RCH logo

Policies and Procedures

Personal Information - Privacy

  • 1. Procedure statement

    The Royal Children's Hospital (RCH) is committed to protecting the privacy of patient and staff information. The hospital is required by law to protect personal information and comply with the Health Records Act 2001  and other relevant legislation relating to confidentiality and privacy. This Procedure outlines the management of personal information at the RCH to satisfy the requirements of the legislation.

    From 8th August 2020, a shared Electronic Medical Record (EMR) between RCH, the Royal Melbourne Hospital, The Royal Women’s Hospital and Peter MacCallum Cancer Centre (the Parkville Health Services) will allow the Parkville Health Services to access a patient’s record if that patient has been treated at any of the Parkville Health Services. Staff at each of the Parkville Health Services are required to adhere to their health service’s policies and /procedures regarding the collection, use, and disclosure of patient information, including this procedure. Staff must only access records contained in the EMR as required as part of their role (e.g. if involved in or supporting care and treatment of that patient). Access to the EMR is audited regularly to monitor staff compliance. The records may not be retained locally or deleted. They may not be printed, disclosed, used, or amended for reasons other than patient care and treatment and only in accordance with RCH policies and procedures.

    2. Persons affected

    All employees, contractors, honorary appointments, board members, studaents, observers and volunteers of the RCh and its Campus Partners, as well as membrs of the public and external organisations.

    3. Definition of terms

    Personal information is information or opinion about an individual who may be identified, directly or indirectly, by the material. It can be in any medium including electronic or paper records, video or audio recordings, clinical photography, x-rays, or labels on pathology samples. This definition encompasses health information, including genetic information, as defined in the Health Records Act 2001.

    HPP Health Privacy Principle

    4. Responsibility

    All RCH staff, contractors, volunteers, and students are responsible for maintaining privacy, confidentiality, and security of personal information. All staff are obligated by laws to maintain the privacy of information. Disciplinary action will be taken against staff if this Procedure has been compromised or breached.

    5. Criteria

    HPP1 - Collection

    The RCH provides all patients with a copy of `The privacy of your personal information' brochure which outlines key information about the RCH, information handling practices and how a patient can access their information.

    The RCH only collects personal health information necessary to perform our functions. Information will be collected by fair and lawful means, where possible directly from the patient themselves.

    Associated procedure: Personal Information Collection.

    HPP 2 - Use and Disclosure

    In general, information is only used and disclosed for the primary purpose for which it was collected or a directly related secondary purpose. Generally, this is for the purpose of providing care and treatment or purposes directly related. We may use or disclose information for other purposes, which are permitted under law. For example, to lessen or prevent a serious threat to public health, welfare or safety. Individual patient consent is obtained for use or disclosures for purposes that are not directly related to primary or secondary purposes.

    The RCH normally transfers information to the local or referring doctor after a patient is discharged or after an emergency or outpatient visit. In the event that patients (or guardians) do not want this information to be transferred mechanisms are in place to facilitate this request.

    Information that is de-identified, ensuring an individual's identity cannot be ascertained, is not covered by the Health Records Act 2001 and may be used and disclosed without consent.

    Associated procedure: Personal Information - Use and Disclosure

    HPP 3 - Data Quality

    The RCH takes reasonable steps to keep all current personal information it holds up-to-date, accurate and complete. The RCH relies in most instances on the patients and guardians to inform the hospital of any alterations to their information.

    HPP 4 - Data Security and Data Retention

    All reasonable measures are taken to protect personal health information within the RCH from unauthorised access, improper use, disclosure, unlawful destruction, or accidental loss. Our medical records and computer systems have controlled access and only authorised staff members can gain access.

    Information that may be needed for future care of the individual or for public health reasons will be kept securely for future retrieval.

    Associated procedures: Personal Information - Security and  Personal Information - Retention and Disposal.

    HPP 5 - Openness

    This privacy procedure and the patient privacy brochure are available to anyone who asks for further information on the RCH information handling practices.

    The RCH has a complaints process to address patient concerns relating to the care and handling of their personal information

    • Consumer Experience Liaison Officer - 9345 5676 or clo@rch.org.au. 

    HPP 6 - Access and Correction

    Patients are able to request access to their personal information held by the RCH, as set out in the Freedom of Information Act 1982. In some circumstances access may be refused and an explanation will be provided. Patients also have a right to request an amendment to incorrect information.

      HPP 7 - Identifiers

      A unique numeric identifier is allocated to each patient that attends the RCH to enable ongoing care and treatment to be provided. Royal Children's Hospital uses a seven-digit number.

      HPP 8 - Anonymity

      In general, it is impracticable for the RCH to provide healthcare to individuals anonymously.

      Associated procedure: EMR - Privacy Functionality in the EMR.

      HPP 9 - Transborder Data Flow

      The RCH will only transfer information outside Victoria in circumstances where the information will have appropriate protection; where the transfer is necessary for the provision of service to the individual; or where consent has been obtained.

      HPP 10 - Transfer or closure of the practice of a health service provider

      In the event the RCH or part thereof is sold, transferred, amalgamated or closed down, health information will be handled in accordance with Health Privacy Principle 10.

      HPP 11 - Making information available to another health service provider

      The RCH will make health information relating to an individual available to another health service provider if requested by the individual.

      Associated procedures: Personal Information - Access, Availability of Medical Records for Patient Care and  Personal Information - Use and Disclosure.

      6. Special provisions/reference documents (which may be referred to)

      • Health Records Act 2001 , `Health Privacy Principles'