The Atlantis Healthcare Group Privacy Policy

Updated July 2009

Given the significant sensitivities of the information we hold as an organisation, the Atlantis Healthcare Group (AHG) has developed a Privacy Policy to ensure our commitment to information privacy is maintained to an extremely high standard, and that both national and international requirements for the privacy of information are met. In addition, Atlantis Healthcare has appointed Privacy Officers globally to ensure our ongoing commitment to privacy and privacy issues.

Atlantis Healthcare designs and manages patient support programmes for the world’s leading pharmaceutical and wellness companies. Our proprietary framework uncovers the drivers behind compliance and loyalty and tailors support programmes to suit different patient needs. Our services encompass all aspects of programme creation and fulfilment.

Given that the information we hold is of a sensitive nature, we have committed to an internal programme of data protection compliance audits, in conjunction with an annual audit conducted by a respected international data privacy specialist.

We are deemed to be a 'health service / health agency / data controller' by the legislation in the countries in which we operate, and as such, are bound by the NZ Privacy Act 1993, the Australian Federal Privacy Act 1988 and the UK Data Protection Act 1998 specifically as they relate to health or sensitive information.

The requirements of all relevant pieces of legislation, including the New Zealand Marketing Association Inc. guidelines on best practice for direct, fax and email marketing, and the internal controls of AHG have been referenced in formulating this Privacy Policy.

Collection, Source, Manner, Fairness and Lawful Processing

Three key personal information categories / sources exist within AHG. The first is a database of the names and contact details of the medical / health professionals working within the markets in which we operate. The purpose for the collection of this information is for government agencies, pharmaceutical or wellness product communication and research.

This information was initially sourced through the acquisition of a privacy-compliant database, and has subsequently been built upon using publicly available sources or directly from the professional’s place of work via a 6- to 12-monthly telephone interview.

The second category is patient and / or other consumer information collected for the purpose of enrolment in a particular patient support or other loyalty programme. In these cases, the information is collected directly from the patient or consumer by way of completion of a detailed opt-in patient support enrolment / loyalty application form.

Information is also collected directly from patients / other consumers via contact with our call centre for various projects such as clinical trial recruitment. Patient / consumer privacy is covered during call scripting in these instances.

The third category is employee information collected from employees over the course of their employment with us.

AHG ensures all information is collected lawfully, professionally and as unobtrusively as possible.

Use and Disclosure

All information collected and held by AHG is collected for the purpose disclosed at the time of collection.

It is used solely for that purpose and is not disclosed to anyone externally, except in the restricted circumstances covered by the relevant legislation in each specific country.

Accuracy – Data Quality and Integrity

AHG has implemented strict procedural guidelines relating to the initial data entry and ongoing maintenance of proprietary and client data held. Data is also protected by way of technical restrictions imposed by the Group’s network in terms of who has the authority to add or edit records. All technical restrictions are detailed in the Information Security documentation of the business.

All offices of the AHG are required to implement Data Quality Assurance Programmes. These programmes are designed to ensure a selection of new records entered are double-checked by management for accuracy. Quality Assurance reports detailing any discrepancies and / or error rates are published for review by senior management each month.

Access, Correction and Deletion

Any individual included on an AHG or AHG client-hosted database has the right to access, correct, and suppress any information that is included on the database.

To ensure that individuals have access to information hosted, AHG has established a telephone service, postal service, and email service to facilitate information access, amendment or suppression. Please refer to Appendix 1 for AHG’s Data Inquiries Procedures.

This allows individuals to contact a senior team member to confirm whether details are included on a database, request copies of the information held, request that the information be corrected or suppressed, and / or confirm that the information has been disclosed in accordance with the NZ Privacy Act 1993, the Australian Federal Privacy Act 1988 and the UK Data Protection Act 1998.

AHG as an organisation is committed to ensuring that any queries are responded to in a prompt and efficient manner. We target a maximum of five working days turnaround. In a situation where a response is not readily available, an AHG representative will inform the inquirer when it will be available.

Storage, Security and Retention

AHG has implemented generally-accepted standard technology and operational security in order to protect personally identifiable information from loss, misuse, alteration or destruction. Access to the servers hosting the sensitive information is restricted from external tampering through a firewall application provided by an external supplier.

Internal access to the AHG computer network is also heavily restricted, with all employees and contractors requiring logon names and passwords to gain access. Furthermore, access to actual databases is restricted to those responsible for the validation, verification, maintenance, and extraction processes. No one individual is responsible for multiple tasks within these processes. Full information security procedures are documented in the Information Security Policy of the business.

Physical access to the premises where the databases are hosted is also heavily restricted. The requirements for access are outlined in AHG’s Security Policy. General access is through swipe key entry. These swipe keys are programmed to control access to certain parts of the premises. The server room, for example, is very heavily restricted. Visitors to the premises are required to wear visitor badges at all times, and must be accompanied by an employee or contractor of AHG while on the premises. In certain circumstances, visitors to the premises may have executive-approved and authorised access to the AHG computer network.

To secure commitment to the privacy of information, it is mandatory for all Employment Contracts and Independent Contractor Agreements to include a clause that specifies all employees and independent contractors have an understanding of and adhere to the requirements of the relevant legislation, be that the NZ Privacy Act 1993, the Australian Federal Privacy Act 1988 or the UK Data Protection Act 1998.

Retention

Information no longer required for its original purpose is managed in line with internal procedures and as contractually specified by our clients. Storage requirements vary from three months to seven years depending on the classification of the information and the requirements of our clients. Confidential information specialists handle information requiring destruction. Further details are outlined in our Security Policy.

Openness

The law requires health service providers to be open about how they handle health information. Businesses such as ours must develop a document like this one for consumers, which clearly explains how their organisation handles health information. The document must be made available to anyone who asks for it.

Unique Identifiers

AHG uses unique identifiers to assist in the management and maintenance of the databases held. Under no circumstances is one unique identifier assigned across multiple databases.

Anonymity

Australian law states that where it is lawful and practicable, consumers must be given the option to use health services without identifying themselves. Where possible, Atlantis Healthcare has systems allowing for patients to enrol into a patient support programme anonymously.

Transborder Data Flows

In some circumstances, patient information is transferred between offices to enable us to utilise the available skills and expertise of our team effectively.

Where necessary, the specifics of the data transfer process are discussed with and approved by the client organisation and / or the Information Asset owner.

Any AHG data transferred externally between offices must follow the strict data transmission procedures detailed in the group’s Information Security Policy.

Statement

This Privacy Policy has been developed by AHG in consultation with external consultants, and in adherence to the requirements of the NZ Privacy Act 1993, the Australian Federal Privacy Act 1988 and the UK Data Protection Act 1998.

It has been developed to assist the organisation in ensuring that full and auditable processes are in place to comply with privacy requirements.

As part of the organisation’s ongoing commitment to the privacy of information, AHG reserves the right to modify or amend this Privacy Policy at any time.

This Privacy Policy is not intended to create a contract or agreement between AHG and any client, individual, or organisation.

Contacts

AHG has appointed Privacy Officers in each location to ensure the privacy requirements of the NZ Privacy Act 1993, the Australian Federal Privacy Act 1988 and the UK Data Protection Act 1998 are met. Requests for information can be sent to the following:

New Zealand

Sarah Walsh
The Privacy Officer
Atlantis Healthcare Group
Private Bag 92145
Auckland Mail Service Centre
Auckland
New Zealand
Telephone +64 9 980 9880
Facsimile +64 9 980 9898

Australia

Paul Harris
The Privacy Officer
Atlantis Healthcare Australia Pty Ltd
PO Box 6450
Alexandria
Sydney NSW 2015
Australia
Telephone +61 2 8332 6888
Facsimile +61 2 8332 6889

United Kingdom

Hamish Franklin
The Privacy Officer
Atlantis Healthcare UK Limited
1st Floor, Unit 1,
Hammersmith Studios
55a Yeldham Rd,
London W68JF
United Kingdom
Telephone + 44 2079 37 97 93
Facsimile + 44 2071 17 38 27

To contact the relevant Information Privacy authority, the details are:

New Zealand

The Privacy Commissioner
PO Box 466
Auckland
New Zealand

Enquiries:
+64 9 302 8655 or 0800 80 39 09
http://www.privacy.org.nz/top.html

Australia

Office of the Privacy Commissioner
GPO Box 5218
NSW 2001

Enquiries:
+61 1300 363992

United Kingdom

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Enquiries:
+44 8456 30 60 60 or +44 1625 54 57 45



Appendix 1:
Data Inquiries


New Zealand

+64 9 980 9838


All phone calls received through the main reception are to be directed through to the Contact Centre Manager, Melanie Hayes. Should Melanie not be available, reception will take the initial briefing (validation of the individual, specific request details, contact information) then forward the customer's information through to Melanie for action. If the customer is anxious for an immediate reply, the call should be escalated to the General Manager, or Group General Manager.

Patients / Customers can also forward inquiries via the Privacy email address.
This email will be forwarded directly to the Privacy Officer, Sarah Walsh, for her to action.

Australia

+61 2 8332 6888

Any data- / information-related inquiries received in Australia should be forwarded to the Australian Privacy Officer, Paul Harris.

Patients / Customers can also forward inquiries via the Privacy email address.
This email will be forwarded directly to the Privacy Officer, Paul Harris, for him to action.

United Kingdom

+44 2079 37 07 93

Any data- / information-related inquiries received in the United Kingdom should be forwarded to the United Kingdom Privacy Officer, Hamish Franklin.

Patients / Customers can also forward inquiries via the Privacy email address.
This email will be forwarded directly to the Privacy Officer, Hamish Franklin, for him to action.

AHG’s policy states that a privacy-related information inquiry must be actioned within five days. This is extended for requests across regional boundaries. Should there be delays in the request being processed, AHG will notify the inquirer (via email) of the request status, action taken and expected time delay.

Customer Details Amendment / Suppression Request

1. Ask customer to confirm identity by asking for a minimum of four identifying details, eg, Name, Address, Date of Birth and a contact number.
2. Capture customer information on Customer Database Details Amendment / Suppression Request Form.
3. Read this information back to client to get verbal confirmation that details are correct.
4. These details must match information held on Connect to proceed.
5. Pass customer request form to appropriate internal resource for identification and amendment or suppression.
6. Archive customer request form for a 12-month period.
7. Send confirmation of action letter to customer.

Customer Information Only Request

1. Ask customer to confirm identity by asking for a minimum of four identifying details, eg, Name, Address, Date of Birth and a contact number.
2. Read this information back to client to get verbal confirmation that details are correct.
3. These details must match information held on Connect to proceed.
4. Pass customer request form to appropriate internal resource to access customer file.
5. Produce report on requested patient / customer details held by Atlantis Healthcare.
6. Send confirmation of action letter to customer with copy of personal information report.
