Health agencies must take reasonable steps to protect the personal information they hold from misuse, loss and unauthorised access, modification or disclosure.4
Security measures may be both physical (for example, locks and swipe cards for rooms and compactuses) and electronic (for example, passwords and encryption for computers and USB devices). The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring.
Information Standard 18 (Information Security) may be of assistance in determining what basic security measures are required.
Health agencies may also wish to consider implementing internal policies and providing training regarding:
- internal authorisations and levels of access to information
- use of portable storage devices such as USB devices, mobile phones and CDs
- password and encryption protections; and
- email and facsimile use procedures and safeguards.
If the personal information is no longer needed for any purpose for which the information was collected, health agencies must take reasonable steps to ensure that the individual can not be identified from the personal information.5
Reasonable steps may include destruction or de-identification, depending on the nature of the personal information and health agencies' obligations under the Public Records Act 2002 (Qld).
De-identification must be permanent; health agencies must not be able to later match the information with other records to re-establish identity.
- 1 All references to health agencies in this document include bound contracted service providers for health agencies. [up]
- 2 Refer to Guideline – Key Concepts - Use and Guideline - Key Concepts - Disclosure, for more information about 'use' and 'disclosure'. [up]
- 3 National Privacy Principles (NPP) 3. [up]
- 4 NPP 4(1). [up]
- 5 NPP 4(2). [up]
Current as at: July 9, 2012