PSR is a small agency within the Commonwealth Health portfolio. PSR is responsible for providing administrative support to the Director of PSR, PSR peer review Committees and the Determining Authority in performing their respective functions under Part VAA of the Health Insurance Act 1973.
3. The Privacy Act
The Privacy Act regulates how APP entities such as PSR collect, hold, use and disclose ‘personal information’, which is a defined term in the Act. ‘APP entity’ is also a defined term and includes Commonwealth agencies as well as many organisations in the private sector. The Privacy Act also provides for individuals to seek access to, and correction of, their personal information.
Personal information is information or opinion in any form that identifies, or enables identification of, a living person. The complete definition in the Privacy Act is:
'Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.'
4. Compliance with the Privacy Act
PSR is required to comply with the Privacy Act and, in particular, the thirteen APPs which regulate the collection, storage, use and disclosure of personal information.
5. PSR's Personal Information Handling Practices
5.1 Collection of personal information generally
PSR only collects personal information which it needs in order to perform its functions and activities under the Health Insurance Act 1973. PSR only collects personal information in a limited range of categories.
These categories include:
- information about medical and other health practitioners when Medicare requests PSR to review their provision of services under the Medicare program and the Pharmaceutical Benefits Scheme;
- personal information about individuals who have received services under the Medicare and dental benefits programs and the Pharmaceutical Benefits Scheme from or on behalf of practitioners who are the subject of a review by PSR;
- personal information collected by contracted service providers in compliance with contractual measures as required by the Privacy Act; and
- personal information collected from employees, job applicants, contractors and others in relation to employment at PSR.
PSR collects personal information only in accordance with the Privacy Act.
PSR routinely provides a privacy notice as required by APP 5 when it solicits personal information. However, PSR is not routinely required to provide a notice under APP 5 where personal information is solicited from individuals and/or third parties as part of a PSR review process.
Occasionally, individuals or organisations may provide personal information to PSR on an unsolicited basis. PSR does not normally give an APP 5 privacy notice in these circumstances because of the unsolicited nature of the information received.
In all cases where personal information is received, it is handled according to the particular circumstances and in compliance with the Privacy Act.
PSR collects personal information through a range of different channels including:
- paper-based and electronic forms (including online forms)
- face to face meetings
- telephone, email, and facsimile communications
- from persons under review and third parties under Notices issued pursuant to section 89B and s 105A of the Act
- PSR’s websites (including online portals).
5.2 Kinds of personal information collected and held
PSR collects and holds various kinds of personal information including:
- records relating to personnel, payroll matters, recruitment, disciplinary and counselling matters for the PSR's staff, contractors and job applicants including security clearances and police record checks;
- records relating to occupational health and safety matters including accident and injury records, compensation and rehabilitation case files;
- applications, correspondence (including decision letters), instruments of appointment and other records relating to the performance of the PSR's legislative and administrative functions and activities;
- correspondence, invoices, receipts and other records relating to goods and services supplied to PSR;
- correspondence, invoices, receipts and other records relating to services provided by PSR or publications purchased from PSR;
- correspondence, curricula vitae, remuneration and travel records and other records, including membership lists, relating to PSR's statutory office holders and peer review committees;
- distribution and mailing lists relating to the dissemination of PSR publications, reports, newsletters and other information of interest to individuals;
- correspondence and other documents relating to contracts, grants, allocations, funding agreements, requests for tenders and other procurement processes;
- correspondence, reports and other records relating to internal and external audits, allegations of fraud and compliance investigations;
- correspondence and other records (including medical records) from individuals, organisations, medical practitioners and third parties;
- correspondence to the Ministers and Ministerial staff including background and briefing material;
- correspondence and other documents relating to complaints and other feedback provided to PSR;
- requests for access to documents held by PSR including requests under the Freedom of Information Act 1982 (FOI Act) and related correspondence; and
- correspondence and other documents relating to requests for legal advice.
5.3 Sensitive Information
Where the above kinds of personal information include sensitive information such as:
- information about an individual’s racial or ethnic origin;
- health information such as details of an individual’s medical history, including details of specific medical conditions, disabilities and medication history; or
- information about an individual’s membership of a professional association,
this information is given the higher level of protection required by the APPs.
5.4 How PSR holds personal information
PSR has controls in place to protect the information we collect from loss, unauthorised access or disclosure and from any other misuse. Our controls include:
- access to personal information collected is restricted to authorised persons
- our internal network and databases are protected using firewall, intrusion detection and other technologies
- paper files containing personal and sensitive information are protected in accordance with Australian Government security policy
- PSR’s premises are under 24-hour surveillance and access is via security passes only, with all access and attempted access logged electronically, and
- PSR conducts system audits and staff training to ensure adherence to our established protective and computer security practices.
PSR stores and disposes of personal information in accordance with the Archives Act 1983.
PSR makes use of GovTEAMS, an online workspace for whole of government collaboration, to temporarily store personal information. GovTEAMS is managed by the Department of Finance (and provided by a third party). In order to protect personal information once it leaves the PSR environment for the cloud computing environment, the Department of Finance:
- ensures that its cloud service providers are contractually bound to protect personal information in accordance with the Privacy Act;
- ensures cloud service providers offer personal information security measures that are at least equal to those used by Finance, and
- ensures contractual arrangements are in place with cloud service providers to destroy or de-identify personal information once it is no longer needed.
Finance’s use of cloud computing environments is informed by the following documents:
- Commonwealth of Australia (Digital Transformation Agency) Secure Cloud Strategy (2017)
- Commonwealth of Australia (Department of Finance) Australian Government Cloud Computing Policy Maximising the Value of Cloud (July 2013), and
- Commonwealth of Australia (Department of Finance) Resource Management Guide No. 406 Australian Government Cloud Computing Policy (October 2014).
5.5 Purposes for which personal information is collected, held, used and disclosed
The purpose for which PSR collects, holds, uses and discloses personal information will vary depending on the function and activity being undertaken and may include one or more of the following:
- performing personnel functions including work health and safety obligations in relation to PSR’s staff and contractors;
- recruiting and engaging staff and contractors;
- providing secretariat services to the PSR's statutory office holders and peer review committees;
- undertaking compliance with legal obligations under portfolio and other legislation;
- maintaining appointment and officer details and making decisions in relation to portfolio appointments;
- investigating and responding to reports of inappropriate practice within Medicare and the Pharmaceutical Benefits Scheme;
- contract management;
- managing and responding to correspondence and enquiries from individuals and organisations; and
- support for the Director in performing their functions under the Health Insurance Act 1973.
5.6 How to seek access to and correction of personal information
An individual has a right of access under the Privacy Act to personal information about himself or herself held by PSR.
Alternatively, individuals may make a request for access to documents containing their personal information under the FOI Act by emailing PSR’s FOI Coordinator at email@example.com. Under the FOI Act, PSR is entitled to refuse access or only give access to certain information, for example where the personal information is contained within a document that is commercially sensitive. If PSR denies an FOI request, in whole or in part, PSR will set out its reasons in writing.
PSR will try to make personal information available within 30 days after receiving an individual’s request. There is no charge for PSR providing the individual’s personal information under a request or under the FOI Act. However, some charges may apply to requests under the FOI Act that extend to additional documents.
For more information on accessing, or correcting, personal information held by PSR, please contact PSR using the details set out at section 7.1 below.
Further information about making FOI requests (including when fees and charges may apply) is available on PSR's FOI web page (at https://www.psr.gov.au/psr-agency-corporate-information/freedom-of-information-foi) or by telephoning (02) 6120 9100.
5.7 Disclosure of personal information
Other than where required for the purpose of performing its functions under the Health Insurance Act or in circumstances such as unlawful activity or serious threats to health and safety, PSR does not ordinarily share personal information with other government agencies.
If an individual approaches PSR about an issue that needs to be dealt with by another agency, PSR will provide the individual with the necessary details to enable the individual to make contact with the other agency themselves.
PSR may also disclose your personal information to the Department of Finance, which manages a cloud-based information storage and sharing system (see section 5.4 above for more detail). This information may be disclosed to an overseas recipient for the primary purpose for which it was collected, consistent with performance of PSR's functions under the Health Insurance Act 1973. Your personal information may, for example, be hosted on servers in Singapore or Hong Kong.
Some personal information collected by PSR may be disclosed to contracted service providers (for example external legal consultants) where those service providers have been contracted to assist PSR in performing these functions.
If an individual wishes to make a privacy complaint against PSR, he or she also has the option of complaining directly to the Australian Information Commissioner.
The Australian Information Commissioner’s details are set out below:
Telephone: 1300 363 992
Post: Australian Information Commissioner
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
7. How to contact PSR
PSR can be contacted by telephone on (02) 6120 9100 or by email at firstname.lastname@example.org
(Policy revised and endorsed 25 July 2019).