Privacy Statement
Introduction
As New Zealand’s largest not for profit national network of private surgical hospitals, Southern Cross Healthcare Limited ("we", "our" or "us") is committed to safeguarding the privacy of patient information. We have a legal obligation to comply with the Privacy Act 2020 (“the Act”), the Information Privacy Principles ("IPPs") under that Act, and where health information is involved, the Health Information Privacy Code 2020 (“the Code”). You can read more about these laws on the website of the NZ Privacy Commission (www.privacy.org.nz).
Under the Act, organisations that are in possession of an individual's 'personal information' must observe certain restrictions and standards concerning the collection, use, disclosure, and security of that information. Personal information is defined by the Act as ‘information about an identifiable individual’.
As our patient, we may collect certain personal information and a medical history from you. For instance, we collect your personal details so we can provide you with medical treatment and advice. Test results and further information may be collected by us prior to your admission, while you are being treated as a patient at one of our hospitals, or may be received by us after your discharge.
For those people who are credentialled and independent medical practitioners who work within our hospitals and treat patients, we also collect personal information (such as evidence of competency, experience, current fitness, relevant health information, professionalism and performance) to ensure that such practitioners are sufficiently qualified and safe to operate on patients.
We have an obligation to collect personal information about you directly from you, unless it is unreasonable or impracticable to do so. If we have collected personal information about you, we must take steps as are reasonable in the circumstances to ensure that you are aware that we have collected your information and what we intend to do with it.
We have developed this Privacy Statement to inform you about:
- The kind of personal information that we collect and hold;
- How we collect and hold personal information;
- The purposes for which we collect, hold, use and disclose personal information;
- How you can gain access to personal information we hold and seek its correction;
- How you may complain about possible breaches of privacy, and how that complaint will be handled; and
- Whether we are likely to disclose your information overseas.
Health and safety
This section applies to information collected for health and safety purposes. This helps us to manage the safety and security of our workplaces and those who visit.
If you enter upon a Southern Cross hospital site, your contact details, such as your name, mobile number and time of your visit, may be collected by Southern Cross Healthcare.
We will collect your contact details in the following ways:
- If you are a Southern Cross Healthcare Limited staff member, we will be using the Kronos time recording application to record when and for how long you have been at a Southern Cross hospital site;
- If you are a medical practitioner consulting at a Southern Cross hospital site and you carry a wifi connected mobile device or tablet, we will use your automatic Southern Cross Healthcare Limited specialists wifi log in to record when and for how long you have been at a Southern Cross hospital site. If you do not wish for us to collect your personal contact details in this way then please turn off your device, or do not carry it with you, and instead sign in at the reception desk upon your arrival and departure from a hospital;
- If you are a patient, visitor or contractor, you will be asked to provide your contact details at our reception desk at the front entrance to our premises, either by signing in manually or using our electronic visitor register where this is available. We will already have your details if you are a patient.
If you do not wish to provide this information, we may be unable to allow you onto our premises.
How do we use personal information?
We will only use or disclose your personal information:
- for the purpose for which it was collected (or a purpose that is directly related to the purpose in connection with which the information was obtained);
- for any other purpose which you have authorised; and
- otherwise where we are permitted or required to do so by law.
We use personal information for the following purposes:
- to confirm your identity;
- to provide you, as our patient, with the clinical treatment that you have requested;
- to enable you, as a credentialled and independent medical practitioner to access and practice within our hospitals to treat patients;
- to offer applications (often referred to as an ‘App’) containing patient health information to medical practitioners, in order for that medical practitioner to review their patient’s health information and enable either our clinical staff, or a patient’s medical practitioner to provide timely medical treatment to their patient (note that any mobile App has a secure user consent process to enable those persons to access such data);
- paying accounts, invoices or generating bills;
- to investigate and resolve complaints concerning the provision of services;
- to comply with legislative and regulatory requirements and provisions; and
- to perform administrative functions including accounting, risk management and record keeping.
What personal information do we collect?
The personal information that we collect from patients generally includes:
- your name, email and postal address, date of birth, contact details, occupation, the name of your GP, emergency contact details, and other personal details (such as health insurance details if applicable), your NHI number, medical history, family medical history and health information such as medical test results, diagnosis and treatments in order for us to open a hospital record;
- personal information such as the name, contact details and medical history of any medical practitioners who are credentialled to treat the patients in our hospitals.
For those people who are credentialled and independent medical practitioners who access and practice within our hospitals and treat patients, we also collect personal information (such as evidence of competency, experience, current fitness, relevant health information, professionalism and performance) and a medical history to ensure that such practitioners are sufficiently qualified and safe to operate on patients.
We often collect personal information that is regarded as health information. Health information may only be collected where it is reasonably necessary for, or directly related to, one of our business functions or activities. Where required by law or regulation, we will handle this type of personal information differently to other types of personal information due to its special nature.
Why is this information collected?
If you are to receive, or have received, a service from one of our hospitals we will collect and hold your personal information to:
- provide the required treatment, service and advice;
- administer and manage those services, including charging, invoicing and debt collection;
- contact you to provide advice or information relating to your treatment;
- conduct appropriate health insurance eligibility checks;
- improve the quality of our services through research and development;
- conduct regular surveys to gain an understanding of individual needs;
- maintain and develop business systems and infrastructure to improve the services we provide.
If you are a medical practitioner providing services at our hospitals we will collect and hold your personal information to:
- administer and manage those services, including charging, invoicing and debt collection;
- contact you to provide advice or information relating to a patient’s treatment;
- conduct appropriate indemnity insurance, registration and other relevant professional practice checks;
- improve the quality of our services through research and development;
- conduct regular surveys to gain an understanding of individual needs;
- maintain and develop business systems and infrastructure to improve the services we provide.
How do we collect personal information?
Information collected from you
When it is reasonable and practicable to do so, we will collect your information from you directly.
As a patient this may take place when you complete admission or administrative paperwork either in person via a paper form, or via the MyHealthcare platform. It may also occur via the hospital admission process, through your doctor's rooms or over the telephone. We will do this:
- when you, as our patient, provide information before, during or after your patient admission at one of our hospitals;
- each time we have contact with you by telephone or email, or when you visit our website and complete an online enquiry form and submit that to us.
As one of our credentialled medical practitioners:
- applying to become credentialled with us, so as to enable you to treat patients within our hospitals;
- when we issue you (either as a credentialled medical practitioner with us or as one of our contracted allied health practitioners) with your user name and log in details to use electronic patient records;
As a staff member of Southern Cross Healthcare Limited, or if you apply for employment with us.
When you browse our website, you may do so without providing any personal information. However, where you voluntarily provide personal information (e.g. via an email to us or by completing a request online via our website) we are required to manage your information safely and with respect as per the Act and the Code.
We use Closed Circuit Television surveillance (“CCTV”) in certain parts of our hospitals to maintain the safety and security of property, patients, staff and visitors. These CCTV systems may, but do not always, collect and store personal information.
Information collected from third parties
We may also collect personal information about you for the purposes set out above from:
- medical practitioners and/or other healthcare service providers or external agencies;
- your treatment funder (or an advisor or agent associated with your treatment funding); and
- any other third party authorised by you such as a relative, a person with your power of attorney or other health services provider, if it is unreasonable or impracticable to collect it from you.
In particular, we may need to access health information about you that is relevant to your current treatment (including pre-admission and after discharge) which may be held by us, other health professionals or other health organisations.
When we collect personal information about you from a third party (such as another health services provider) you will have already given that third party your consent to share personal information with us for the purposes of carrying out your treatment, or we may contact you directly to obtain your consent to access this information.
If you do not provide the personal information we request or do not consent to our collecting that personal information from third parties, then depending upon the type of personal information concerned, we may not be able to provide you with appropriate treatment or care.
Use and disclosure of personal information
We will use and disclose your personal information for purposes directly related to your treatment and in ways you would reasonably expect for your ongoing care, or in accordance with this Privacy Statement. This may include, but is not limited to, the transfer of relevant personal information to your nominated GP, to another treating health service or hospital, to a specialist for a referral, for pathology tests and X-rays.
To facilitate continuation of your care following discharge, it is our practice to disclose personal information to your nominated general practitioner. If you do not want your personal information disclosed to your nominated general practitioner, please let us know.
The main purpose of collecting personal information about you is to provide ongoing clinical treatment and advice.
We are required to disclose some information to government agencies to comply with laws regarding the reporting of notifiable diseases and statistics. Your personal information may be required as evidence in court when subpoenaed.
We cannot use your personal information for direct marketing purposes unless you provide authorisation.
Our staff may convey to your next of kin or a close family member, general information about your condition while in hospital, in accordance with the accepted customs of medical practice, unless you request otherwise.
Our policies and procedures ensure our staff treat your personal information confidentially and discreetly.
We do not ordinarily disclose patient personal information to entities overseas. You may direct us to do so if, for example, your health insurer is based outside of New Zealand. These organisations may not be subject to New Zealand privacy laws. However, we will take such steps as are reasonable in the circumstances to ensure that those organisations are either subject to privacy laws that, overall, provide comparable safeguards to those under the Act, or are otherwise required to protect the information in a way that, overall, provides comparable safeguards to those under the Act.
In summary, we will only disclose your personal information to third parties:
- if you have given us your consent to do so;
- to people or entities such as:
  - (if you are a patient) your medical practitioner or GP and/or other healthcare service provider;
  - government, law enforcement or statutory bodies;
  - treatment funders, where the information is required as part of a treatment settlement or associated audit;
- if the situation is an emergency and consent is not required;
- to other Southern Cross branded businesses for the sole purposes of: (a) fraud prevention, detection and investigation; and (b) redirecting claims and other correspondence that we reasonably believe to be intended for another Southern Cross branded business;
- to any third party authorised by you; and
- where it is permitted by law.
Any use of your information by that third party is limited solely to the purpose of that third party.
There may be occasions when your information is used or disclosed in other circumstances which are permitted by the Act, the Code or other laws.
Your consent
As a patient you should note that by commencing or continuing your relationship with us, you are taken to have authorised the collection and disclosure of personal information, including health information, by us from and to third parties as detailed in this Privacy Statement. You do not have to provide us with your personal information. However, depending on the circumstances, this may prevent us from being able to provide our services to you.
For those people who are credentialled and independent medical practitioners who access and practice within our hospitals and treat patients, by commencing or continuing your relationship with us, you are taken to have authorised the collection and disclosure of personal information, including health information, by us from and to third parties as detailed herein and in the Credentialling access and practice guide. You do not have to provide us with your personal information. However, this will prevent us from being able to provide you with access and the ability to practice within our hospitals.
How personal information is held / security
Your personal information will be collected and held by:
Southern Cross Healthcare Limited, Level 14, ANZ Centre, 23-29 Albert Street, Auckland 1010
We store personal information in a variety of ways, including paper and electronic formats. The security of information is important to us. Our staff are responsible for protecting patient information from unauthorised access, misuse, loss and damage.
We are strongly committed to protecting your personal information and your privacy. We have strict information security policies and procedures in place to protect personal information held by us from misuse, interference, loss, and unauthorised access, modification or disclosure.
Access to personal information systems is controlled by us through identity and access management. All employees are required to complete training about information security, and we regularly monitor and review our compliance with internal policies and industry best practice. By law we are required to hold all health information for a period of 10 years. Personal information may be stored in either hardcopy documents or as electronic data. We store all electronic data in secure data facilities located in either NZ or Australia; these facilities are either owned by us or our external service providers. All personal information is held in secure locations with access limitations. Our computer-based information is protected through the use of access passwords on each computer. Data is backed up daily. We employ firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses entering our systems.
Where personal information is transferred by you to us over the internet, we cannot guarantee that a transmission of information is always secure, and while we maintain the highest security measures, we cannot ensure information sent by you is secure and therefore it is transmitted by you at your own risk.
It is considered usual practice for healthcare organisations to communicate with patients via ordinary post. Such communications may include personal or health information.
We use a secure disposal system for the destruction of hard copy records containing personal information that does not need to be retained. All electronic documents are retained securely in our system.
Our security procedures and policies are audited on a regular basis to ensure they are updated and in accordance with legal requirements and current levels of information security standards and practices.
We will take all reasonable steps to protect the personal information of patients and credentialled medical practitioners from misuse, interference, loss, unauthorised access, modification or disclosure in accordance with the Act and the Code.
When we no longer need your personal information for a purpose for which it may be used or disclosed by us, we will take steps that are reasonable in the circumstances to destroy that information or make sure it is anonymised. We do not need to destroy or anonymise information that we are required to retain by a New Zealand law or a court/tribunal order.
Access and correction
You may request access to and/or correction of any of the personal information, including your medical records that we hold about you. To enable us to process your request, we ask that you contact us in writing or by email and state:
- your name;
- your date of birth; and
- the kind or type of information that you are requesting access to.
If you wish to correct that information, we may require proof that we have incorrect information held about you (such as a statement from a doctor).
The type of information held generally includes the following:
- a record of your hospital procedures and medical history;
- the name of your medical practitioner who is providing or has provided treatment to you, if you are our patient;
- details relating to your credentialling with us, if you are a medical practitioner working within our hospitals;
- for some people, information relating to their treatment insurance cover and audit requirements.
Details of what kind of information we hold and for what purpose can be obtained by emailing us. You can also request information as to how we collect, use, store, and disclose your information.
We will acknowledge a request for access and respond to your request as soon as reasonably practicable and no later than 20 working days from the date the request is received, unless we have extended the time limit for responding to your request in accordance with the provisions of the Privacy Act. We may recover from you the reasonable costs of providing access to your personal information. We do not charge you for receiving or processing a request to correct or update your personal information. Access to the information will either be in the form of copies or by allowing you to view the information.
Where your access request may result in disclosure of personal information and, in particular health information, about other individuals, the request for access must be in writing with appropriate consents or a declaration that consent has been given before the personal information is released.
If you establish that the personal information we hold about you is not accurate, complete or up-to-date, we will take reasonable steps to correct the information on being provided sufficient evidence to correct or change the information. Please assist us to keep accurate details by informing us whenever your personal details change or whenever you become aware that our records are inaccurate.
There are certain circumstances permitted under the Privacy Act where we might not be able to fulfil your request. If that happens, we will provide reasons in writing for the denial or limitation on access and the options available to you to dispute the refusal, and we will inform you of any exceptions relied on under the Act. If we don't allow you to access or correct your personal information, and you disagree with our decision, please contact us using the contact details set out at the end of this Privacy Statement.
We will investigate your complaint and respond to you as quickly as possible (usually within 30 days of hearing from you). If your complaint takes longer to resolve, we’ll let you know how the investigation is progressing.
Overseas storage of data
Due to the way in which we store electronic data, in some cases your information is transferred overseas. By signing our patient admission form, you are consenting to us transmitting, using secure connections, your information to overseas parties for the purpose of secure storage, in appropriate circumstances, if required.
No marketing
We do not rent, sell or lease our customer information to third parties.
Privacy complaints
You should first direct any complaint of an alleged breach of the Privacy Act to our Privacy Officer. Each hospital has a General Manager who is also the Privacy Officer for that business unit. The Chief Executive Officer is the overall Privacy Officer for Southern Cross Healthcare Limited.
The complaint can be emailed to Southern Cross Healthcare Limited at: privacy@schl.co.nz
Alternatively, any complaint may be sent by post, for the attention of the Privacy Officer, to this address:
Southern Cross Healthcare Limited
PO Box 5341
Victoria Street West
Auckland 1142
New Zealand
If you are not satisfied with how we have dealt with the complaint, you may contact the Privacy Commissioner at:
Privacy Commissioner
Level 13, WHK Tower
51-53 Shortland Street
Auckland 1140
New Zealand
Telephone 0800 803 909
Email enquiries@privacy.org.nz
Changes to the Privacy Statement
This Privacy Statement was last updated in November 2022 and is subject to ongoing review. You may also obtain a copy of this statement by emailing us at privacy@schl.co.nz.