Policy for the handling of personal information by Hahn Healthcare Pty Ltd

Version 1.2

Key Definitions

Confidential Information: Information that is not known to, or readily accessible by, the public and disclosure of that information would cause harm to or disadvantage a person or organisation. Access and disclosure of Confidential Information must be controlled and will only be given to persons who require access to perform their duties.

Data Breach: An incident, in which Personal Information or Confidential Information is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

Eligible Data Breach: A Data Breach which has caused serious harm to an individual requiring notification under the Notifiable Data Breaches Scheme under the Privacy Act or which is notifiable under GDPR to the Information Commissioner’s Office in the UK, or the equivalent notifying body in other countries or jurisdictions.

GDPR: General Data Protection Regulation (GDPR), the equivalent to the Australian Privacy Act 1988 (Cth) in the European Union, which took effect in May 2018, and enacted individually in member countries (applying in the UK via the Data Protection Act 2018).

Personal Information (Privacy Act) or Personal Data (GDPR): Hahn Healthcare recognises the importance of privacy and is committed to the management and handling of Personal Information in an open and transparent way. Hahn Healthcare is required to comply with the Australian Privacy Act 1988 (Cth) (Privacy Act) and this policy creates a framework to ensure that any Personal Information Hahn holds is collected, used, stored and disclosed in accordance with the Australian Privacy Principles in the Privacy Act.

Privacy Act: Privacy Act 1988 (Cth)

Sensitive Information: Personal Information categorised as Sensitive Information under the Privacy Act, including but not limited to health records.

1.1 Objective

Hahn Healthcare recognises the importance of privacy and is committed to the management and handling of Personal Information in an open and transparent way. Hahn Healthcare is required to comply with the Australian Privacy Act 1988 (Cth) (Privacy Act) and, to the extent required by Hahn Healthcare’s operations outside of Australia which collect Personal Data from residents of European Union member countries, Hahn Healthcare is also required to comply with the GDPR.

This policy creates a framework to ensure that any Personal Information Hahn holds is collected, used, stored and disclosed in accordance with the Australian Privacy Principles in the Privacy Act and, where required, the GDPR.

1.2 Scope

This Privacy Policy documents the handling of Personal Information by Hahn Healthcare Pty Ltd. This policy does not apply to the handling of Personal Information about Hahn Healthcare employees.

1.3 Related Policies

Hahn Healthcare policies that should be read in conjunction with this policy are:

  • Data Breach Response Policy
  • Data Classification Policy
  • Confidentiality Policy

1.4 Regulatory Environment

As a healthcare company which deals with Personal Information and Sensitive Information, Hahn Healthcare has an obligation to respect the privacy of individuals and to follow the privacy laws in Australia and other countries in which Hahn Healthcare has operations, which include:

  • the Privacy Act 1988 (Cth) (as amended from time to time);
  • the National Privacy Principles contained in Schedule 3 to the Privacy Act or where applicable, the Australian Privacy Principles contained in Schedule 1 of the Privacy Act;
  • all other applicable laws that require a person to observe privacy or confidentiality obligations in respect of Personal Information;
  • the Data Protection Act 2018 (UK) and legislation enacting the GDPR in other European Union member countries, to the extent applicable to Hahn Healthcare’s business or operations.

2.1 Personal Information Collected and Held by Hahn Healthcare

Hahn Healthcare may collect and hold information about individuals who may be customers, members of the general public, job applicants, business contacts, healthcare professionals and others. The information Hahn Healthcare typically collects and holds includes:

General Public

Much of the information collected and held by Hahn Healthcare about you will be de-identified. Information held by Hahn Healthcare about members of the public could include:

  • Your name, relevant address, telephone number(s) and email address
  • Any dealings you may have with Hahn Healthcare, including product enquiries or complaints, Adverse Event reporting, and enquiries to Hahn Healthcare’s Medical Information line
  • Information relevant to your participation in medication access programs or patient support programs managed by Hahn Healthcare
  • Information relevant to your participation in Hahn Healthcare run conferences or other educational events
  • Information obtained when you access Hahn Healthcare’s website

Job Applicants

The types of Personal Information Hahn Healthcare collects from job applicants, including contractors, may include:

  • Employment history
  • Education and Qualifications
  • Information relating to credentialing of health professionals
  • Opinions about suitability for employment from referees and previous employers
  • Taxation, superannuation and banking details
  • Information from the public domain and social media websites
  • Information obtained when you access Hahn Healthcare’s website
  • Residential address
  • Copies of Identification documents – driver’s licence and/or passport
  • Name and contact information for next of kin

Applicants for employment and/or contract roles have the right to not disclose Personal Information, however, Hahn Healthcare may not be able to assess a candidate’s suitability for employment when it does not receive all necessary information. Hahn Healthcare will only disclose the Personal Information of job applicants to third parties with the consent of the job applicant, or as otherwise permitted in limited circumstances by law.

Once a position has been filled, all applications received by Hahn Healthcare are filed and kept by the recruitment manager in the human resources team.

Business Contacts

  • Your name, business address, business telephone number(s) and email address
  • Dealings with Hahn Healthcare in respect of general business relationships
  • Work, professional and employment references, reports and assessments
  • Information from public domain websites
  • Information obtained when you access Hahn Healthcare’s website

Healthcare Professionals

  • Your name, practice location, business telephone number(s) and email address
  • Professional credentials and other details, including AHPRA numbers or equivalents in other jurisdictions, and College CPD number, years in practice
  • Practice speciality including areas of interest
  • Treatment site affiliation (hospital) and contact information
  • Membership of professional associations
  • Practice and/or business information including, where applicable, interest in Hahn Healthcare products
  • Information relating to your patients, following Adverse Event reporting, product complaints or Medical Information line enquiries
  • Information relating to your participation in Hahn Healthcare sponsored or supported medication access programs, patient support programs, conferences or other educational events
  • Information from public domain websites
  • Information obtained when you access Hahn Healthcare’s website
  • Survey and demographic information
  • Survey and aggregate clinical practice information (e.g. number and type of patients treated)
  • Standard sales call information – who we connected with, date of the call, the call outcome, call duration and call notes
  • Sales data from IMS, wholesalers, or a Pharmacy point-of-sale system.

Patients

Data collected will vary by programme, but can include:

  • Name
  • Home address
  • Mobile phone number
  • Email address
  • Age
  • Gender
  • Diagnosis
  • Treatment information (drug, date of initiation, dose, duration/discontinuation)

Adverse Event Reporting

Hahn Healthcare is required to report Adverse Events to its clients relating to client medicines. In some cases, this information may then be transmitted in a de-identified manner to regulatory authorities and to client affiliates based outside of Australia. The following information is collected and used to fulfil these reporting requirements:

  • Identifiable patient information is required for an Adverse Event report to be validated, however, only patient initials OR age OR gender is required.
  • Where Adverse Event reports require submission to local regulatory health authorities or to an in-licensed partner/distributor, a de-identified CIOMS-I form is used to collect and transmit the information (refer to section 2.4 for additional information).
  • Suspect Drug Information (name, strength, dosage, route of administration, therapy start and end date, indications for use).
  • Adverse Event details (date started/ended, outcome, causality).
  • Concomitant medications (if any).
  • Medical conditions (if available).
  • Name, profession, institution name and contact details of the person reporting the Adverse Event. If the Adverse Event is reported by a patient, personal details are de-identified and contact details are withheld unless authorised to complete a follow-up, in which case the contact details are retained until they are no longer needed, at which time they are permanently deleted.