Privacy Policy

SECTION 1 – INTRODUCTION

PURPOSE

Greenlight understands that confidentiality of injured workers’ personal information must be maintained at all times, both from legal and moral/ethical perspectives.

In line with this, a Privacy Policy has been developed and implemented. All staff and contractors engaged to work with Greenlight are required to follow the terms of this policy. Additionally, Greenlight only deals with contractors that comply with the Privacy Act 1988 (Cth), the Health Records and Information Privacy Act 2002 (NSW), all applicable subsequent amendments, and their respective principles (the Australian Privacy Principles (APPs) and the Health Privacy Principles (HPPs)).

SCOPE

This policy statement applies to all Greenlight managers and employees in their work for Greenlight.

SECTION 2 – POLICY

PRINCIPLES

The Australian Privacy Principles (APPs) are set out in the Privacy Act 1988 (Cth), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012, and the Health Privacy Principles (HPPs) are set out in the Health Records and Information Privacy (HRIP) Act 2002 (NSW). These Acts are designed to protect personal information that may be held or used by an organisation. The Principles aim to ensure that organisations holding information about people manage that information responsibly, and they give people some control over the way information about them is handled.

The Principles regulate the collection, handling, use, disclosure, transfer, and management of personal information.

Protecting individuals’ privacy and the confidentiality of their personal information is important to us, as it is fundamental to the way we conduct business. Greenlight is sensitive to privacy issues and treats very seriously the ongoing trust our customers have placed in us. Greenlight believes it has best practice procedures and that we have some of the most robust systems in place for handling and protecting private and sensitive information.

Greenlight understands that enhanced privacy legislation took effect in March 2014 which, among other things, increased penalties for breaches of privacy by companies and individuals and introduced a new credit reporting system. In response to these changes, Greenlight has made our privacy statement available to all through our website, provides copies of our privacy statement to all workers who request it, and continuously reviews all privacy and data gathering processes to ensure full compliance.

POLICY

Greenlight’s Privacy Policy currently addresses each Australian Privacy Principle (and corresponding Health Privacy Principle (HPP)) as follows:

Australian Privacy Principle 1—open and transparent management of personal information (HPP4 & HPP6)

Greenlight is open and transparent with our customers as to what information we collect and how we use it. Under the legislation, we are required to advise individuals who deal with us:

  • what information we are collecting (even if we are collecting it from someone else) – such as name, address, financial information, health information etc.

  • why we collect it (for what purpose)

  • who else we may give the information to

  • their rights in relation to accessing the information

  • their right to ensure the information we collect is accurate, up to date and complete

  • their right to complain if they believe their privacy has been breached.

We communicate our policy on privacy by providing a copy of our Privacy Policy, which informs our customers of our obligations under Privacy legislation.

Australian Privacy Principle 2—anonymity and pseudonymity (HPP 12 & 13)

Greenlight ensures that, where it is lawful and practicable, we provide an individual with the option of dealing with us anonymously or by using a pseudonym. As an example, individuals who browse our website are not asked for any personal information.

Australian Privacy Principle 3—collection of solicited personal information (HPP 1 & 3)

Greenlight considers ‘collection’ to mean the gathering, acquisition or obtaining of personal information from any source and by any means. Collection also includes when an organisation obtains personal information it has come across by accident or has not asked for.

In the collection of personal information, Greenlight undertakes to comply with the provisions of the Privacy Act 1988 (Cth) and the appropriate amendments. In doing so, Greenlight will only collect personal information where it is necessary for one or more of our functions or activities, and, where practicable, will collect the information directly from the individual. We will also only collect personal information in a fair and bona fide manner (without deception or intimidation).

Personal Information

Greenlight considers personal information to be information or an opinion, whether true or not and regardless of medium, about a natural person whose identity is apparent or can reasonably be ascertained from that information or opinion.

With this in mind, Greenlight considers the following examples to constitute personal information:

  • Sensitive information

  • Name

  • Address

  • Date of birth

  • E-mail address

  • Fax number

  • Telephone number

  • Contents of a file note

  • Health information

  • Banking details

  • Claim form

  • Certificate of earnings

  • Medical report.

Greenlight considers sensitive information as the following:

  • Racial or ethnic origin

  • Political opinion

  • Membership of a political association or religious beliefs, affiliations or philosophical beliefs

  • Membership of a professional or trade association or membership of a trade union

  • Sexual preferences or practices

  • Criminal record

  • Health information about an individual.

It is our aim to only collect sensitive information if the customer has consented to the collection. If it is necessary to collect sensitive information without a person’s consent, we will only do this where the collection is required by law or to establish, exercise or defend a legal or equitable claim.

Health information

As a general rule, Greenlight classifies health information as the following:

  • Information regarding the health or disability of an individual

  • Individual’s expressed wishes about the future provision of health services

  • Health services provided or to be provided to an individual

  • Donation, or intended donation of body parts or body substances.

It is our aim to only collect health information where we have an individual’s consent. We will only collect health information without an individual’s consent where the information is necessary to provide a health service and its collection is required by law or by rules established by professional medical bodies; where the collection is for public health purposes or to monitor a health service; or where it is impracticable to obtain consent and de-identified information would not be sufficient.

In addition, Greenlight only intends to use or disclose health information for public health research, if it is de-identified or with the consent of the customer.

Australian Privacy Principle 4—dealing with unsolicited personal information (HPP2)

If Greenlight obtains personal information it has come across by accident or has not asked for, Greenlight will determine whether the information obtained is information that could have been obtained appropriately under Australian Privacy Principle 3 above. If this is so, then all Privacy Principles apply as if the information was solicited. If the information is not information that could have been obtained appropriately under Australian Privacy Principle 3 above, then Greenlight will immediately destroy the information or ensure that the information is de-identified where it is legal to do so.

Australian Privacy Principle 5—notification of the collection of personal information (HPP4)

Accompanying our policy on information collection, Greenlight will always disclose to individuals who we are, how we can be contacted, access rights, purposes of collection, who we may collect information from, who we usually disclose information to, laws requiring collection and the consequences to an individual for failure to provide information to us. As a result, we will only proceed with our service when the individual provides consent to do so.

Australian Privacy Principle 6—use or disclosure of personal information (HPP10)

The primary purpose for the collection of personal information by Greenlight is to assist us in our functions of injury and disability management, training and consulting and the provision of rehabilitation services. Greenlight will lawfully collect, use and disclose personal information for this purpose.

However, we may use or disclose the information for related, secondary purposes if the individual could reasonably expect us to use the information in such a way, or if the individual has given consent. This may include following up a complaint, advising customers of a change of address, or disclosing information required by law.

Australian Privacy Principle 7—direct marketing (HPP10 & 15)

Greenlight will never disclose personal information to any party for the purposes of direct marketing without the specific and documented consent of each specific individual. 

Greenlight aims to only use personal information for direct marketing if we have given the customer a clear choice in each marketing communication as to whether he or she wishes to receive marketing communications.

Australian Privacy Principle 8—cross-border disclosure of personal information (HPP11 & 14)

Where we are required to transfer personal information to a non-Greenlight entity or a related Greenlight company in a foreign country, we will only do so if that country has comparable privacy laws, we have obtained the individual’s consent, or the transfer is for the benefit of the individual and the individual would have consented to it.

If this transfer were to an individual, we would only transfer to the individual whom the personal information is about.

Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers (HPP12 & 13)

An ‘identifier’ is a unique combination of letters and numbers used by businesses, including government organisations, to identify an individual. Examples include insurance policy numbers, Medicare numbers, etc.

Greenlight will not use a Commonwealth Government identifier (such as a tax file number) to organise and match Greenlight information, unless we are allowed to do so according to Privacy regulations. In other words, we use our own identifier to organise all information we hold about an individual. This could also include date of birth, name and address or date of referral.

Australian Privacy Principle 10—quality of personal information (HPP8 & 9)

Greenlight will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up to date. 

Australian Privacy Principle 11—security of personal information (HPP5)

Greenlight will take reasonable steps to ensure that the personal information we hold is protected from unauthorised use, access, modification, and disclosure. These steps include technological measures, physical measures, and training of all staff in the requirements of collection, use and storage of personal information. 

This obligation also extends to information we may disclose to our agents, contracted service providers or other third parties. In accordance with this, we intend to only disclose information to agents or contracted service providers if they agree to abide by the terms of Greenlight policies, as well as relevant privacy legislation.

In practice, Greenlight has implemented a security policy, accessible to all staff, covering all organisational systems used for processing, storing or transmitting personal information. This covers secure destruction of information and adequate de-identification (i.e. removal of identifiers), protection of all computer-stored information through firewalls and password-based access controls, and secure storage of portable devices such as tablets and smartphones. Additionally, all data and information is stored, managed and processed on a network of remote servers hosted in a data centre, rather than on a local server or personal computer.

We also aim to protect personal information by developing an organisational culture, which respects an individual’s privacy.

Australian Privacy Principle 12—access to personal information (HPP6,7, &9)

A customer of Greenlight has the right to access most of the personal information that we hold about them (refer to the exceptions listed in the Frequently Asked Questions section below). Customers do not have to give us reasons for wishing to access their information. In providing access, we ensure that the person seeking access is in fact the individual the personal information is about.

When Greenlight does receive requests for access to information, it is our intention to meet the following response times:

  • To acknowledge receipt of individual’s request for access within 10 working days from date of request.

  • To provide access to simple requests for personal information within 15 working days from date of request.

  • To provide access to more complex requests for personal information within 20 working days from date of request.

There are situations in which Greenlight will not be required to grant customer access to information. These situations may prejudice legal dispute resolution proceedings or negotiations; pose a threat to life, health, or safety; pose a threat to national security; be unlawful; or impact the privacy of another individual. In the situations where we are withholding access to information, we will always provide an explanation to the customer (except when we are investigating unlawful activity). We would also give the customer access to the parts of the record that are not exempt. 

Australian Privacy Principle 13—correction of personal information (HPP8)

Greenlight takes all reasonable steps to correct personal information where an individual establishes that the information is inaccurate, incomplete, or not up-to-date.

If an individual requests that a report is to be modified, in their belief that it contains inaccuracies, the consultant has two options:

1. If the consultant agrees with the individual’s requested correction, the consultant will amend the report and circulate it again.

2. If the consultant disagrees with the individual’s requested correction, the consultant will attach a supplementary report to the original report, detailing what corrections the individual had requested, and circulate the supplementary report to recipients of the original report.

INFORMATION SECURITY

Greenlight aligns the management of its IT platform with this privacy policy, being fully aware of the need for protective measures to ensure the safety and confidentiality of all the information we gather and store. To this end, Greenlight has put in place a range of protocols to ensure that our information database and all its contents are protected against unauthorised access by external parties.

These include:

  • Use of remote, secure offsite locations for our server hardware.

  • The use of a network of remote servers hosted in a data centre, rather than a local server or personal computer, operating within the cloud, with username and password authentication required to access our IT systems and programs.

  • Additional and separate user ID and password credentials to access Case Manager and its database, including specific licence protocols for the use of Case Manager as a product.

  • Communication via email and scanner direct from Case Manager, to provide an additional layer of protection for outgoing information.

  • Password-protected email systems hosted in the cloud.

  • Multiple layers of firewalls at all points of entry, providing multi-layered protection for the personal data held on our systems.

  • Specific time-out functions embedded in our IT platform, so that remote sessions are terminated after a defined period of inactivity.

  • Access to these systems via smartphones, tablets and laptops, each of which is individually passcode or password protected and stored in secure facilities when not in use.

  • Regular anti-virus protection activities and system updates to maintain data quality and protection.

  • Daily back-ups of all databases, so that minimal data is lost following unforeseen events such as hardware or software failure.

  • Replication of all backups between a primary and a secondary data centre, in case the primary data centre becomes unavailable.

  • A team of IT experts who continually review our IT systems for enhancements and current developments that improve services while maintaining our level of security, quality and integrity in data management.

  • Failsafe backup power generation, so that should a power disruption or surge occur, our data is protected by automatic switching to an alternate power supply, providing uninterrupted service.

  • Encryption of all data in transit between users and our systems using TLS (commonly still referred to as SSL). TLS protects data while it is being accessed or transmitted; it does not by itself protect data stored at rest.

These protocols ensure that Greenlight establishes and maintains appropriate controls against the destruction, unauthorised disclosure, loss or alteration of data and records at all times during the period of service provision to our customers, and for a period of seven years following the cessation of services, in case the information is required by our customers after completion of a case. It is standard practice that, seven years after completion of a case, all information pertaining to that case is deleted and destroyed so that it cannot be recovered.

Data Breach Management:

All actual or suspected breaches of, or relating to, information security must be reported, and will be investigated by our CISO and executive management where relevant, or by another party where more appropriate. Such circumstances are defined as an Incident and are handled as such under Greenlight’s IT Operations & Security Policy, in line with the OAIC’s Data Breach Action Plan for Health Service Providers.

(https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/health-service-providers/data-breach-action-plan-for-health-service-providers)

All employees, contractors and third-party users will be made aware of the procedures for reporting the different types of security incident, or vulnerability that might have an impact on the security of the organisation’s assets.

Furthermore, information security education and training will be available to all staff where relevant and applicable. All information stored on our systems will be held in an external secure facility and kept to an absolute minimum (only required information will be retained). These processes will be applied to all relevant roles within the business, via an approved framework, and to all possible third parties, to ensure that any possible breaches are minimised by design.

With regard to viruses and other malicious software, we will use all reasonable efforts to ensure that no harmful code is introduced into our environment and, where possible, will take proactive steps to ensure that any damage caused is minimal. Should malicious code be introduced into the system, we will make every reasonable effort to remove the threat and assess the impact of the breach.

All data breaches are recorded on Greenlight’s Data Breach Register, which is reviewed quarterly by the Executive Management Team to assess potential threats.

FREQUENTLY ASKED QUESTIONS

What happens if a worker requests access to their file?

If a worker requests access to information, the Greenlight consultant will bring this to the attention of a Managing Director. It is not uncommon that if a worker requests access to their file, they have some concern. It is Greenlight’s intention to meet the following response times:

  • To acknowledge receipt of individual’s request for access within 10 working days from date of request.

  • To provide access to simple requests for personal information within 15 working days from date of request.

  • To provide access to more complex requests for personal information within 20 working days from date of request.

There are situations in which Greenlight will not be required to grant a customer access to information. These situations are where access would prejudice legal dispute resolution proceedings or negotiations, pose a threat to life, health or safety, pose a threat to national security, be unlawful, or impact the privacy of another individual. Where Greenlight is withholding access to information, Greenlight will always provide an explanation to the customer (except when Greenlight is investigating unlawful activity). Greenlight will also give the customer access to the parts of the record that are not exempt.

Greenlight is also required to take reasonable steps to correct personal information where an individual establishes that the information is inaccurate, incomplete or not up to date.

If an individual requests that a report be modified in their belief that it contains inaccuracies, the Greenlight consultant has two options:

1. If the consultant agrees with the individual’s requested correction, the consultant will amend the report and circulate it again.

2. If the consultant disagrees with the individual’s requested correction, the consultant will attach a supplementary report to the original report, detailing what corrections the individual requested, and circulate the supplementary report to recipients of the original report.

What do I do if there is information on the file that I perceive as sensitive in relation to a third party? 

If a worker requests access to their file under Privacy Legislation, Greenlight is responsible for ensuring that providing the access does not breach a third party’s privacy. If there are file notes that disclose sensitive information about a third party, that information should be removed or redacted before access is provided to the worker.

Costs related to the case are considered confidential information in relation to the provider / Agency relationship; hence the worker is not entitled to access this information without the consent of the Agency.

Independent medical reports held on Greenlight files can, in some instances, be accessed by the worker under Privacy Legislation. However, Greenlight will let the Agency and independent medical examiner know about the request. If there is a court case pending, all information on the file is only able to be accessed via a subpoena.

What happens if the worker refuses to sign the Information Consent form?

Sometimes workers are reluctant to sign Information Consent forms as they are unsure how their information is going to be used. If this is the case, a reassuring explanation of the purpose for collecting and disclosing the information is provided to overcome this concern.

Some workers have been advised by their solicitor not to sign anything. If this is the case, Greenlight will telephone the solicitor to address this barrier. If possible, consultants will ring the solicitor during the initial interview with the worker, if this issue arises.

Some workers persist in refusing to sign Consent forms. Fundamentally, if the consent form is not signed, Greenlight is not able to provide the service we have been requested to undertake. If this scenario arises, it can be a sensitive issue to deal with and it is crucial that a Director be made aware of the situation. The Director will provide advice on how best to deal with this scenario.

What happens if a solicitor requests that wording in the consent form be changed? 

If a worker and/or solicitor requests that any wording on the Information Consent form be changed, the Greenlight consultant must bring this to the attention of a Director. As a general rule, the wording on the Consent form should not be changed; however, depending on the circumstances, it may be appropriate in some instances, but any changes must be ratified by a Company Director.

What happens if someone rings requesting sensitive information?

When a caller requests private and/or sensitive information, three questions need to be asked, and answered correctly, to identify the caller and confirm they are entitled to receive the requested information:

1. Name

2. Address or date of birth

3. Another question relating to the case, e.g. ‘Who is your workers compensation insurer?’ or ‘What is your claim number?’

Professional registrations and affiliations

Greenlight supports external training programs and study commitments that augment an individual’s ability to provide high quality service. As such, we pay for professional memberships for all our staff where appropriate and encourage our staff to attend professional courses provided by their professional bodies, offering each staff member additional study leave days for courses related to their profession.

External training days and study leave are offered to all internal staff members, with each staff member allocated $3000 in financial support per year to assist in covering the cost of these studies. Additionally, all Greenlight staff are empowered to submit proposals to the managing directors regarding additional funding for professional development if required. This funding is reviewed annually by our managing directors to ensure the amounts allocated are in line with increases in external provider costs.

Greenlight maintains a copy of each professional code of conduct for all professions relevant to the staff employed to perform injury management and rehabilitation services. Greenlight’s Executive Management Team keeps a copy of each code of conduct on file for reference.

All contractors are responsible for maintaining the standards of their own profession’s code of conduct. This is monitored by the Executive Management Team.

All staff and contractors are obliged to provide copies of their professional registration and degree qualifications, applicable to their position, upon recruitment. Further evidence is then required on an annual basis to demonstrate currency of registration and any newly obtained qualifications. Greenlight’s administration staff maintain records of all these documents and have established calendar reminders to ensure appropriate registrations are obtained annually.

Complaints regarding Privacy:

Greenlight takes all complaints very seriously, as we view feedback and complaints as ways to help us improve our services and create greater service user satisfaction and outcomes.

Greenlight is committed to managing complaints in an accountable, transparent, timely and meaningful way and in the most direct way possible.

Greenlight supports and encourages the rights of our service users, their families/ carers and stakeholders to lodge and pursue any complaint in relation to any aspect of Greenlight services or operations. 

The organisation is committed to the following complaints management principles:

  • Assisting people to make a complaint in whatever way is meaningful for them

  • Complaints can be lodged without fear of retribution

  • Protect confidentiality and privacy of complainants

  • Complaints are assessed fairly, objectively and professionally

  • Openness and accountability

  • Complaints are resolved in a timely manner

  • Ensure the application of procedural fairness and natural justice for all involved

  • Encourage the development of harmonious partnerships

  • Integrate complaints information into the organisation’s improvement process.

Greenlight expects that complaints and feedback will be addressed and initially responded to by the people directly involved, with all unresolved complaints being dealt with by the managing directors. However, where complaints require investigation or more formal review, we will ensure that sufficient resources are allocated so that complaints are proficiently managed and investigated, and will only allocate suitably skilled and qualified employees to investigate and manage complaints.

Further information regarding our complaints process can be found in Greenlight’s Feedback and Complaints Policy, which can be obtained from Greenlight by sending an email to administration@greenlighthc.com.au or by telephone on 1300 312 049.

Policy Training and Responsibilities:

Training on Privacy, Security and Professional registrations and affiliations is provided as follows:

All Greenlight staff are issued with all policy and procedure documents at the commencement of their employment, and, in the induction period, a Regional Lead works through all of these with the new employee in person to ensure a thorough understanding is gained.

  1. All policies are reviewed on a biennial basis by the Executive Management Team and updated in between as required.

  2. Any changes to these policies are presented by the Executive Management Team for discussion in the monthly team meetings, with updated documents provided to all staff and all questions answered.

  3. Hence the Executive Management Team is able to regularly review changes in legislation and the impact of these changes, facilitating a rapid dissemination of information.

  4. Additionally, Greenlight has ‘legislative changes and review’ as a regular mandatory agenda item for these monthly meetings.

  5. Greenlight management conducts regular audits on all cases to ensure compliance with all privacy legislation and any issues identified are raised with the individual employee or contractor, as well as at the next monthly meeting.

  6. Furthermore, Greenlight manages change by exception; if an issue is identified that requires immediate action, such as one identified by a customer Provider Manager, then an exigent meeting of the Executive Management Team is convened, the issue discussed, and a strategy put into place. This change is then communicated to all staff and strategies to monitor the change invoked. The customer Provider Manager is informed of Greenlight’s issue resolution activities, confirming the Customer’s satisfaction with the strategy to resolve, and an educational program is initiated to ensure the issue does not occur again.

  7. All professional registrations and affiliations are noted and recorded at the time of employment, with a yearly review of these registrations and affiliations completed as part of our Recruitment and Quality Assurance Policies.

Effectiveness and benefits of Greenlight’s ability to maintain contemporary practices and legislative and professional standards with regard to Privacy, Security and Professional registrations and affiliations:

Greenlight’s practices regarding Privacy, Security and Professional registrations and affiliations are supported through the rigorous adherence to robust policies, which ensure:

a.      Greenlight meets all legislative requirements as determined by the NSW SIRA Workplace Rehabilitation Provider Framework and Comcare’s Guidelines for Rehabilitation Authorities.

b.      Greenlight complies with all Privacy Legislation. 

c.       Greenlight is able to safeguard personal information of all our customers and their clients.

d.      Greenlight has established privacy practices that dictate the gathering, use, safe storage and destruction of private individual and corporate information.

e.      Greenlight is able to safely use current technology such as Cloud Computing and Social media to enhance its services, whilst maintaining the privacy of all our clients and customers.

f.        Consistency of our service delivery to all our customers.

g.      A reliability of service delivery second to none.

h.      A sustainable and robust business model that is truly adaptive and responsive to our customers.

i.       All Greenlight’s services are performed within the Safety, Rehabilitation and Compensation Act (SRC Act) including Comcare’s Guidelines for Rehabilitation Authorities. Greenlight services comply with the Comcare Operational Standards for workplace providers, Comcare’s conditions of approval, and the NSW SIRA Workplace Rehabilitation Provider Framework.

Greenlight hopes that this document has helped aid your understanding of the Privacy Principles and the steps and actions Greenlight has put in place to protect an individual’s privacy. If you wish to discuss any aspects of this policy, please contact a Greenlight director.