The purpose of this policy is to:
Ensure that employees, contractors and volunteers of GPGC understand their obligations under applicable legislation when dealing with Personal Information;
Enable Members and others who interact with GPGC to understand what types of Personal Information we collect, and what we do with such information in performing our functions and to comply with our privacy obligations; and
Set out GPGC's obligations in relation to responding to complaints about potential privacy breaches.
GPGC is committed to protecting the privacy of the Personal Information we collect and receive. We have a strong commitment to maintaining the security and integrity of Personal Information within our care.
This policy applies to all employees, contractors, volunteers and Members of GPGC and any member of the public who provides information.
3. Types of Information held by GPGC
GPGC will hold a variety of types of Personal Information about its Members, volunteers, employees and contractors and in some cases the general public. Information which GPGC may routinely gather as part of its normal operations includes for example:
People’s names, addresses, birthdates and gender;
Location where GPGC members practise;
Areas of specific interest and languages spoken;
Membership category and services accessed;
Business quotes, invoices and contracts.
3.1 Personal Information
Personal Information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
For example, a person’s home address or their telephone number will be Personal Information.
3.2 Sensitive Information
Sensitive Information is a type of Personal Information. Sensitive Information includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric information.
For example, a person’s self-identification as Aboriginal, a person’s status as a member of the Australian Medical Association, a person’s status as an atheist or a person’s conviction for theft will all be Sensitive Information.
Cookies are small pieces of data which are sent from General Practice Gold Coast’s web browser when the website is visited. The cookie is stored on the browser’s computer as a historical identifier and is used for interactive features and remembering preferences and settings.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
4. The purposes for which the GPGC collects, holds, uses and discloses Personal Information
GPGC collects, holds, uses and discloses Personal Information as a result of carrying out its normal operations consistent with the purposes and functions under its Constitution as reasonably necessary. These purposes and functions include for example:
- operational functions related to the services provided to members such as administration and support;
- matters related to collegiality such as participation in peer groups, specific interest networks, educational events and activities;
- GPGC governance such as board secretariat, compliance, audit and policy; and
- business as usual corporate functions such as finance, contracting, media and communications, publications, research, innovation, events management, IT, advisory functions, and advocacy.
5. The kind of Personal Information we collect and hold
The kind of Personal Information we collect and hold about individuals depends on the circumstances of collection and the nature of the dealings with GPGC.
For example, if a person:
Is a GPGC member, we collect information including name, address, contact number, gender, date of birth, email address and other information related to membership and participation within GPGC, for example specific skills;
Works for GPGC, we collect contracting details including your Australian Business Number, tax file number and superannuation details where relevant and other information related to your engagement;
Applies for a job with GPGC, we collect the information included in an application for employment, including a cover letter, resume, contact details and referee reports; or
Is a member of the general public who contacts GPGC and elects not to rely on anonymity or pseudonymity, we collect contact address details, usually including but not limited to email addresses and phone numbers, and details about the reason for the contact.
In all cases where we collect Personal Information, we seek to keep it updated and accurate.
5.1 Sensitive Information
GPGC's policy is only to collect Sensitive Information where it is reasonably necessary for our functions or activities and either:
the individual has consented; or
we are required or authorised by or under law to do so.
For example, we may collect:
- information about an individual’s membership of other professional associations, such as vocational registration; and
- information about dietary requirements or mobility needs when we conduct events such as conferences and seminars.
6. How we collect and hold Personal Information
6.1 Methods of collection
GPGC only collects Personal Information by lawful and fair means. If it is reasonable and practicable, we will collect Personal Information we require directly from the individual.
GPGC collects Personal Information in a number of standard ways, including:
- by email or other electronic means such as websites and cookies;
- through written correspondence including letters, faxes, hard copy emails, applications, registration and other forms, and surveys;
- in person;
- from third parties where data sharing agreements are in place (for example the PHN)
- indirectly, through social media sites like Facebook, Twitter, Google and others (to whom you have provided consent)
6.2 Collection notices
Where the GPGC collects Personal Information directly from an individual, GPGC's policy is to take reasonable steps to notify them, including:
- our identity and how to contact us;
- the purposes for which we are collecting the information;
- the third parties (or types of third parties) to whom we would normally disclose information of that kind;
We do this at or before the time of collection, or as soon as practicable afterwards.
The GPGC will generally include these matters in a collection notice. For example, where Personal Information is collected on a paper or website form, we will generally include a collection notice, or a clear link to it, on the form.
Where the GPGC collects information about an individual from a third party, our policy is to take reasonable steps to make sure that the individual is made aware of the collection details listed above and, if unaware that we have collected the information, of the fact and circumstances of the collection.
6.3 Unsolicited Personal Information
Unsolicited Personal Information is Personal Information GPGC receives that we have taken no active steps to collect (such as an application sent to us by an individual on their own initiative, rather than in response to a job advertisement).
Unless the unsolicited Personal Information is reasonably necessary for one or more of our functions or activities, GPGC's approach is to destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
7. Use and disclosure of Personal Information
7.1 Use of Personal Information
Personal Information is kept until we are no longer legally obliged to keep it, or when the need for the Personal Information has passed (at which point it will be destroyed, deleted or de-identified). Our purpose for collecting Personal Information will to a degree depend on the interaction with us.
For example, for Members, our primary purposes for collection are to administer membership and provide Members with its full benefits, to provide services, to send related information, to keep a record of confirmation of attendance at educational events/training, and to advocate on behalf of general practice as a profession.
Other than in limited circumstances that are prescribed by law, we will not use an individual’s Personal Information without consent. Permitted exceptions include where we are legally required to disclose, or to protect the personal safety of any individual or the public.
7.2 Disclosure of Personal Information to Third Parties
Under the GPGC policy, Personal Information will not be disclosed without consent, other than in certain limited circumstances.
In the case of contracted service providers, GPGC may disclose Personal Information to the service provider and the service provider may in turn provide us with Personal Information collected from an individual in the course of providing the contracted products or services.
We will not ordinarily disclose Personal Information to anyone outside of Australia. Where GPGC is permitted to disclose Personal Information to an overseas organisation, it will take all reasonable steps to ensure that organisation complies with the Australian Privacy Principles under the Privacy Act 1988. GPGC will also advise any individual of the countries where the Personal Information is to be disclosed if practicable.
8. Direct marketing
Where we have consent, GPGC may use Personal Information it has collected for direct marketing by GPGC. For example, where the GPGC has consent, we may send individuals information about GPGC products and services, competitions and promotions and offers relating to the products and services of other organisations.
Unless an individual has given us consent, we will not provide, rent or sell information to other organisations so that they can direct market.
8.1 Communication of Consent
An individual may communicate consent or withdrawal of a previous consent to GPGC's use of their Personal Information for direct marketing in writing, verbally or electronically. GPGC will clearly identify when an individual is choosing to consent or withdraw consent to receive direct marketing.
9. Data quality and security
GPGC stores Personal Information in a number of ways, including in electronic databases and contact lists, and in paper files held in secure drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.
GPGC's policy is to take reasonable steps to:
- make sure that the Personal Information that we collect, use and disclose is accurate, up to date and complete and in the case of use and disclosure relevant;
- protect the Personal Information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure; and
- destroy or de-identify information that is no longer required.
An individual can also help us keep information up to date by letting us know about any changes to Personal Information, such as email address or phone number.
The steps we take to secure the Personal Information we hold include ICT security (such as endpoint detection response, anti-virus software, event monitoring, encryption, firewalls, authentication and authorisation controls).
10. Access and correction of Personal Information
An individual has a right to request access to the Personal Information that GPGC holds about them and also to request its correction.
Some information may be directly accessed and amended through the GPGC website. For any Personal Information that cannot be accessed and corrected through the website, admin can be contacted at email@example.com to access or correct the Personal Information that we hold. We may ask to verify an individual’s identity before processing any access or correction requests to ensure that the Personal Information we hold is properly protected.
GPGC will provide access to Personal Information subject to some exceptions permitted by law, including protecting others’ privacy. We may provide access in the manner requested provided it is reasonable and practicable for us to do so.
If an individual asks GPGC to correct Personal Information that we hold about them, or if we believe the Personal Information we hold is inaccurate, irrelevant or misleading, we will take reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
Except in the case of more complicated requests, GPGC will endeavour to respond to access and correction requests within 30 days.
For complaints about how GPGC has collected or handled Personal Information, please contact GPGC.
Our team will endeavour in the first instance to deal with the complaint and take any steps necessary to resolve the matter within 10 working days.
If the complaint can't be resolved at the first instance, we will ask the individual to email firstname.lastname@example.org and provide details of the date, time and circumstances of the matter that is being complained about, how you believe privacy has been interfered with and how you would like your complaint resolved.
We will endeavour to acknowledge receipt of the Complaint within five business days of receiving it and to complete our investigation into the complaint in a timely manner. This may include, for example, gathering the facts, locating and reviewing relevant documents and speaking to relevant individuals.
In most cases, we expect that complaints will be investigated and a response provided within 30 days of receipt of the Complaint. If the matter is more complex and our investigation may take longer, we will write and let you know, including letting you know when we expect to provide our response.
Our response will set out:
the organisation's findings; and
what action, if any, GPGC will take to rectify the situation.
If an individual is unhappy with our response, a complaint can be made to the Office of the Australian Information Commissioner.
12. Retention of Personal Information
All Personal Information that has been collected by GPGC will be kept for the time that is relevant to the purpose for which the Personal Information is to be used and for as long as required by applicable law.
When the Personal Information that we collect is no longer required, we destroy, delete or de-identify it in a secure manner.
In the case of GPGC job applicants, all job applications and interview notes are retained for a period of six months after which they are securely destroyed. If an applicant consents, GPGC may retain applications and interview notes for a longer period for consideration of further positions.
13. Further information
Please contact GPGC for any queries about the Personal Information that we hold or the way we handle that Personal Information. Our contact details for privacy queries and complaints are set out below.
For queries about the application or interpretation of this Policy or the APPs more generally, or if you are unsure as to whether particular information can be disclosed, please contact GPGC.