Information Management Policy Framework
View the PDF document of the Information Management Policy Framework.
1. Policy framework statement
The Information Management Policy Framework specifies the information management requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent management of health, personal and business information across the WA health system.
The Director General (DG) of the Department of Health is the System Manager responsible for the overall management, strategic direction and stewardship of the WA health system. The DG will use policy frameworks to ensure a consistent approach to a range of matters undertaken by HSPs. Policy frameworks must be complied with and implemented as a part of ongoing operations.
The purpose of this policy framework is to ensure:
- a consistent approach is adopted for collecting and managing information across the WA health system
- best practices for information management and protects the privacy of individuals
- health and personal information is appropriately managed throughout its lifecycle
- proper and secure handling of business related information necessary for its services and functions.
This policy framework is binding on each HSP to which it applies or relates.
The key principles that underpin this policy framework are:
- for purposes related to treatment and health care
- for purposes that are directly related to, and necessary for, the activities of the HSP (to manage, plan, evaluate or promote, protect and maintain the health of the community)
- in a manner that is transparent and accountable to patients, and employees and protects their privacy and confidentiality
- directly from the patient or employees where reasonable and practical to do so, ensuring it is relevant, accurate, up-to-date and not excessive
- into health information management systems approved by the DG
- according to common definitions, interpretations, formats and business rules, unless there is an accepted and documented justification for the deviation.
- for purposes stipulated under the Health Services Act 2016 and in accordance with the Regulations or delegated approvals
- for research purposes with approval from the relevant WA Health Human Research Ethics Committee (HREC) that is constituted in accordance with, and acting in compliance with, the National Statement
- with the consent of the person to whom the information pertains for any other particular purpose.
- of securely and in accordance with all requirements in the authorised retention and disposal schedule.
- in accordance with the Health Services Act 2016 and the Regulations or delegated approvals
- in accordance with the Freedom of Information Act 1992
- by promptly managing information breaches and security incidences
- using transparent and accountable data governance and research ethics processes.
- using methods to ensure it is migrated, preserved, accessible and usable to meet patient care and business requirements
- using security provisions that protect against unauthorised access, use, modification or disclosure
- ensuring it is disposed of appropriately and in accordance with any requirement for its retention and disposal.
- for purposes stipulated under the Health Services Act 2016 and the Regulations or delegated approvals
- for facilitating good healthcare for patients (staff should only access, view and use the health and personal information that is necessary for them to perform their duties)
- for research purposes with approval from the relevant HREC that is constituted in accordance with, and acting in compliance with, the National Statement
- for a directly related purpose which could be reasonably expected by the individual, when the purpose cannot be served by the use of de-identified information and it is impractical to seek the consent of the individual for the use
- the minimum amount of information is used to accomplish the purpose and everything reasonably practicable is done to prevent its unauthorised use.
5. Legislative context
The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). The other relevant part in the Act that relates specifically to this policy framework is Part 17.
The legislation below, may also apply:
- Children and Community Services Act 2004
- Commonwealth Privacy Act 1988(Australian Privacy Principles)
- Coroners Act 1996
- Corruption,Crime and Misconduct Act 2003
- Criminal Code Act Compilation Act 1913
- Electronic Transactions Act 2011
- Evidence Act 1906, Acts Amendment (Evidence) Act 2000
- Freedom of Information Act 1992
- Freedom of Information Regulations 1993
- Health Act 1911
- Health and Disability Services (Complaints) Act 1995
- Human Reproductive Technology Act 1991
- Mental Health Act 2014
- National Health and Medical Research Council Act 1992
- State Records Act 2000
6. Mandatory requirements
Under this policy framework HSPs must comply with all mandatory requirements* including:
- Admission, Readmission, Discharge and Transfer Policy - MP 0058/17
- Clinical Coding Policy - MP 0056/17
- Data Breach Response Policy - OD 0564/14
- Data Collection Policy - OD 0558/14
- Data Quality Policy - MP 0057/17
- Data Reporting Requirements for Episodes of Admitted Maintenance Care - MP 0036/16
- Data Reporting Requirements for Episodes of Admitted Palliative Care - MP 0061/17
- Data Stewardship and Custodianship Policy - MP 0011/16
- Digitisation and Disposal of Patient Records Policy - OD 0583/15
- Elective Services Wait List Data Collection (ESWLDC): Data Reporting Requirements for Health Service Providers - MP 0014/16
- Emergency Department and Emergency Services Patient-Level Data Collection and Reporting - OD 0205/09
- Freedom of Information Reporting within the Public Health System - OD 0122/08
- Hospital Morbidity Data Reporting Cycle and Edit Protocol Policy - MP 0059/17
- Information Classification Policy - OD 0537/14
- Information Lifecycle Management Policy - OD 0557/14
- Information Storage and Disposal Policy - OD 0559/14
- Information Use and Disclosure Policy - MP 0015/16
- Mail Management and Postal Remittances - OP 1944/05
- Metadata Documentation Policy - OD 0464/13
- Non-Admitted Activity Recording and Reporting Policy - MP 0068/17
- Patient Information Retention and Disposal Schedule - MP 0002/16
- Release of Information under the Freedom of Information Act 1992 (the 'FOI Act') - Policy and Guidelines - OD 0574/14
- Department of Health Recordkeeping Plan 2013
- Retention and Disposal Schedule for Administrative and Functional Records^
- WA Data Linkage Branch Access and Charging Policy
*Any mandatory requirement document that references the Hospitals and Health Act 1927 must be interpreted as a requirement under the Health Services Act 2016.
^This internal document can be made available on request.
7. Supporting information
The following documents support and inform the implementation of the mandatory requirements:
- Guidelines for Managing Statewide Reporting Definitions - IC 0200/14
- Guidelines for the Release of Data - IC 0208/14
- Guidelines for the Transmission of Personal Health Information by Facsimile Machine - IC 0179/14
- Practice Code for the Use of Personal Health Information Provided by the Department of Health - IC 0177/14
8. Policy framework custodian
Assistant Director General
Purchasing and System Performance
Enquiries relating to this policy framework may be directed to:
This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.
|Version||Effective from||Effective to||Amendment(s)|
|1||1 July 2016||30 June 2017||Original version|
|2||30 June 2017||1 July 2017||Major Amendment to MP 0036/16, Major Amendment to MP 0015/16.|
|3||1 July 2017||2 August 2017||New MP 0058/17, superseded OD 0540/14. New MP 0056/17 superseded OD 0620/15. New MP 0059/17 superseded OD 0136/08 and OD 0137/08. Rescinded OD 620/15, OD 0380/12, OD 0136/08, and OD 0137/08 from Mandatory Requirements and OD 0540/14 from Supporting Information.|
|4||2 August 2017||4 October 2017||New MP 0061/17.|
|5||4 October 2017||22 February 2018||New MP 0068/17, superseding OD 0621/15 and OD 0622/15. Rescinded OD 0621/15 and OD 0622/15 from Mandatory Requirements.|
|6||22 February 2018||Current||Rescinded OD 0272/10, OD 0132/08 and OD 0131/08 from Mandatory Requirements|
This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.
|Approval by||Dr David Russell-Weisz, Director General, Department of Health|
|Approval date||1 July 2016|
|Date published||22 February 20182017|
|Dept. File No||F-AA-40150|
This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.
12. Glossary of terms
Under section 26 of the Health Services Act 2016, policy frameworks may apply to:
|Business information||Includes, but is not limited to, administration, corporate, workforce, human resources, financial or accounting information that may contain personal information.|
|Confidentiality||The obligation of people not to use or disclose information for any purpose other than which was given to them, without consent.|
|Consent||Consent means voluntary agreement to some act, practice or purpose.|
|Data||The term 'data' generally refers to unprocessed information, while the term 'information' refers to data that has been processed in such a way as to be meaningful to the person who receives it. In this policy the terms 'data' and 'information' have been used interchangeably and should be taken to mean both data and information.|
|Data governance1||Is the system of decision rights and accountabilities surrounding data and the use of data. It can involve legislation, organisational structures, legal contracts, and various agreements, policies, and guidelines.|
|Data linkage||A complex technique connecting data records within and between datasets thought to relate to the same person, place, family or event. Data linkage typically uses demographic data (for example: name, date of birth, address, sex, medical record number) and facilitates analysis of linked information in a way that protects individual privacy.|
|De-identified information2||Is synonymous with the term 'non-identifiable information' and refers to information or opinion about a person whose identity is not apparent and cannot be reasonably ascertained from the information or opinion.|
|Directly related purpose3||
Refers to the use of health information for a purpose which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. It must be a purpose that people would reasonably expect to be associated with the original purpose.
Examples include, but are not limited to:
|Disclosure||Refers to the communication or transfer of information outside of the WA health system, which is considered a single entity under the Framework. A disclosure can occur by giving a copy, summary, or communicating the information in any other way to another organisation or individual outside the WA health system.|
|Duty of confidentiality||The legal duty of confidentiality obliges health care practitioners to protect their patients against inappropriate disclosure of personal health information.|
|Health information||Means Ė (a) information, or an opinion, that is also personal information, about:
(b) other personal information collected to provide, or in providing, a health service.
(Refer to clause 213 of the Health Services Act 2016).
|Health information management4||Is information management applied to health and healthcare. Information management is defined as the means by which an organisation plans, identifies, creates, receives, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains, preserves and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent.|
|Health record||Is the documentation (whether in paper or electronic form) of a patient's health information that is created by a Health Service Provider for the purpose of managing the patient's healthcare.|
|Health Service Provider||Health Service Provider means a health service provider established under s. 32 of the Health Services Act 2016 and may include North Metropolitan Health Service (NMHS), South Metropolitan Health Service (SMHS), Child and Adolescent Health Service (CAHS), WA Country Health Service (WACHS), East Metropolitan Health Service (EMHS), Quadriplegic Centre and Health Support Services (HSS).|
|Human Research Ethics Committee (HREC)||Means a human research ethics committee constituted in accordance with, and acting in compliance with, the National Statement.|
|National Statement||Means the National Statement on Ethical Conduct in Research Involving Humans, as in force from time to time, issued under the National Health and Medical Research Act 1992 (Cwlth) clause 7(1) (a).|
Has the meaning given in the Freedom of Information Act 1992 in the Glossary clause 1:
Means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -
(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.>
|Practical||Concerns what is feasible in real circumstances. Because something is inconvenient, costs money or is an annoyance, do not assume it is not reasonable or practicable to do. In deciding if certain matters are practical (or reasonable) consider (i) what the majority of people would expect or find appropriate, (ii) assess the time and cost involved in complying against benefits and risks (iii) consider alternative methods to achieve a similar result and (iv) take into account the entire situation (For example: impact on patients, urgency of an issue).|
|Primary purpose||The main reason for which information is collected. For example, in most cases, health information is collected from a patient to provide health care.|
|Privacy5||The individual's right or expectation that health information and other identifying information will not be disclosed.|
|Reasonable||Refer to 'Practical'.|
|Reasonable expectation||Means that the purpose is closely related to the healthcare of the patient and/or that the use or disclosure was communicated when the information was collected.|
|Research6||Original investigation undertaken to gain knowledge, understanding and insight. It is a broad concept and there is no simple, single way to define research for all disciplines.|
|Use||Of information refers to the communication or handling of information within the WA health system. The WA health system is considered a single entity under the Framework. Therefore, sharing information between Health Service Providers, the Department and Contracted Health Entities is considered use.|
|WA health system||The WA health system is comprised of the Department of Health, Health Service Providers (NMHS, SMHS, CAHS, WACHS, EMHS, Quadriplegic Centre and HSS) and to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.|
1Australian Institute of Health and Welfare. Data Governance - In Brief
2Privacy Manual for Health Information. Reproduced by permission, NSW Ministry of Health © 2016
3The State of Queensland (Office of the Information Commissioner) 2012
4Queensland Government Information Management Policy Framework Definitions
5National Health and Medical Research Council - Principles for Accessing and Using Publicly Funded Data for Health Research Canberra
6National Health and Medical Research Council - Australian Code for the Responsible Conduct of Research