time and date of your visit

Employees / prospective employees / contractors / students / volunteers

• Name and contact details such as address, email address and phone number
• Signature
• Photographs that capture your image or other personal information
• Financial or bank details
• Education history
• Cultural background, relationship status and family circumstances
• Information provided via and relating to correspondence, feedback and complaints
• Details of access and correction requests
• Occupation and employment history
• Referee reports
• Health profession registration details
• Tax file number
• Criminal history
• Recruitment information

4.3 The purposes for which we collect, hold, use and disclose personal information

Darling Downs Health uses and discloses personal and sensitive information for the purpose for which the personal information was collected.  Personal information may also be used or disclosed for secondary or alternative purposes, as permitted under the IP Act.

We collect, use and disclose your information for various purposes, including:

• Providing clinical care and services, including virtual treatment and follow-up care
• Considering applications for services or benefits
• Communicating with consumers, receiving feedback, and investigating complaints
• Conducting research to improve healthcare practices
• Undertaking community wellbeing and other surveys
• Processing requests to access other Queensland Health services’ information
• Conducting website analytics
• Arranging financial agreements to bill for services
• Carrying out business functions such as human resource management and recruitment processes
• Releasing of information to another healthcare provider, to facilitate treatment
• Liaising with family, spouse, or guardian, where formally appointed for this purpose
• Disclosure to a court or tribunal, for example responding to a complaint that has been referred to the Office of the Health Ombudsman
• Responding to a request from the Coroner’s office or meeting the legislative obligations of participating in a coronial inquiry
• Information sought by the Queensland Police Service (QPS), either under legislative provision of the Hospital and Health Boards Act 2011 (Qld), the Memorandum of Understanding between Queensland Health and QPS, or pursuant to a legal document such as a subpoena or summons
• To help us manage, develop and enhance our services, including our websites and applications
• To process donations
• To comply with our legal obligations, resolve any disputes and enforce our agreements and rights with third parties
• To consider your suitability for employment or a contractor or volunteer position and (if successful) engaging the applicant or contractor
• Administering the individual's employment or contract
• For insurance purposes.

4.4 Access and correction of personal information

Access and correction rights are contained within the Right to Information Act 2009 (RTI Act). All persons have the right to request access and corrections to their personal information, where they believe it is inaccurate, incomplete, or out of date.

Requests for access or corrections to personal information are managed by the Darling Downs Health Information Access Unit, who can be contacted by phone (07) 4616 6780 or email ddinfoaccess@health.qld.gov.au.

For more information about requests for access and correction of personal information see Your health record | Darling Downs Health.

4.5 Disclosure out of Australia

Darling Downs Health will generally disclose personal information overseas only when necessary to address a complaint or application – for example, where a complainant or applicant is overseas.  We may use online or ‘cloud’ service providers to provide services and limited personal information may be given to these service providers to enable them to authenticate users that access their services and to provide technical support.  This personal information may be stored in the ‘cloud’, which means that it may reside on a cloud service provider’s server, which may be situated outside Australia.

Where Darling Downs Health discloses personal information overseas, this will usually occur with agreement, where authorised or required by law, or otherwise consistently with the obligations under the IP Act.

4.6 Dealing with Darling Downs Health anonymously or using a pseudonym

Where practical, people can deal with Darling Downs Health anonymously or by using a pseudonym.

Complaints about services provided by Darling Downs Health can be made anonymously or by using a pseudonym but, depending on the nature of the complaint, may not be able to be actioned and / or a response provided without a person’s identity (e.g. where a complaint relates to a particular individual’s file).

4.7 Security of personal information

Darling Downs Health holds personal information securely and takes reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification or disclosure.  Darling Downs Health complies with relevant Queensland government Information Standards and security protocols to protect personal information and ensure it can be accessed by authorised staff members only.

Where permitted by the Public Records Act 2023 (Qld), Darling Downs Health will destroy or deidentify unsolicited personal information or personal information no longer required for any of its functions in accordance with the obligations under the QPPs, if it is lawful and reasonable to do so.

In the event that processes and/or systems containing personal information are compromised, Darling Downs Health will respond in accordance with its policies and procedures, relevant to the breach.

4.8 Privacy complaints

You can make a complaint about the handling of your personal information, in writing, to:

Consumer Liaison Service – consumer_liaison_DDHHS@health.qld.gov.au

For staff – darling_downs_human_resources@health.qld.gov.au

A privacy complaint can only be made on behalf of another person if they have provided the authorisation to do so, they are a minor / child and the complainant is their parent or guardian, they lack capacity and their guardian is acting on their behalf or has other legal authority to act for them.

Privacy complaints about Darling Downs Health must be made in writing, within 12 months of becoming aware of the act or practice that is alleged to constitute a breach of the IP Act. Complaints made on behalf of someone else must include the appropriate authority.

Darling Downs Health will respond to the privacy complaint within 45 business days, which can be extended by requesting a further specified period from the complainant.

4.9 Delegation

The Health Service Chief Executive is responsible for the organisation-wide oversight of this policy.

5. Supporting documents – External

• Queensland Privacy Principles

6. Related standards

• NSQHS — Standard 1 – Clinical Governance
• NSQHS — Standard 2 – Partnering with consumers
• NSQHS — Standard 6 – Communicating for safety

7. Definitions

8. References / Compliance requirements and obligations

• Information Privacy Act 2009 (Qld) QPP 1
• Hospital and Health Boards Act 2011 (Qld)
• Right to Information Act 2009 (Qld)
• Public Records Act 2023 (Qld)