Stay informed with the latest updates on coronavirus (COVID-19). Find out more >>

Policies and Procedures

Personal information - security

  • 1. Procedure statement

    All reasonable measures must be taken to protect personal health information from unauthorised access, improper use, disclosure, unlawful destruction, or accidental loss. This procedure outlines guidelines for The Royal Children's Hospital (RCH) staff to protect personal health information and the roles and responsibilities involved in managing a data breach

    2. Persons Affected

    All persons and entities - including staff, clients and their families, visitors, members of the public and external organisations.

    3. Definition of terms

    Personal information is factual data or opinion about an individual who may be identified directly or indirectly, by the material. It can be in any medium including electronic or paper records, video or audio recordings, clinical photography, x-rays, pathology samples, etc.

    Security is the right of an individual to expect that personal information once given in confidence for approved use by third-parties, will thereafter be maintained safely against unauthorised disclosure, intrusion, modification or destruction.

    4. Responsibility

    Staff who come into contact with or have access to patient/staff/other information have a responsibility to maintain the security of that information.

    Department Heads are responsible for continuing education of staff and taking appropriate action where this procedure has been or may be breached.

    Information and Communication Technology (ICT) have policies on the issuing of email addresses, and when a person leaves the organisation ICT has an automated process in place to disable their accounts. ICT ensure that all new applications contain the capability for user access to be administered according to security requirements of the organisation, these may be different dependent upon the application.

    5. Criteria

    From 8th August 2020, a shared Electronic Medical Record (EMR) between RCH, the Royal Melbourne Hospital, The Royal Women’s Hospital and Peter MacCallum Cancer Centre (the Parkville Health Services) allows the Parkville Health Services to access a patient’s record if that patient has been treated at any of the Parkville Health Services. Staff at each of the Parkville Health Services are required to adhere to their health service’s policies and /procedures regarding the collection, use, and disclosure of patient information, including this procedure. Staff must only access records contained in the EMR as required as part of their role (e.g. if involved in or supporting care and treatment of that patient). Access to the EMR is audited regularly to monitor staff compliance. The records may not be retained locally or deleted. They may not be printed, disclosed, used, or amended for reasons other than patient care and treatment and only in accordance with RCH policies and procedures.

    The highest standards of security are expected within the RCH. Any violations of security procedure will be addressed through the RCH Performance Management and Disciplinary Procedure . Examples of breaches of security includes but are not limited to: 

    •   Staff accessing information that is not part of their job (eg. browsing patient information systems).
    •   Telling a co-worker your password so that s/he can log into secure information system. 
    •    Unauthorised use of a log-in code to access employee files or patient information.
    •   Leaving a hard copy medical record or patient paperwork unattended in any public area.
    •   Discussing personal health information in a public space (lifts or corridors) where it may be overheard by others. 
    •    Emailing patient information to an external organisation.
    •    Faxing personal information without including a fax cover sheet that includes an appropriate confidential note as per guideline below.

    5.1 Data Breach

    A data breach is an unauthorised access or disclosure of personal information, or loss of personal information. It may be caused by a deliberate action (external or internal), human error, or a system or information handling failure.  

    Examples of data breaches include:

    • loss or theft of physical devices (such as laptops, USBs and other storage devices) or paper records that contain personal information
    • unauthorised and inappropriate access to personal information by an employee
    • disclosure of personal information due to ‘human error’, for example a fax or email sent to the wrong person
    • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.

    Data Breach Plan

    A data breach may occur at the local hospital level e.g. an email or fax sent to the wrong person, loss or theft of a device or unauthorised access by an employee, or across the Parkville Health Services e.g. Cybersecurity attack on the EMR. 

    (a) Hospital level data breach

    • If there is a data breach or suspected data breach at the local level staff are to report it to their line manager. The line manager should escalate to the Privacy Officer and complete a VHIMS.  The Privacy Officer will be responsible for managing and assessing the breach, notifying and escalating to internal and external stakeholders where appropriate, and identifying any changes required to minimise the chance of the breach occurring again.
    • The Privacy Officer may refer to relevant local policy and procedures for next steps and escalation to appropriate General Counsel and Executive Director for advice.

    (b) Parkville Health Services level data breach

    • A data breach involving the Parkville Health Services will require activation of business continuity plans and a joint response with key individuals from each hospital. These individuals would include the chief information officers, executive, and members of the Hospital Incident Management Team (HIMT). The joint response team would be responsible for managing and assessing the breach, notifying and escalating to internal and external stakeholders including the Department of Health, and conducting an incident review.   

    Actions taken following a data breach should follow four key steps:

    • Step 1: Contain the data breach to prevent any further compromise of personal information.
    • Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
    • Step 3: Identify if a cross-precinct data breach has occurred. If so, the relevant PHS Privacy Officers should be notified as soon as practicable.
    • Step 4: If a cross-precinct breach is identified, the relevant Privact Officers must formulate a coordinated response, which may include engaging internal stakeholders to assist e.g., General Counsel, Executive, People & Culture etc.
    • Step 5: Determine if the Health Complaints Commissioner, the Office of the Victorian Information Commissioner, the Department of Health or any other external body should be notified of the breach.
    • Step 6: Review the incident and consider what actions can be taken to prevent future breaches

      5.2. Disclosure of Personal Information - disclosure via electronic messaging, fax, email, phone or verbally

      All disclosures should be documented/recorded in the patient's medical record and include date, name and signature of staff member disclosing information, detail of information disclosed, and name and contact number of requestor.

      Fax guidelines

      Patient information may be transmitted via the Electronic Medical Record (EMR) using autofax or manually by facsimile machine (fax). Details of the release of information by fax must be recorded in the patient's medical record.

      A standard RCH fax cover sheet that clearly identifies our organisation must be included in the transmission. This cover sheet must include the following details: 

      • date and time of transmission, and total number of pages;
      • destination, name of institution, fax and telephone numbers, person and department nominated as recipient; 
      • name, department and telephone number of person sending/authorising fax.

      The word "CONFIDENTIAL" must be included along with the following notice.

      Notice: This facsimile transmission and any documents attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and destroy the original.

      To minimise risks associated with faxing personal information also: 

      • Where possible, before sending a fax, ring the intended recipient to confirm their number and inform them the fax is being sent. 
      • Set the fax machine to print transmission reports if possible. 
      • Send only the minimum amount of information necessary. For example, if only one paragraph of a report is relevant send only that paragraph and not the whole report. 
      • Double check to ensure the correct fax number has been dialled and connected. 
      • Where possible, telephone recipient immediately to confirm that the information has been received in full. 
      • When autofaxing, using faxing software combined with a database of fax numbers to transmit confidential information, the contact information particularly the fax number must be validated. Validation involves contacting persons on the database and ensuring their fax details are correct prior to commencing faxing. Validation of the information in the database should occur periodically thereafter for example once or twice a year.

      Email guidelines

      The email system is not secure. The security risks include: misdirection due to error in typing address; lack of confidentiality of Internet traffic, email may be scanned and copied when it passes through nodes; it is simple for the sender to purport to be someone else; and receiving information in electronic form makes it easy for the recipient to copy, amend and disclose it to others.

      Therefore, at RCH personal health information must not be sent externally by email. Externally refers to email addresses other than "" or "".

      To minimise risks associated with emailing personal information internally staff should:

      • State clearly in the message if you do not want all or part of it forwarded to others and set the email footer to include the following notice.
        • Notice: This email transmission and any documents attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender and destroy the original.
      • Before forwarding messages from others, it may be necessary to remove sensitive parts. However, never edit and re-send a message from someone else without indicating that changes have been made to the original. 
      • If you receive a message intended for someone else, don't ignore it, return it to the sender and then delete. 
      • If you doubt the authenticity of a message, return it to the sender and ask for confirmation that they sent it. 
      • Assume that any message you send could be modified and forwarded anywhere without your knowledge or consent.

      For complete information on using email refer to the Email Usage Procedure.

      Phone guidelines

      Depending on factors such as the sensitivity of the information, the purpose for which it is being conveyed and the complexity of the details, all or some of the following steps may be appropriate safeguards for reducing the risk to privacy when using the telephone:

      • Ensure that other staff or patients cannot overhear the conversation. Move to another room, or time the call when others are not present.
      • If someone is asking for sensitive information over the phone, and it is reasonable to disclose it, ask if you can call back (so you can check the number against your records or confirm that they are from the organisation they purport to represent). 
      • If you are asking the other party to give sensitive information over the phone, check that they are able to discuss it privately (and are not, for example, speaking on a mobile phone in a public place) 
      • Keep a note of the conversation in the medical record, to record what information was given and to whom.

      Verbal guidelines

      All staff need to be mindful of where they carry out discussions regarding patient care. It is unacceptable to discuss personal health information in public areas such as lifts and corridors. The risk associated with personal information being inappropriately overheard is high. To minimise risks when verbalising personal information staff should:

      • Not discuss patient information in hospital lifts, corridors and public areas.
      • Be aware of who can overhear conversations on wards and other clinical areas.
      • Seek adequate privacy prior to discussing sensitive information with staff or patients.

      Medical Records

      Paper-based medical records are the property of RCH and are not to be removed from the organisation under any circumstance, unless authorised by the Manager, Health Information Services.

      Medical records, patient lists or reports must not be left in areas where the general public or unauthorised staff can access them.

      When staff are transporting medical records around the organisation every effort should be made to keep patient details covered. For example, if carrying a bundle of records in a lift turn the last one over so that only the back of the medical record cover is exposed.

      When records or information are sent with or without a patient outside the RCH the information must be secured in a sealed envelope or container labelled "Confidential" and addressed to the specific person at the receiving facility (e.g. Admissions Nurse). Records must be securely transported to the receiving facility and not left unattended at any stage until delivered to the authorised receiving person.

      Records when required at a Court of Law under subpoenas must be copied before they are sent outside the RCH. This copy will be kept at the RCH if required for patient care.

      Any paper-based information containing patient or private information that requires destruction should be placed in the secure destruction bins located throughout the Hospital

      5.4. Secure information systems, passwords and screensavers

      Staff access to secure information systems is determined via Department Heads authority. Department Heads need to ensure that access to systems is granted on a "need to know" basis. Access should only be provided to staff that require access to carry out their work. When staff are terminated, ICT must be notified to have access removed.

      Passwords for all information systems are to be kept secure.

      No password should be shared unless authorised by the Chief Information Officer.

      Staff are responsible for any access to secure information systems using their password.

      All computer screens in patient or public contact areas must have the screensavers wait period set at 3 minutes maximum. This will reduce the chance unauthorised viewing of information left on computer screens by patients, public or unauthorised staff.

      6. Special provisions/reference documents (which may be referred to)