Health agencies must take reasonable steps to protect the personal information they hold from misuse, loss and unauthorised access, modification or disclosure.4
Security measures may be both physical (for example, locks and swipe cards for rooms and compactuses) and electronic (for example, passwords and encryption for computers and USB devices). The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring.
Information Standard 18 (Information Security) may be of assistance in determining what basic security measures are required.
Health agencies may also wish to consider implementing internal policies and providing training regarding:
If the personal information is no longer needed for any purpose for which the information was collected, health agencies must take reasonable steps to ensure that the individual cannot be identified from the personal information.5
Reasonable steps may include destruction or de-identification, depending on the nature of the personal information and health agencies' obligations under the Public Records Act 2002 (Qld).
De-identification must be permanent; health agencies must not be able to later match the information with other records to re-establish identity.
Current as at: July 9, 2012