Privacy Policy - CareFlight

CareFlight (www.careflight.org) is an Australian aeromedical charity that aims to save lives, speed recovery, and serve the community.

This policy details CareFlight’s commitment to adherence to the Australian Privacy Act 1988 (the Act) and Australian Privacy Principles (APP’s) in the management of personal and sensitive information held by Careflight.

Scope

The policy applies to all personal and sensitive information provided to, or collected by CareFlight and is applicable to all CareFlight Employees, Volunteers, Contractors, Suppliers, Patients and Donors.
By providing your personal information to us, you consent to the use, storage, and disclosure of the personal information you provide to us as described in this policy.

What is personal information?

Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.

For example, personal information may include:

an individual’s name, signature, address, phone number or date of birth
sensitive information
credit information.
employee record information
photographs
internet protocol (IP) addresses

Sensitive information is personal information that includes information or an opinion about an individual’s:

racial or ethnic origin
political opinions or associations
religious or philosophical beliefs
trade union membership or associations
sexual orientation or practices
criminal record
health or genetic information

Generally, sensitive information has a higher level of privacy protection than other personal information.

CareFlight is committed to safeguarding the privacy of personal and sensitive information.

What personal information do we collect?

Some examples of personal and sensitive information we may collect are:

Clinical:

an individual’s name, signature, address, phone number or date of birth
sensitive information
photographs
racial or ethnic origin
religious or philosophical beliefs
sexual orientation or practices
health or genetic information

Media, Fundraising and events:

an individual’s name, signature, address, phone number or date of birth
sensitive information
credit information.

Finance & Procurement

an individual’s name, signature, address, phone number or date of birth
credit information.

Human Resources

an individual’s name, signature, address, phone number or date of birth
employee record information
photographs
trade union membership or associations
criminal record

How do we collect it:

Some examples include:

Directly from you: At the point of care, on registration or feedback forms, on application forms, through
fundraising platforms.
CareFlight Social Media Platforms: Facebook, Twitter,
Through mailing lists, donations, and event registration.
From Third Parties: other service providers, family, carers and authorised representatives, and law enforcement

Why do we collect it?

We collect your personal information to:

To Identify you.
Provide treatment, care and transfer of care.
To keep you informed about our services and products.
To seek your voluntary support.
To notify you of events and marketing campaigns
Improve the quality of our services through research and development.
To understand the population groups we service, so we may tailor services accordingly.
To assess your suitability to partner with you or employ you.

How do we share this information?

The CareFlight Privacy Officer is responsible for ensuring that personal and sensitive information is shared in adherence to the Australian Privacy Act 1988 (the Act), and only to authorised persons and agencies.
Internationally – When considering the cross-border transfer of personal information Careflight adheres to the Australian Privacy Principle 8: Cross-border disclosure of personal information

How do we store and protect your personal information?

Your personal information will be stored in a manner that reasonably protects it from misuse, loss and unauthorised access, modification, and disclosure.

CareFlight, IT works on the principle of least privilege. Least privilege is an information security concept that gives users, the minimum level of access to systems that they will need to complete their job responsibilities.

Data security is underpinned by the following data security policies:

Information Security Management System Policy (IT-015)
Information Security Management System Framework (IT-014)
Access Control Policy (IT-016)

What do we do with your information when it’s no longer required?

CareFlight only maintains information as long as it is required, and for the purpose it was collected for. We adhere to relevant state and territory legislation regarding the retention period and disposal of your information.

How can you access, update, delete or change your personal information?

CareFlight is committed to ensuring that the information we maintain is current, accurate and appropriate.

Should you wish to correct or delete your information, remove your details from our mailing/marketing database or request medical or other information please contact the CareFlight Privacy Officer at privacy@careflight.org

The Privacy Officer will manage the request and may require additional documentation to be completed or provided to verify the identity or authorisation of the requestor.

Requests for Medical Records and Crew Statements* are managed per the CareFlight Release of Medical Information and Provision of Statements Procedure (MS-066)

*Crew Statements as required by law.

Can my request for my medical records be declined?

In certain circumstances, as outlined by the OIAC, CareFlight may refuse to give you access to your health information if,

it may threaten your or someone else’s life, health or safety.
it may impact someone else’s privacy.
giving access would be unlawful.

If giving you certain information would impact someone else’s privacy, then CareFlight may remove or block out that part and give you the rest of the information.

If it’s not possible to give information directly to you because of a concern for your health or safety then CareFlight may give access through an agreed third party, such as your GP.

If CareFlight is unable to provide you with the information, The Privacy Officer will provide you with a written explanation, and information on how to make a complaint, should you wish to do so.

Can I be anonymous?

You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.

How are data breaches managed?

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. CareFlight takes any data breach seriously. The Privacy Officer in partnership with the appropriate GM and Chief Executive Office and Chief Operating Officer is responsible for overseeing the response.

Notifiable data breaches are managed per https://www.oaic.gov.au/privacy/notifiable-data-breaches

The Chief Information Officer is the lead investigator for any data breaches involving IT Systems. Details of the data breach and subsequent management are tracked within the CareFlight incident management system.

I have a question or complaint.

If you have any questions or concerns about how privacy is managed at Careflight we encourage you to discuss them in the first instance with the CareFlight Privacy Officer on 02 9843 5100 or by email at privacy@careflight.org

Should you not be satisfied with the outcome, or wish to escalate your complaint, please refer to the OIAC website for further information: https://www.oaic.gov.au/privacy/privacy-complaints

References:

Australian Privacy Policy (1998)
1. OAIC – https://www.oaic.gov.au/
Australian Privacy Principles (APP’s)
CareFlight Data Security Policy
CareFlight Requests for Medical Records and Crew Statements Procedures

Privacy Policy Approval Date

26 November 2024