Policy for the handling of Personal Information by Hahn Healthcare Pty Ltd
Version: 1.2
Key definitions
Confidential Information
Information that is not known to, or readily accessible by, the public and disclosure of that information would cause harm to or disadvantage a person or organisation. Access and disclosure of Confidential Information must be controlled and will only be given to persons who require access to perform their duties.
Data Breach
An incident, in which Personal Information or Confidential Information is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
Eligible Data Breach
A Data Breach which has caused serious harm to an individual requiring notification under the Notifiable Data Breaches Scheme under the Privacy Act or which is notifiable under GDPR to the Information Commissioner’s Office in the UK, or the equivalent notifying body in other countries or jurisdictions.
GDPR
General Data Protection Regulation (GDPR), the equivalent to the Australian Privacy Act 1988 (Cth) in the European Union, which took effect in May 2018, and enacted individually in member countries (applying in the UK via the Data Protection Act 2018).
Personal Information (Privacy Act) or Personal Data (GDPR)
Information about an identified individual, or an individual who is reasonably identifiable. Information that is not about an individual on its own can become Personal Information when it is combined with other information if this combination results in an individual becoming ‘reasonably identifiable’. Information which has had identifiers removed or replaced in order to anonymise the data is still Personal Data for the purposes of GDPR. To the extent relevant, each reference in this policy to Personal Information shall also be deemed to include Personal Data.
Privacy Act
Privacy Act 1988 (Cth)
Sensitive Information
Personal Information categorised as Sensitive Information under the Privacy Act, including but not limited to health records.
1.1 Objective
Hahn Healthcare recognises the importance of privacy and is committed to the management and handling of Personal Information in an open and transparent way. Hahn Healthcare is required to comply with the Australian Privacy Act 1988 (Cth) (Privacy Act) and to the extent required by Hahn Healthcare’s operations outside of Australia which collect Personal Data from residents of European Union member countries, Hahn Healthcare is also required to comply with GDR.
This policy creates a framework to ensure that any Personal Information Hahn holds is collected, used, stored and disclosed in accordance with the Australian Privacy Principles in the Privacy Act. and where required, the GDPR
1.2 Scope
This Privacy Policy documents the handling of Personal Information by Hahn Healthcare Pty Ltd. This policy does not apply to the handling of Personal Information about Hahn Healthcare employees.
1.3 Related Policies
Hahn Healthcare policies that should be read in conjunction with this policy are:
• Data Breach Response Policy
• Data Classification Policy
• Confidentiality Policy
1.4 Regulatory Environment
As a healthcare company which deals with Personal Information and Sensitive Information, Hahn Healthcare has an obligation to respect the privacy of individuals and to follow the privacy laws in Australia and other countries in which Hahn Healthcare has operations, which include:
• the Privacy Act 1988 (Cth) (as amended from time to time);
• the National Privacy Principles contained in Schedule 3 to the Privacy Act or where applicable, the Australian Privacy Principles contained in Schedule 1 of the Privacy Act;
• all other applicable laws that require a person to observe privacy or confidentiality obligations in respect of Personal Information;
• the Data Protection Act 2018 (UK) and legislation enacting the GDPR in other European Union member coutnries, to the extent applicable Hahn Healthcare’s business or operations.
2.1 Personal Information Collected and Held by Hahn Healthcare
Hahn Healthcare may collect and hold information about individuals who may be customers, members of the general public, job applicants, business contacts, healthcare professionals and others.
The information Hahn Healthcare typically collects and holds includes:
General Public
Much of the information collected and held by Hahn Healthcare about you will be de-identified. Information held by Hahn Healthcare about members of the public could include:
• Your name, relevant address, telephone number(s) and email address,
• Any dealings you may with Hahn Healthcare, including product enquiries or complaints, Adverse Event reporting, and enquiries to Hahn Healthcare’s Medical Information line
• Information relevant to your participation in medication access programs or patient support programs managed by Hahn Healthcare
• Information relevant to your participation in Hahn Healthcare run conferences or other educational events
• Information obtained when you access Hahn Healthcare’s website
Job Applicants
The types of Personal Information Hahn Healthcare collect from job applicants, including contractors, may include:
• Employment history
• Education and Qualifications
• Information relating to credentialing of health professionals
• Opinions about suitability for employment from referees and previous employers
• Taxation, superannuation and banking details
• Information from the public domain and social media websites
• Information obtained when you access Hahn Healthcare’s website
• Residential address
• Copies of Identification documents – driver’s licence and/or passport
• Name and contact information for next of kin
Applicants for employment and/or contract roles have the right to not disclose Personal Information, however, Hahn Healthcare may not be able to assess a candidate’s suitability for employment when it does not receive all necessary information. Hahn Healthcare will only disclose the Personal Information of job applicants to third parties with the consent of the job applicant, or as otherwise permitted in limited circumstances by law.
Once a position has been filled, all applications received by Hahn Healthcare are filed and kept by the recruitment manager in the human resources team.
Business Contacts
• Your name, business address, business telephone number(s) and email address
• Dealings with Hahn Healthcare in respect of general business relationships
• Work, professional and employment references, reports and assessments
• Information from public domain websites
• Information obtained when you access Hahn Healthcare’s website
Healthcare Professionals
• Your name, practice location, business telephone number(s) and email address
• Professional credentials and other details, including AHPRA numbers or equivalents in other jurisdictions, and College CPD number, years in practice
• Practice speciality including areas of interest
• Treatment site affiliation (hospital) and contact information
• Membership of professional associations
• Practice and/or business information including, where applicable, interest in Hahn Healthcare products
• Information relating to your patients, following Adverse Event reporting, product complaints or Medical Information line enquiries
• Information relating your participation in Hahn Healthcare sponsored or supported medication access programs, patient support programs, conferences or other educational events
• Information from public domain websites
• Information obtained when you access Hahn Healthcare’s website
• Survey and demographic information
• Survey and aggregate clinical practice information (e.g. number and type of patients treated)
• Standard sales call information – who we connected with, date of the call, the call outcome, call duration and call notes
• Sales data from IMS, wholesalers, or a Pharmacy point-of-sale system.
Patients
Data collected will vary by programme, but can include:
• Name
• Home address
• Mobile phone number
• Email address
• Age
• Gender
• Diagnosis
• Treatment information (drug, date of initiation, dose, duration/discontinuation)
Adverse Event Reporting
Hahn Healthcare is required to report Adverse Events to its clients relating to client medicines. In some cases, this information may then be transmitted in a de-identified manner to regulatory authorities and to client affiliates based outside of Australia. The following information is collected and used to fulfil these reporting requirements:
• Identifiable patient information is required for an Adverse Event report to be validated, however, only patient initials OR age OR gender is required.
• Where Adverse Event reports require submission to local regulatory health authorities or to an in-licensed partner/distributor, a de-identified CIOMS-I form is used to collect and transmit the information (refer to section 2.4 for additional information).
• Suspect Drug Information (name, strength, dosage, route of administration, therapy start and end date, indications for use).
• Adverse Event details (date started/ended, outcome, causality).
• Concomitant medications (if any).
• Medical conditions (if available).
• Name, profession, institution name and contact details of the person reporting the Adverse Event. If the Adverse Event is reported by a patient, personal details are de-identified and contact details are withheld unless authorised to complete a follow-up, in which case the contact details are retained until they are no longer needed, at which time they are permanently deleted.
2.2 How Will Hahn Healthcare Collect Your Personal Information
Wherever possible, Hahn Healthcare will collect Personal Information about you directly from you. Nevertheless, on some occasions, Hahn Healthcare may collect your Personal Information from other sources, such as:
• Public domain websites on the Internet
• Electronic communications such as articles and information pieces in which you feature such as a health information site or a medical professional site
• Publicly available directories and listings such as telephone directories or AHPRA records
• Newspapers, magazines, professional journals and the electronic media
• The date, time and domain from which you access Hahn Healthcare’s website
• Personal interactions and/or communications with Hahn Healthcare employees and/or contractors
• Databases purchased from an external provider
• Healthcare professionals reporting submitting an adverse event report
Personal information about you which Hahn Healthcare collects and holds may vary depending on your particular interaction with Hahn Healthcare and will be for a legitimate business purpose. Hahn Healthcare will not collect Sensitive Information about you, such as information about your health or ethnicity without your consent.
2.3 Collection of Your Personal Information Through Websites Operated by Hahn Healthcare
Websites operated by Hahn Healthcare may provide direct input of Personal Information under some circumstances.
In addition, Hahn Healthcare websites make use of ‘cookies’ which are small text files that are stored in the visitor’s local browser cache. This enables recognition of the visitor’s browser to optimise the website and simplify its use. Most browsers are set up to accept these cookies automatically, however, you can deactivate the storing of cookies or adjust your browser to inform you before the cookie is stored on your computer. Data collected via cookies will not be used to determine the personal identity of the website visitor.
Hahn Healthcare expects to increasingly make use of web analytics, including analysis by third party service providers, which may use IP addresses. While this may in some circumstances be ‘Personal Information’ neither Hahn Healthcare nor the service providers have any interest in an individual’s browser activities and will not use the information to take any action targeted to individuals without having obtained that person’s consent.
2.4 How Will Hahn Healthcare Hold and Use Your Personal Information
Customer Relationship Management (CRM) Software
• Information relating to healthcare professionals and third parties with which Hahn Healthcare conducts business will be held on Hahn Healthcare’s customer relationship management (CRM) software platform. This information will be accessed and used in the ordinary course of conducting business, including but not limited to communicating with you, order processing and fulfilment, accounting, responding to enquiries or complaints.
• Information relating to third parties with which Hahn Healthcare conducts business will be used to facilitate the provision of products and services to Hahn Healthcare.
• Where healthcare professionals or other Hahn Healthcare customers have opted in via completion of a consent form, or request via email, Hahn Healthcare may use your information to communicate with you in the future about programmes or events which may be of interest to you.
• Hahn Healthcare may also use this information to contact HCPs on behalf of Hahn Healthcare customers, including to send them product specific information.
• Information will also be aggregated and used on a de-identified basis for business intelligence/market insights.
Medical Information/Adverse Event Reporting Database
• Information relating to adverse events is initially documented on Hahn Healthcare’s platform and is then transcribed into a form for communication to the relevant Hahn Healthcare customer.
• Hahn Healthcare maintains a hard copy of all source documents relating to Medical Information/Adverse Events.
Patient Data
Patient data is used to administer patient programmes, including Patient Support Programmes and Product Familiarisation Programmes, which may involve:
• Direct communication with the patient via phone or email to provide information related to the programme.
• Direct shipment of a drug to the patient’s home (as directed by a patient’s medical practitioner).
• Home visits by nurses to provide education or initiation training to patients.
In the course of administering these programmes, Hahn Healthcare may share patient information on a need-to-know basis with:
• Hahn Healthcare contract nurse teams who provide in-home/phone-based support.
• Pharmacies are responsible for dispensing or shipping treatment.
• Other third parties (with patient consent). By way of example, Hahn Healthcare may be managing a Product Familiarisation Programme and the patient enrolment form includes an opt-in for a Patient Support Programme managed by another service provider.
Other Use and Disclosure
• Where relevant, information will be used for Medicines Australia Code of Conduct reporting requirements.
• Where you are participating in a Patient Familiarisation Programme or Patient Support Programme, we will use your information to confirm registration with the PFP programme and/or online portal and to provide programme updates – drug dispatch, patient discontinuation, adverse event reporting follow-up.
Hahn may disclose information about you in the course of any of the uses described above, including to related businesses and third-party service providers for routine business purposes such as order delivery, marketing, hosting, data processing and validation, data storage or archiving, printing and mailing. Hahn Healthcare will use only reputable service providers and will ensure that it enters into appropriate contractual provisions with service providers to safeguard your privacy.
Should Hahn Healthcare now or in the future use a third-party Customer Database Provider to supply it with a syndicated database of healthcare professionals and their practices, Hahn Healthcare will be required to keep the database updated and may disclose some information about healthcare professionals and their practices to its Customer Database Provider. This information will be limited to professional information about healthcare professionals and their practices. The information is used for commercial purposes and the Customer Database Provider makes that information available to all parties who also have access to its database, including pharmaceutical companies other than Hahn Healthcare.
Should Hahn Healthcare in the future buy or sell (or propose to buy or sell) all or part of its business, Hahn Healthcare may disclose your Personal Information to a third party, as customer information is generally regarded as a business asset.
Hahn Healthcare will otherwise only disclose Personal Information about you to a third party where required by law.
2.5 Overseas Recipients
Hahn Healthcare conducts business for customers who have a global presence and are headquartered in jurisdictions outside of Australia. Information held by Hahn Healthcare about you may in some circumstances be collated, de-identified and transferred to overseas partners.
Where Hahn Healthcare uses external service providers located in countries outside of Australia, Hahn Healthcare takes reasonable steps, including by contract provisions, to ensure that these service providers do not breach the Australian Privacy Principles.
Where Hahn Healthcare collects Personal Information form healthcare professionals or other persons based outside of Australia, for European residents, that date will be stored on third-party operated cloud servers located in the UK. For other non-Australian residents, Personal Information may be stored by Hahn Healthcare in the UK or in Australia. Hahn Healthcare personnel responsible for managing educational or other programmes, which collect data from European residents may from time to time access such data, which may include Personal Information, from Hahn Healthcare offices in Australia. In such circumstances, some Personal Information may be co-located on Hahn Healthcare computers and servers located in Australia.
3.1 Data Security
Hahn Healthcare uses technical and organisational security precautions to protect your data from misuse, interference or loss and from unauthorised access, modification or disclosure.
Any Personal Information that is provided to Hahn Healthcare by you through Hahn Healthcare’s systems will be encrypted in transit to prevent its possible misuse by third parties. Hahn Healthcare’s security procedures are continuously revised based on new technological developments.
In the event of an actual or suspected data breach, Hahn Healthcare will follow the procedures outlined in its Data Breach Response Plan, including
• containing the data breach
• conducting a risk assessment to assess the severity rating of a suspected or known data breach
• assessing whether an Eligible Data Breach has occurred.
If an Eligible Data Breach has occurred, Hahn Healthcare may report the data breach to third parties such as:
• Hahn Healthcare’s financial services provider
• police or law enforcement bodies
• the Australian Securities & Investments Commission (ASIC)
• the Australian Taxation Office (ATO)
• the Australian Transaction Reports and Analysis Centre (AUSTRAC)
• the Australian Cyber Security Centre (ACSC)
• the Australian Digital Health Agency (ADHA)
• the Department of Health
• State or Territory Privacy and Information Commissioners
• Information Commissioner’s Office (UK), or the equivalent notifying body in other countries or jurisdictions
• professional associations and regulatory bodies
• insurance providers.
Hahn Healthcare will contact you if you have been personally impacted by an Eligible Data Breach.
3.2 Data Retention
Hahn Healthcare will delete from its records Personal Information which is no longer required.
If Hahn Healthcare is required to retain Personal Information (e.g. Adverse Event records), then wherever practicable, it will be held in a de-identified form.
3.3 Data Access and Correction
You may request access to Personal Information Hahn Healthcare holds about you at any time. If you believe your Personal Information is inaccurate, out of date, incomplete, irrelevant or misleading, you may request to have it corrected.
Requests to access or correct Personal Information should be sent to the Privacy Officer. Please provide as much detail as possible to assist in the location of information Hahn Healthcare may be holding about you, such as your name, contact details, any former name(s), and if possible the context, for example, your relationship with Hahn Healthcare. Please specify if you are seeking access to specific Personal Information.
Hahn Healthcare will respond to your request within 30 days of receipt or within any further time notified to you in writing.
3.4 Deletion of Data
You may notify Hahn Healthcare at any time if you do not wish Hahn Healthcare to retain your Personal Information. Hahn Healthcare will comply with all such requests wherever practicable and lawful.
3.5 Complaints
All complaints regarding your Personal Informational should be made in writing to Hahn Healthcare’s Privacy Officer.
Hahn Healthcare will respond to your complaint within 30 days of receipt of your correspondence or within any further time notified to you in writing.
If you are not satisfied with the outcome of the response you receive, we can refer you to the Office of the Australian Information Commissioner (as applicable) for further investigation.
4.1 Data Protection Rights Available to European Residents Under GDPR
Hahn Healthcare would like to make sure that European residents are fully aware of all of their data protection rights in relation to Personal Data collected by Hahn Healthcare. Each European resident whose Personal Data is collected by Hahn Healthcare is entitled to the following:
4.2 The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.
4.3 The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
4.4 The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
4.5 The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
4.6 The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
4.7 The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
5.1 Privacy Officer contact information
All requests relating to access, correction or deletion of Personal Information, or any other information relating to Hahn Healthcare’s Privacy Policy should be made in writing to:
The Privacy Officer Hahn Healthcare Pty Ltd
Level 2, 104 Mount St.
North Sydney
NSW 2060
Australia
Phone: +61-2-9959 5533 Or by email: privacy@hahnhealthcare.com.au