Checklist
As a health provider, you're subject to the normal requirements of the new regime, plus some extra requirements specific to health information. For more, see our health section.
As of 21 December 2001, compliance is mandatory. Ideally, you should have a privacy policy up and running by now, giving you sufficient time to overcome any teething problems.
You should:
- decide whether to subscribe to an approved industry code, and if so, which one is most appropriate for you.
- conduct an information audit - determine what information you collect, what it is used for and how it is stored.
- establish a means of distinguishing between personal information you have collected before and after 22 December 2001.
You should also review how you collect information - for example, you should:
- determine what information collection is necessary for the legitimate functions of your business.
- review all forms used for collecting personal information - should they include new or expanded patient consents?
You should also develop a publicly available privacy policy and review your information handling. For example, you should:
- develop systems to isolate and then destroy or de-identify personal information that's no longer needed.
- formulate your written privacy policy - depending upon the size of the organisation and the extent and type of information collected this may require expert legal assistance.
- train staff to comply with the privacy policy.
- possibly appoint a privacy officer to oversee the formation, implementation and maintenance of the privacy policy.
- assign responsibility and create procedures for access and correction requests.
You should have:
- a working privacy policy; and
- sufficient human and technological resources to enable you to comply with the privacy policy.