PSR Privacy Policy

1. Introduction

Australian Privacy Principle (APP) 1.3 of the Privacy Act 1988 (the Privacy Act) requires Professional Services Review (PSR), as an ‘APP entity’, to have an 'APP Privacy Policy'.

2. PSR

PSR is a small agency within the Commonwealth Health portfolio. PSR is responsible for providing administrative support to the Director of PSR, PSR peer review Committees and the Determining Authority in performing their respective functions under Part VAA of the Health Insurance Act 1973.

3. The Privacy Act

The Privacy Act regulates how APP entities such as PSR collect, hold, use and disclose ‘personal information’ which is a defined term in the Act.  ‘APP entity’ is also a defined term and includes Commonwealth agencies as well as many organisations in the private sector.  The Privacy Act also provides for individuals to seek access to, and correction of, their personal information.

Personal information is information or opinion in any form that identifies, or enables identification of, a living person. The complete definition in the Privacy Act is:

'Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.'

This APP Privacy Policy sets out how PSR, as an APP entity, manages personal information.

4. Compliance with the Privacy Act

PSR is required to comply with the Privacy Act and, in particular, the thirteen APPs which regulate the collection, storage, use and disclosure of personal information.

5. PSR's Personal Information Handling Practices

5.1 Collection of personal information generally

PSR only collects personal information which it needs in order to perform its functions and activities under the Health Insurance Act 1973. PSR only collects personal information in a limited range of categories.
These categories include:

  • information about medical and other health practitioners when Medicare requests PSR to review their provision of services under the Medicare program and the Pharmaceutical Benefits Scheme;
  • personal information about individuals who have received services under the Medicare and dental benefits programs and the Pharmaceutical Benefits Scheme from or on behalf of practitioners who are the subject of a review by PSR;
  • personal information collected by contracted service providers in compliance with contractual measures as required by the Privacy Act; and
  • personal information collected from employees, job applicants, contractors and others in relation to employment at PSR.

PSR collects personal information only in accordance with the Privacy Act.

PSR routinely provides a privacy notice as required by APP 5 when it solicits personal information. However, PSR is not routinely required to provide a notice under APP 5 where personal information is solicited from individuals and/or third parties as part of a PSR review process.

Occasionally, individuals or organisations may provide personal information to PSR on an unsolicited basis. PSR does not normally give an APP 5 privacy notice in these circumstances because of the unsolicited nature of the information received.

In all cases where personal information is received, it is handled according to the particular circumstances and in compliance with the Privacy Act.

PSR collects personal information through a range of different channels including:

  • paper-based and electronic forms (including online forms)
  • face to face meetings
  • telephone, email, and facsimile communications
  • from persons under review and third parties under Notices issued pursuant to section 89B and s 105A of the Act
  • PSR’s websites (including online portals).

When you visit the PSR website, we use Google Analytics to collect or view website traffic information. Google Analytics has its own privacy policy. Information collected when you visit the PSR website may include the IP address of the device you are using and information about sites that IP address has come from. PSR uses this information to maintain and improve our website. In relation to Google Analytics, you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.

5.2 Kinds of personal information collected and held

PSR collects and holds various kinds of personal information including:

  • records relating to personnel, payroll matters, recruitment, disciplinary and counselling matters for the PSR's staff, contractors and job applicants including security clearances and police record checks;
  • records relating to occupational health and safety matters including accident and injury records, compensation and rehabilitation case files;
  • applications, correspondence (including decision letters), instruments of appointment and other records relating to the performance of the PSR's legislative and administrative functions and activities;
  • correspondence, invoices, receipts and other records relating to goods and services supplied to PSR;
  • correspondence, invoices, receipts and other records relating to services provided by PSR or publications purchased from PSR;
  • correspondence, curricula vitae, remuneration and travel records and other records, including membership lists, relating to PSR's statutory office holders and peer review committees;
  • distribution and mailing lists relating to the dissemination of PSR publications, reports, newsletters and other information of interest to individuals;
  • correspondence and other documents relating to contracts, grants, allocations, funding agreements, requests for tenders and other procurement processes;
  • correspondence, reports and other records relating to internal and external audits, allegations of fraud and compliance investigations;
  • correspondence and other records (including medical records) from individuals, organisations, medical practitioners and third parties;
  • correspondence to the Ministers and Ministerial staff including background and briefing material;
  • correspondence and other documents relating to complaints and other feedback provided to PSR;
  • requests for access to documents held by PSR including requests under the Freedom of Information Act 1982 (FOI Act) and related correspondence; and
  • correspondence and other documents relating to requests for legal advice.

5.3 Sensitive Information

Where the above kinds of personal information include sensitive information such as:

  • information about an individual’s racial or ethnic origin;
  • health information such as details of an individual’s medical history, including details of specific medical conditions, disabilities and medication history; or
  • information about an individual’s membership of a professional association,

this information is given the higher level of protection required by the APPs.

5.4 How PSR holds personal information

PSR has controls in place to protect the information we collect from loss, unauthorised access or disclosure and from any other misuse. Our controls include:

  • access to personal information collected is restricted to authorised persons
  • our internal network and databases are protected using firewall, intrusion detection and other technologies
  • paper files containing personal and sensitive information are protected in accordance with Australian Government security policy
  • PSR’s premises are under 24-hour surveillance and access is via security passes only, with all access and attempted access logged electronically, and
  • PSR conducts system audits and staff training to ensure adherence to our established protective and computer security practices.

PSR stores and disposes of personal information in accordance with the Archives Act 1983.

PSR makes use of GovTEAMS - an online workspace for whole of government collaboration - to temporarily store personal information. GovTEAMS is managed by the Department of Finance (and provided by a third party). In order to protect personal information once it leaves the PSR environment for the cloud computing environment, the Department of Finance:

  • ensures that its cloud service providers are contractually bound to protect personal information in accordance with the Privacy Act;
  • ensures cloud service providers offer personal information security measures that are at least equal to those used by Finance, and
  • ensures contractual arrangements are in place with cloud service providers to destroy or de-identify personal information once it is no longer needed.

Finance’s use of cloud computing environments is informed by the following documents:

  • Commonwealth of Australia (Digital Transformation Agency) Secure Cloud Strategy (2017)
  • Commonwealth of Australia (Department of Finance) Australian Government Cloud Computing Policy Maximising the Value of Cloud (July 2013), and
  • Commonwealth of Australia (Department of Finance) Resource Management Guide No. 406 Australian Government Cloud Computing Policy (October 2014).

5.5 Purposes for which personal information is collected, held, used and disclosed

The purpose for which PSR collects, holds, uses and discloses personal information will vary depending on the function and activity being undertaken and may include one or more of the following:

  • performing personnel functions including work health and safety obligations in relation to PSR’s staff and contractors;
  • recruiting and engaging staff and contractors;
  • providing secretariat services to the PSR's statutory office holders and peer review committees;
  • undertaking compliance with legal obligations under portfolio and other legislation;
  • maintaining appointment and officer details and making decisions in relation to portfolio appointments;
  • investigating and responding to reports of inappropriate practice within Medicare and the Pharmaceutical Benefits Scheme;
  • contract management;
  • managing and responding to correspondence and enquiries from individuals and organisations; and
  • support for the Director in performing their functions under the Health Insurance Act 1973.

5.6 How to seek access to and correction of personal information

An individual has a right of access under the Privacy Act to personal information about himself or herself held by PSR.

Individuals may make a request to PSR for access to their personal information under APP 12, by using the contact details set out at section 7.1 of this APP Privacy Policy.

Alternatively, individuals may make a request for access to documents containing their personal information under the FOI Act by emailing PSR’s FOI Coordinator at foi@psr.gov.au. Under the FOI Act, PSR is entitled to refuse access or only give access to certain information, for example where the personal information is contained within a document that is commercially sensitive. If PSR denies an FOI request, in whole or in part, PSR will set out its reasons in writing.

PSR will try to make personal information available within 30 days after receiving an individual’s request. There is no charge for PSR providing the individual’s personal information under a request or under the FOI Act. However, some charges may apply to requests under the FOI Act that extend to additional documents.

An individual also has a right under the Privacy Act to request PSR to correct his or her personal information. Where an individual wishes to request correction of personal information, he or she should contact PSR at the contact details provided at paragraph 7.1 of this APP Privacy Policy. PSR will deal promptly with the request in accordance with the requirements of the APPs.

For more information on accessing, or correcting, personal information held by PSR, please contact PSR using the details set out at section 7.1 below.

Further information about making FOI requests (including when fees and charges may apply) is available on PSR's FOI web page (at https://www.psr.gov.au/psr-agency-corporate-information/freedom-of-information-foi)  or by telephoning (02) 6120 9100.

5.7 Disclosure of personal information

Other than where required for the purpose of performing its functions under the Health Insurance Act or in circumstances such as unlawful activity or serious threats to health and safety, PSR does not ordinarily share personal information with other government agencies.

If an individual approaches PSR about an issue that needs to be dealt with by another agency, PSR will provide the individual with the necessary details to enable the individual to make contact with the other agency themselves.

PSR may also disclose your personal information to the Department of Finance, which manages a cloud-based information storage and sharing system (see s 5.4 above for more detail). This information may be disclosed to an overseas recipient for the primary purpose for which it was collected, consistent with performance of PSR's functions under the Health Insurance Act 1973. Your personal information may, for example, be hosted on servers in Singapore or Hong Kong.

Some personal information collected by PSR may be disclosed to contracted service providers (for example external legal consultants) where those service providers have been contracted to assist PSR in performing these functions.

6. Complaints

If an individual believes PSR has breached his or her privacy rights, he or she may contact PSR using the contact details set out at section 7.1 of this APP Privacy Policy. PSR will treat the complaint seriously and is committed to providing a fair and timely response.

If an individual wishes to make a privacy complaint against PSR, he or she also has the option of complaining directly to the Australian Information Commissioner.

The Australian Information Commissioner’s details are set out below:

Telephone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: Australian Information Commissioner
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001

7. How to contact PSR

PSR can be contacted by telephone on (02) 6120 9100 or by email at enquiries@psr.gov.au

(Policy revised and endorsed 25 July 2019).