The Independent Health and Aged Care Pricing Authority (IHACPA) is committed to the protection of personal information and complies with the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs).
IHACPA is also committed to ensuring that the statistical hospital data accessed for the purposes of IHACPA’s functions under the National Health Reform Act 2011 (NHR Act) and National Health Reform Agreement are managed in a manner that is consistent with the APPs, state and territory privacy laws and health data laws. Although these laws do not strictly apply to this data in the form in which it is held by IHACPA, that data is treated with the same care as personal information held by IHACPA.
This Policy sets out:
- what information IHACPA collects
- how IHACPA collects, holds and uses personal information
- how IHACPA handles data breaches that include personal information
- how to lodge a complaint on how IHACPA has handled personal information
- how someone can access or request corrections to their personal information.
IHACPA takes all reasonable steps to ensure that it establishes and maintains internal practices, procedures and systems to ensure compliance with the APPs.
IHACPA has developed and implemented a number of supporting policies and procedures to supplement the principles outlined in the Policy. These include:
- Consultant Access to IHACPA Protected Data Rules
- Data Access and Release Policy
- Data Breach Response Plan
- Data Governance Policy
- Information Security Policy
- IT Operations Security Policy
- Privacy Impact Assessment
- Privacy Management Plan
- Procedures for handling inquiries, complaints and requests for access and amendment
- Public Interest Disclosure Policy.
This Policy applies to personal information collected by IHACPA. Where relevant, IHACPA will also apply the Policy to the Activity Based Funding Data and National Hospital Cost Data Collection data (collectively, hospital data) it collects in performing its functions, to the extent that it is practicable for IHACPA to do so.
The requirements under this Policy apply to all IHACPA employees, officers and employees of contracted service providers.
This Policy will be reviewed annually by the Executive Officer but may be reviewed more frequently if required.
What is “personal information”?
The Privacy Act defines ‘personal information’ as ‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstance. Whether an individual is ‘reasonably identifiable’ from particular information about that individual will depend on a number of matters including: the nature and extent of the information and whether it is possible for the recipient of the information to identify the individual using available resources (including other information available to that recipient).
Where it is technically possible to identify an individual from the information, but doing so is not practicable because of the cost, difficulty, practicality and likelihood of a person or entity doing so, that individual will generally be regarded as not ‘reasonably identifiable’. For example, if identifying an individual would be prohibitively expensive or resource intensive, that individual would be regarded as not reasonably identifiable.
Personal information relates only to natural persons and, in most circumstances, does not extend to deceased persons. Information about individuals provided in a business or professional capacity is still personal information and is protected by the APPs.
Types of information collected by IHACPA
IHACPA only collects personal information where the information is reasonably necessary for, or directly related to, one or more of IHACPA’s functions or activities. Examples include:
- contact details including name, address, phone number, email address, role, organisation or agency, other contact details
- educational qualifications
- employment history
- procurement records
- consultancy records
- committee membership details
- bank account details
- superannuation details
- creditor and debtor information
- recruitment records
- personnel records.
IHACPA may request or receive this personal information from:
- individuals who contact IHACPA with an enquiry
- individuals who act on behalf of a healthcare organisation and register their interest in IHACPA activities
- individuals who deal with IHACPA as part of consultation, including a reference group or as a representative of a stakeholder organisation
- individuals who share data with IHACPA on behalf of a state or territory government department or a healthcare organisation
- researchers who apply for data access and release
- IHACPA's business associates
- goods and services providers (including contractors)
- current and former employees
- applicants for employment.
This information is subject to the Privacy Act and IHACPA has an obligation to ensure that this information is managed in accordance with the Privacy Act.
IHACPA also collects a range of hospital data pursuant to its functions outlined in the NHR Act. The use of hospital data is subject to secrecy provisions contained in the NHR Act which relate to ‘protected Pricing Authority information’. The NHR Act recognises the importance of protecting patient confidentiality and imposes strict obligations on the use, disclosure and publishing of information that is likely to enable the identification of a patient (refer to section 279(2) of the NHR Act).
Hospital data contains Activity Based Funding Data and National Hospital Cost Data Collection data including demographic information, clinical information, the nature of care provided and costs.
Importantly, each patient and each hospital is assigned a unique identifier, which is used in place of the patient’s name and the hospital’s name. These unique identifiers are not available to the general public. IHACPA has implemented a range of strategies to ensure that data sets cannot be searched or combined in a way that would allow a person to determine the identity of an individual. For example, hospital data is only used or disclosed in a de-identified form.
Where small cell data is present (that is, cells in a table or aggregate that contain only a small number of records), IHACPA takes measures (such as zeroing the cell or aggregating it with others) to ensure that no identifying data is used or disclosed.
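As an added illustration of the small cell measures described above (example code written for this page, not IHACPA's own tooling): the block below applies zeroing and aggregation to a constructed table of episode counts, then checks whether published per-hospital totals would let a reader recover a suppressed cell by subtraction. The threshold of 5, the hospital and diagnosis-group identifiers, the counts, and the assumption that per-hospital totals are published alongside the table are all constructed for the example.

```python
from collections import defaultdict

# Assumed suppression threshold: cells with fewer than this many records are
# treated as "small". IHACPA does not publish its threshold; 5 is an assumption.
THRESHOLD = 5

# Constructed sample data (not real hospital data): episode counts keyed by
# (hospital_id, diagnosis_group). The identifiers are placeholders.
SAMPLE_COUNTS = {
    ("H01", "cardiology"): 42,
    ("H01", "oncology"): 3,       # small cell
    ("H01", "orthopaedics"): 17,
    ("H02", "cardiology"): 2,     # small cell
    ("H02", "oncology"): 28,
    ("H02", "orthopaedics"): 1,   # small cell
}


def has_small_cells(counts, threshold=THRESHOLD):
    """True if any cell holds between 1 and threshold-1 records (a zero is not a disclosure)."""
    return any(0 < v < threshold for v in counts.values())


def zero_small_cells(counts, threshold=THRESHOLD):
    """Zeroing: replace every small cell with 0 and leave the rest unchanged."""
    return {key: (v if v >= threshold else 0) for key, v in counts.items()}


def aggregate_small_cells(counts, threshold=THRESHOLD, pooled_key=("all", "other")):
    """Aggregation: pool every small cell into a single 'other' cell shared across
    hospitals, so that the pooled cell itself clears the threshold where possible."""
    out = defaultdict(int)
    for key, v in counts.items():
        out[key if v >= threshold else pooled_key] += v
    return dict(out)


def hospital_totals(counts):
    """Per-hospital totals, as they would appear if row totals were published."""
    totals = defaultdict(int)
    for (hospital, _group), v in counts.items():
        totals[hospital] += v
    return dict(totals)


def residual_disclosures(original, released, threshold=THRESHOLD):
    """Check a released table against published per-hospital totals.

    If a hospital has exactly one suppressed cell, a reader can recover it by
    subtracting the released cells from that hospital's total. Returns a mapping
    of (hospital, group) -> recoverable count for every such cell; an empty
    result means the release resists this particular subtraction attack.
    """
    totals = hospital_totals(original)   # assumed to be published alongside the table
    suppressed = defaultdict(list)
    for (hospital, group), v in original.items():
        if 0 < v < threshold:
            suppressed[hospital].append(group)

    recoverable = {}
    for hospital, groups in suppressed.items():
        if len(groups) != 1:
            continue   # two or more suppressed cells: only their sum is exposed
        released_sum = sum(v for (h, g), v in released.items()
                           if h == hospital and g not in groups)
        recoverable[(hospital, groups[0])] = totals[hospital] - released_sum
    return recoverable


if __name__ == "__main__":
    for name, table in (("zeroed", zero_small_cells(SAMPLE_COUNTS)),
                        ("aggregated", aggregate_small_cells(SAMPLE_COUNTS))):
        print(name, "small cells left:", has_small_cells(table),
              "recoverable via totals:", residual_disclosures(SAMPLE_COUNTS, table))
```

Both measures clear the small cells from the table itself, but on this sample either one still lets a reader recover the single suppressed H01 cell (3 records) from the published H01 total. That is the point of the residual check: zeroing or aggregating the primary cells has to be paired with protection of the marginals (withholding or rounding the totals, or pooling further) whenever a row or column contains only one suppressed cell.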
How IHACPA collects and holds personal information
IHACPA collects personal information about individuals directly from those individuals or their authorised representative. IHACPA may also collect personal information if it is required or authorised by or under an Australian law to do so.
When collecting personal information, IHACPA will inform the individual of the purpose for collecting the information, IHACPA’s need for the information, how the information will be held, the consequences for the individual if the information is not collected, and whether the collection is required or authorised by or under an Australian law.
IHACPA does not collect sensitive information about an individual unless the individual has consented and the information is reasonably necessary for, or directly related to, one or more of IHACPA’s functions.
Where IHACPA receives unsolicited personal information, IHACPA will determine whether that information could have been collected in accordance with the APPs. If IHACPA determines it could not have obtained the information in accordance with the APPs, IHACPA will consider whether it is obliged to retain that information under its record-keeping rules. If not, IHACPA will destroy the information or ensure that the information is de-identified where it is lawful and reasonable to do so.
IHACPA uses TRIM as its official electronic document and records management system for storing of its information, including personal information. TRIM is a secure environment vetted and managed by the Commonwealth Department of Health and meets the security requirements of the Australian Government.
How IHACPA may collect and use personal information
IHACPA may collect and use the personal information in order to:
- respond to enquiries and otherwise engage with stakeholders
- communicate information to an individual about any initiative offered by or associated with IHACPA, including invitations to consultation or engagement events
- provide marketing information about goods, services, events or initiatives which may be of interest
- conduct business with its business associates and contractors
- manage requests for data access and release
- manage its employment relationships and responsibilities
- engage and manage its workforce
- deliver its functions and meet its legal obligations.
For example, the NHR Act authorises IHACPA to establish committees to provide advice or assist in performing its functions. IHACPA collects and uses personal information relating to the committee members in order to establish and maintain current committee member information. Personal information contained in committee files may include contact details and terms of engagement.
If IHACPA is required to pay sitting fees to eligible committee members, IHACPA’s file will also include members’ bank account, taxation and superannuation details in order to pay those fees.
Personnel and Contractor files
IHACPA collects and uses personal information to maintain current employee information for business related purposes.
IHACPA also collects and maintains stakeholder files to keep current stakeholder information for business related purposes. The personal information held relates to contact details and employment details.
Personal information in relation to consultation
Feedback gathered from jurisdictional, stakeholder and public consultations is crucial to the success of IHACPA’s work program. IHACPA often collects consultation feedback on a variety of areas in its work program. This can be in the form of written submissions, names, contact details and details of workplaces. All submissions are published on IHACPA's website unless respondents specifically identify any sections they believe should be kept confidential due to commercial or other reasons.
In addition to the above categories, IHACPA collects and uses information about corporate entities. This may contain information relating to a person in their corporate capacity, such as details and job titles for employees of IHACPA’s business associates.
While information about individuals comprises personal information, information about corporate entities does not meet the definition of personal information under the Privacy Act. IHACPA treats such information as commercial-in-confidence if it is appropriate to do so.
Internet cookies and location information
A cookie is a small text file that a website stores on an individual's device when the user first visits it. Cookies may be used on IHACPA websites, including www.ihacpa.gov.au. When a visitor returns to a website owned by IHACPA, the cookie enables IHACPA to recognise that the browser on which the cookie is stored has returned. Cookies help IHACPA to improve its website and monitor internet traffic.
Visitors to IHACPA’s website can block cookies by activating a setting on their browser that allows the visitor to refuse the setting of all or some cookies, however, if the visitor blocks all cookies they may not be able to use the full functionality of IHACPA’s websites.
Currently IHACPA’s server makes a record of an individual’s visit and logs the following information for statistical purposes or systems administration purposes:
- server address
- top level domain name (for example .com, .gov, .au, .uk etc)
- the date and time of the visit to the site
- the pages accessed and documents downloaded
- the previous site visited
- the type of browser being used.
No attempt will be made to identify users or their browsing activities, except in the unlikely event of an investigation where a law enforcement agency may exercise a warrant to inspect the logs.
Disclosure of personal information
Ordinarily, IHACPA discloses personal information to other government agencies or organisations only for the purpose the information was collected.
Personal information may be disclosed for a secondary purpose with the individual’s consent, where the individual would reasonably expect that their information will be disclosed, or if disclosure is otherwise required or authorised by or under law.
For example, personal information will be used and/or disclosed:
- To manage new and ongoing employees’ employment such as leave applications and approvals and pay related records.
- To monitor employees’ phone and internet usage, code of conduct investigations, police checks and security clearances, while undertaking fraud or audit functions or for other purposes relevant to employer powers under the Public Service Act 1999.
- To Comcare for worker’s compensation matters and/or Comcare rehabilitation providers for rehabilitation purposes and legal advisors for workers’ compensation matters.
- To decision makers, which may include external parties such as ministers or the Chair of an IHACPA committee. Biographical information may be disclosed on IHACPA’s website or in media announcements regarding particular appointments.
- To other Commonwealth, state or territory government departments and external bodies or contracted service providers responsible for performing the functions, or assisting IHACPA to perform its functions.
- For IHACPA promotional activities.
IHACPA does not routinely send personal information overseas, but where it does so, it will ensure that it has appropriate procedures and systems in place for ensuring that the information will be handled in accordance with the APPs.
IHACPA applies the principles set out in the Australian Government Protective Security Policy Framework and Australian Government Information Security Manual with reference to IHACPA’s individual security requirements.
IHACPA will destroy or de-identify personal information if it is no longer required to perform its functions and its retention is not required under Australian law. IHACPA will also ensure that personal information is protected from misuse, interference, loss and from unauthorised access, modification or disclosure through a range of physical and electronic security measures including restricted physical access to IHACPA’s premises, security firewalls and computer user identifiers and passwords.
IHACPA has adopted a comprehensive Data Governance Policy to ensure that the personal information that it holds is protected. IHACPA’s Information Security Policy outlines how IHACPA complies with its information security obligations in respect of the handling and protection of personal information. In addition IHACPA has adopted personnel security procedures to ensure that the information IHACPA holds is protected from misuse.
IHACPA will also undertake a written Privacy Impact Assessment (PIA) for all projects that involve new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.
Privacy or data breach
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act requires IHACPA to notify individuals whose personal information is involved in a data breach that is likely to result in ‘serious harm’ to any of the individuals. Serious harm refers to serious physical, psychological, emotional, financial or reputational harm to an individual or individuals.
IHACPA has implemented a Data Breach Response Plan to manage all data breaches in accordance with the NDB.
If a suspected or known data breach occurs, all employees are required to report it to the Executive Officer and to take immediate steps to contain the breach (where applicable). The Executive Officer will immediately notify the Chief Executive Officer (CEO) of the suspected breach and will then undertake an initial assessment of its seriousness. The CEO will decide on the response required, including whether notification to the Office of the Australian Information Commissioner (OAIC) via the NDB Statement – Form (www.oaic.gov.au) is necessary.
If serious harm is likely to be caused to an individual or individuals by the data breach, IHACPA will notify the affected individuals:
- as far as practicable, immediately, that a suspected or known data breach has occurred
- that the breach involves their personal information
- of the actions being undertaken to limit or mitigate any harm caused by the breach.
IHACPA will work with the OAIC on any recommendations or directions from the Information Commissioner relating to the breach.
IHACPA will review the incident to determine the likely causes of the breach and revise its internal policies and procedures to prevent recurrence. Possible actions include updating policies and procedures relating to records management and additional staff training on privacy.
Roles and responsibilities
IHACPA is required under the Australian Government Agencies Privacy Code to appoint a Privacy Champion and Privacy Officer. The Privacy Champion provides cultural leadership and promotes the value of personal information. The Privacy Officer is the first point of contact for privacy matters within IHACPA, and is responsible for ensuring day-to-day
Privacy Champion (Executive Director, Data Analytics)
Name: Julia Hume
Postal Address: PO Box 483 Darlinghurst NSW 1300
Telephone: 02 8215 1159
Privacy Officer (Executive Officer)
Name: Olga Liavas
Title: Executive Officer
Postal Address: PO Box 483 Darlinghurst NSW 1300
Telephone: 02 8215 1129
IHACPA has established a robust compliance program to ensure that it meets its obligations to manage personal information appropriately and to comply with the APPs. IHACPA reviews how and when it collects personal information to ensure that the collection complies with the APPs.
IHACPA annually reviews its use and disclosure of personal information to ensure that it manages personal information in accordance with the APPs.