Handling Information Security As Part Of Mental Health Services

Protective security better practice guide Handling information security as part of mental health medical services

June 2016

Version 0.8

© Commonwealth of Australia 2015 All material presented in this publication is provided under a Creative Commons Attribution 4.0 Australia (http://creativecommons.org/licenses/by/4.0/) licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 4.0 AU licence (http://creativecommons.org/licenses/by/4.0/legalcode).

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It's an Honour (http://www.itsanhonour.gov.au/coat-arms/index.cfm) website.

Contact us

Inquiries regarding the licence and any use of this document are welcome at:

Commercial and Administrative Law Branch
Attorney-General’s Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02) 6141 6666
[email protected]

Document details

Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of security classification review: June 2018
Authority: Attorney-General’s Department
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Final V 0.8 – June 2016 – Approved

1. Introduction

1. Purpose

1. The Protective Security Policy Framework (PSPF) requires agencies to develop their own protective security policies, plans and procedures. The Australian Government protective security better practice guide—Handling information security as part of mental health medical services provides guidance to agencies in developing their protective security policies, plans and procedures to assist their current and former employees receiving mental health services.

2. The Government’s direction with regard to mental health is outlined in the Roadmap for National Mental Health Reform 2012 – 2022. The Roadmap sets out the ongoing reform that is necessary to achieve the vision of all Australian governments.[1]

3. Current and former government employees have sought advice from the Attorney-General’s Department on whether they can discuss classified information with their medical service provider. In most instances the employee worried about breaching the Crimes Act 1914 or the Criminal Code. This guide provides advice on handling the information security aspects of mental health medical services.

2. Audience

4. This document is primarily intended for:
- Australian government employees and former employees
- human resources and work health and safety practitioners
- medical service providers
- persons responsible for developing protective security policies, plans or procedures on behalf of Australian Government agencies.

3. Scope

5. This guide provides better practice advice to agencies. Specific controls and risk mitigation measures used by agencies are required to be based on legislative requirements and the PSPF. Where legislative requirements are less than those identified in the PSPF the higher level of control is required to be applied.

Use of specific terms in these guidelines

6. In this guide the terms ‘required to’ and ‘must’ refer to obligations that are to be complied with in all circumstances.

7. The terms ‘are encouraged to’ or ‘are recommended to’ refer to better practice.

8. The term ‘medical service providers’ refers to referring doctors, specialists and treating clinicians associated with medical consultation for mental health conditions.

9. The term ‘employee’ refers to past and present employees.

10. The term ‘client’ refers to an employee seeking medical services from the medical service provider.

[1] The Roadmap for National Mental Health Reform 2012 – 2022, endorsed by the Council of Australian Governments on 7 December 2012, p. 3

2. Approach

11. Agencies are encouraged to support any current or former employees seeking mental health medical services arising during their period of employment.

12. Unmanaged employee mental health conditions may be a greater risk to an agency’s ongoing information security than a managed disclosure of security classified or sensitive information as part of medical consultations. While an employee’s mental health condition may be unrelated to their employment, the effective management of the condition relies on an understanding of the individual’s social environment. As such, discussion of classified or sensitive employment conditions or information may be conducive to managing the medical condition.

13. If there is an immediate and serious risk to an employee, health service providers may need to take immediate action to address the mental health condition. In such cases the employee’s wellbeing is the primary concern.

1. Legislative framework

14. Under the Safety, Rehabilitation and Compensation Act 1988 employees may seek medical services from their preferred medical service provider. Once medical services commence, the employee seeking these services may disclose sensitive or security classified information which may be in breach of sections 70 or 79 of the Crimes Act or a range of other secrecy provisions; see section 2.2: Applicable secrecy legislation.

15. Under the Work Health and Safety Act 2011 (WHS Act) agencies are required to take all reasonably practicable steps to prevent injury, including re-injury. Section 3(2) of the WHS Act provides that workers and other persons be given the highest level of protection against harm to their health, safety and welfare from hazards and risks arising from their work as is reasonably practical.

16. Sections 12C, 12D and 12E of the WHS Act provide exemptions where the disclosure would be, or could reasonably be expected to be prejudicial to Australia’s national security, defence or Australian Federal Police operations. Subject to direction from the relevant agency head, provisions of the WHS Act do not apply in defined circumstances. However, the WHS Act requires agency heads to promote the objects of the Act to the greatest extent, consistent with the maintenance of Australia’s national security and defence.

17. In addition to the implications of the Crimes Act, medical service providers are required to meet the Australian Privacy Principles contained in the Privacy Act 1988. Medical service providers may also be required to disclose to the relevant authorities information relating to illegal actions by their client.

18. Medical service providers may be called on to provide expert witness in other matters where the mental health condition is of concern—for example, child custody and personal litigation. In such circumstances the medical provider may be required by the court to disclose sensitive or classified information. The National Security Information (Criminal and Civil Proceedings) Act 2004 provides for protection of security classified information in court proceedings impacting on national security if the Attorney-General invokes the Act on request from an affected agency.

Applicable secrecy legislation

19. Commonwealth secrecy laws provide for secrecy or non-disclosure obligations in respect of official information. The laws impose confidentiality obligations on a range of persons and apply criminal penalties for the breach of these provisions.

20. There are two categories of Commonwealth secrecy laws: general secrecy offences and specific secrecy offences.

General secrecy offences:
- Section 70 of the Crimes Act is an umbrella offence applying criminal penalties to the unauthorised disclosure of Commonwealth information by current and former Commonwealth officers. Section 70 attaches criminal sanctions to a breach of a duty not to disclose information. The duty is most commonly set out in specific legislative provisions giving rise to a duty not to disclose information, but may also arise from common law or contractual obligations.
- Section 79 of the Crimes Act is an umbrella offence protecting defence and national security information and covers unauthorised disclosure as well as certain other conduct. Section 79 can apply to persons other than Commonwealth officers.

Specific secrecy offences:
- Specific secrecy offences located in various pieces of Commonwealth legislation, including some delegated legislation, apply to particular agencies, individuals or to protect particular types of information. There are a range of specific secrecy provisions that impose secrecy or confidentiality obligations in respect of Commonwealth information.

21. Commonwealth secrecy offences include a range of exceptions and defences. The most common exceptions to secrecy offences are those that permit disclosure in the performance of a person’s functions or duties or for the purpose of particular legislation. Some legislation may also permit a disclosure where it is authorised by a specified person, such as the head of an agency.

22. There are no specific exceptions which allow for disclosures made to medical service providers in the course of an employee’s medical consultation. It is recommended that agencies and their employees consider on a case-by-case basis their obligations under existing secrecy laws and obligations under the WHS Act. It is recommended that agencies seek their own legal advice where required.

Medical services management options

23. To facilitate medical services, while mitigating any information security impact, agencies are encouraged to provide clear guidance to employees on measures the employee can use to minimise any disclosure of sensitive or security classified information that is not necessary for medical consultations.

24. Agencies are encouraged to develop guidance which can be provided directly to medical service providers when the service provider is known to the agency. When the provider is not known to the agency, advice can be provided to the agency employee seeking medical services to pass on to the medical service provider.

25. Mental health conditions in which a claim for compensation has been submitted may require gathering more detailed information during medical consultations. This may increase the risk of disclosing sensitive or security classified information.

26. The greater control the agency has over the provision of medical service options, the less risk there is of a potential security breach and the recording of sensitive or security classified information. Types of medical service options include:
- in-house capability (relatively low risk)
- outsourced or panels of medical service providers (medium risk)
- medical service providers referred to by the employee’s general practitioner, or sourced directly by the employee seeking medical services (relatively high risk).

27. However, it is appropriate for the risks to the agency to be balanced against the provision of the best medical service provider to address the employee’s condition.

28. For more detail on possible control measures see section 3: Medical services for and section 4: Error: Reference source not found.

Records management

29. For details on possible record control measures see section 5: Management of medical consultation records.

3. Medical services for employees

30. It is recommended that agencies provide publicly available advice for employees on mental health medical service options.

31. Agencies are also encouraged to provide advice on how to manage the impact of the disclosure of sensitive or classified information during medical consultations noting that employees (current and former) are subject to the secrecy provisions relating to the disclosure of security classified or sensitive information. See Annex A – Example advice to .

32. It is recommended that agencies do not restrict employees disclosing information needed as part of their medical consultations unless necessary for the maintenance of national security, defence or police operations.

33. Employees holding a security clearance are required to report changes in circumstances to their agency; this includes changes in health or medical circumstances. See the Australian Government personnel security protocol—Annual health check section 9.3.

34. Agencies are encouraged to consider developing options for disaffected employees that may hold the agency responsible for their condition and may be reluctant to contact the agency for advice.

35. Agencies may not be made aware of a disclosure of security classified or sensitive information until after the fact. Agencies are encouraged to develop procedures to work cooperatively with the medical service provider and employee to minimise the impact of these disclosures.

In-house treatment

36. The use of in-house medical service providers represents a relatively low risk medical consultation option as it provides an increased level of accountability regarding the secure treatment of disclosed information, due to the contractual arrangements with in-house providers. The agency also manages the security of the facility and any employee records, including medical records.

37. Agencies with internal capability are encouraged to promote the use of this capability as the first option. Agencies are encouraged to include a requirement for in-house medical service providers to advise employees, seeking assistance, who hold a security clearance, of any requirements to report changes in circumstances to the agency security adviser or vetting agency.

38. When internal capability cannot meet demand or speciality, it may be necessary for outsourced or independent medical service providers to be consulted.

Agency engaged (outsourced) medical service providers

39. Outsourced medical service providers such as employee assistance programs allow the agency to have some control over the handling of potentially sensitive or security classified information. However, in many instances the outsourced or external medical service providers are not screened or security cleared by the agency.

40. The agency is encouraged to determine, based on a risk assessment, whether to request security clearances for medical service providers working under contract, as part of the contract conditions. See Australian Protective security governance guidelines—Security of outsourced services and functions.

41. It is recommended that agencies include information security requirements in any outsourced services contract; see the Australian Government protective security governance guidelines—Security in outsourced services and functions.

42. Agencies are also encouraged to include in contracts with outsourced medical service providers guidance on:
- secure storage and transfer of consultation records, including audio or visual recordings
- de-identifying guidance for records
- destruction of records when no longer required, noting the legal obligations relating to the management of medical records
- information that can be provided to other providers or compensation authorities
- the responsibility of Agency employees to report change of circumstances, including health and medical circumstances.

43. Agencies are encouraged to provide briefings to outsourced medical service providers on the management of confidentiality of any disclosed sensitive or classified information.

44. It is recommended that agencies, where possible, have medical service providers identify, within their professional practice, specific medical providers who will undertake sensitive or security classified work on behalf of the agency. However, the breadth of specialities may preclude early identification of medical service providers for all situations.

Independent medical services providers self-sourced by employees

45. Employees may decide to seek medical assistance through an independent medical service provider for a variety of reasons.

46. In compensation cases, the first notice of an employee’s medical condition may be when notified of a claim by the agency’s compensation authority.

47. Once notified of a claim or a non-compensable medical condition where there may have been a disclosure of security classified or sensitive information, the agency is encouraged to provide advice to the employee and medical service provider to manage the impact of any disclosures. See Annex A – Example advice to and Annex B – Example advice to health service providers.

48. If the employee holds a security clearance it is recommended that the agency provide advice to them on their change of circumstances reporting requirements.

Addressing possible future mental health conditions in separation briefings

49. Agencies are encouraged to include, as part of their separation procedures, advice on seeking medical services for mental health conditions, where the concerns relate to former service with that agency. This advice may include:
- advising the agency prior to seeking medical services
- advice on how to access agency cleared medical services providers (this information detail is not normally publicly available)
- advice for medical services providers
- how to lodge a compensation claim (if necessary).

4. Management of medical consultation records

50. Detailed medical consultation records need to be kept by the medical service provider. Consultation normally occurs in the medical service provider’s office, which for external providers does not normally have the level of security controls required to hold security classified information.

51. Agencies are encouraged to develop advice for medical service providers to maximise the safety of records in storage and during transfer to the compensation authority, agency or other medical service providers.

52. Agencies are encouraged to advise medical service providers of any relevant secrecy provisions that may apply to the provider and the information.

Classification and control of consultation records in the agency

53. An agency is unlikely to receive consultation records for their employees from an external medical service provider, such as employee assistance programs. However once an employee’s compensation claim has been submitted, the agency receives information from the compensation authority relating to the claim.

54. All health information about an employee is sensitive information as defined in section 6 of the Privacy Act and must be marked with the dissemination limiting marker ‘Sensitive: Personal’ by agencies upon receipt in accordance with the Australian Government Security Classification System.

55. Agencies are encouraged to apply security classifications based on the impact of the compromise of confidentiality of the records.

Management of consultation records by medical service providers

56. Outsourced medical service providers may not have facilities or procedures in place for the storage of security classified information. However, medical service providers are required under the Privacy Act to provide secure storage of their records. These controls broadly equate to the Commonwealth’s storage of information marked Sensitive: Personal.

57. When preparing to engage an outsourced medical service provider it is recommended that agencies include secure records management requirements in the outsourced medical service provider’s contract; see Protective security governance guidelines—Security of outsourced services and functions.

58. Medical service providers are encouraged to apply security controls to their medical consultation records to the extent compatible with managing the injury and their legislative requirements. This could include:
- not identifying specific locations, operation names or code words, or the employing agency’s name
- keeping all medical consultation records in hard copy only, and
- storing any audio or video recordings with hard copy records rather than uploading to the medical service provider’s ICT system.

59. Most medical service providers’ governing bodies provide ethical guidelines which can assist—for example the Medical Board of Australia’s Good Medical Practice: A Code of Conduct for doctors in Australia. For details of other professional bodies’ advice see Agency medical service providers.

Transfer of the records to the compensation authority

60. It is recommended that agencies provide advice to medical service providers on managing the transfer of medical consultation records to the compensation authority. Where medical consultation records contain security classified information or medical service providers are concerned about the sensitivity of the information it can be sent to the compensation authority by courier. It is recommended that agencies provide advice to medical service providers on suitable courier options based on a risk assessment.

61. It is recommended that medical service providers contact the originating agency of sensitive or security classified information in the medical consultation record for advice on appropriate handling.

Collection of information by compensation authorities

62. Agencies are encouraged to work with the compensation authority to clearly identify the information required to make a compensation assessment claim. It is recommended that compensation authorities only seek information, or specific details required for assessment of the claim.

63. Agencies whose compensation authority is not Comcare are encouraged to develop specific advice for the compensation authority on information that can be requested from the medical service provider as well as guidance on the secure provision of the information.

64. If the information required is likely to be security classified or sensitive the agency and compensation authority are encouraged to identify:
- specific information handling regimes for all claims relating to the agency through the life of the claim (and any subsequent appeals)
- any compensation authority personnel who will require security clearance to work on agency claims
- appropriate de-identifying procedures that can be implemented by the compensation authority
- ongoing records management and disposal procedures at the compensation authority.

Annex A – Example advice to employees

Agency considerations when preparing advice to employees

This advice is general in nature. It is important that the security advice relating to seeking medical services for the management of mental health conditions is delivered as part of an agency’s supportive measures to assist their employees.

An example letter to employees seeking mental health medical services has been developed. It is recommended that agencies consider sensitivities and where it is not appropriate to reference the agency to refer only to the Australian Government.

Agency specific security requirements

As each agency may have specific security requirements it is recommended that these requirements be included when communicating and dealing with employees and/or medical service providers.

Secrecy determinations

It is recommended that agencies address agency specific secrecy or legislative provisions when developing their own advices. To address agency specific secrecy or legislative provisions, agencies may need to work with medical service providers to identify suitable medical service options or alternatively to use medical service options developed by other similar agencies.

If there is a secrecy determination that prevents disclosure of security classified or sensitive information by employees seeking mental health medical services, agencies are encouraged to develop alternative options that allow employees to seek appropriate services to address the mental health condition.

Preferred providers

It is suggested that agencies provide a list of preferred in-house or outsourced medical service providers on request to employees seeking mental health services. These providers may have security clearances and it is expected that the providers have been briefed about appropriate security practices.

This list may be provided by the employee seeking medical services to their General Practitioner or used to select a suitable specialist mental health service provider.

Advice to give to medical service providers

It is recommended that agencies make an advice sheet available to employees seeking medical services which they can give to their medical service providers regarding the management of sensitive or security classified information that may need to be disclosed in the course of medical service consultations.

See Annex B – Example advice to health service providers.

Level of detail – including any specific restrictions

Agencies are encouraged to discuss with their employees what information can be provided to medical service providers regarding sensitive or security classified information. It is recommended that agencies in consultation with the compensation authority advise medical service providers on the level of detail needed for a compensation claim.

Employees are encouraged to be aware that revealing or recording sensitive or security classified information may have security implications and could, for example, compromise operations, as well as breach the Crimes Act or Criminal Code. It is recommended that the agency work with employees and the medical services provider to minimise the impact of the disclosure.

Actions for security clearance holders

In accordance with the PSPF mandatory requirement PERSEC-2, agencies are required to advise current security clearance holders of their obligations to report any changes in circumstances. For former employees this must be to the person’s current agency’s security adviser or if no longer working in the agency, the vetting agency that granted the security clearance (normally the Australian Government Security Vetting Agency).

Reportable changes in circumstances include any changes to health or medical circumstances. For further advice see the Australian Government personnel security guidelines—Agency personnel security responsibilities section 14.2.

It is recommended that agencies include in their advice any additional agency specific reporting requirements.

Example letter to employees seeking medical services

File Ref: Date:

[Insert employee’s name and address]

Dear [Insert employee’s name]

Assistance available from [Insert agency name] to enable you to seek mental health medical services

I understand that you are currently seeking mental health medical services. [Insert agency name] would like to work with you to ensure that you get the best medical outcome possible, while minimising the impact of any necessary disclosure of security classified or sensitive information.

During the course of the medical consultations you may feel the need to disclose information relating to your work or workplace. This can represent a potential security issue if the information is security classified or sensitive. [Insert agency name] has a number of medical service providers that are aware of government requirements relating to the protection of Australian Government information during medical consultations. A list of their names and specialities is attached for your use. The list may be provided to your referring doctor(s), but it is not recommended to be provided to anybody not directly linked to selecting your medical service provider. Alternatively you can contact [insert agency HR contact person’s details] to discuss your medical service options.

If you choose to seek medical services through an independent medical service provider it is important to remember your obligations to treat security classified or sensitive information in accordance with the relevant legislation and government policy.

If you have already disclosed information that is security classified or sensitive during your medical consultations please advise [insert agency security contact person’s details] so they can work with you and your medical service provider to minimise the impact of the disclosure.

Attached is additional information that you can provide to your medical service provider to assist them to manage security classified or sensitive information you may need to disclose as part of your medical consultations.

For further information please contact [insert agency HR contact person’s details].

[Agency HR manager/senior management representative]

Attachments: [agencies to develop]
1. Agency health service providers
2. Advice to health service providers

Annex B – Example advice to health service providers

Agency considerations when preparing advice to health service providers

Health service providers have various responsibilities under the Privacy Act 1988. Their professional body may have specific advice relating to the security of client records, see Agency medical service providers.

An example letter to health service providers has been developed. It is recommended that agencies consider sensitivities of employees and where it is not appropriate to reference the agency, refer only to the Australian Government.

When receiving medical services, Australian Government employees may potentially disclose sensitive or security classified information to their medical service provider. It is recommended that advice be provided to the medical service provider regarding recording, transferring and handling of the sensitive or security classified information provided to them by the employee.

Section 79 of the Crimes Act as well as any agency specific secrecy provisions may apply to the unauthorised disclosure of sensitive or security classified information by medical service providers.

Consent

Medical service providers require consent from the person receiving those services prior to discussing any aspect of the case with an agency. Agencies are encouraged to provide medical service providers with a consent form to allow the agency to discuss information security aspects of the case with the medical service provider.

Level of detail to record

In most cases detailed accounts of incidents that may have a security implication are recommended not to be documented unless necessary for the medical consultation. Where there are security implications—for example, the provision of information by Defence personnel about operations—only essential information relevant to the employee’s health condition may be recorded.

It is recommended that if the employee is submitting a compensation claim the medical service provider contact the compensation authority prior to the medical consultations to ascertain the level of information required.

De-identifying information

The importance of provider-client privilege, anonymity and discretion when handling sensitive or security classified information (including personal details – names, work, role) cannot be overstated. The exchange of information via email is particularly vulnerable and is encouraged to be de-identified where possible. Where possible, it is recommended the information be anonymised by removing specific details of the incident. Examples include not identifying:
- specific locations
- operation names or code words
- the employing agency’s name.

Handling of interview/ consultation recordings

It is recommended that agencies encourage medical service providers to apply security controls to consultation records relating to cases where sensitive or security classified information may be disclosed to the extent compatible with managing the mental health condition. This could include:
- keeping all detailed consultation records relating to the case in hard copy only and de-identifying the information as much as possible
- only inputting a de-identified overview into electronic treatment records systems
- storing any audio or video recordings with the hard copy records rather than uploading to the service provider’s ICT system
- storing physical records in a secure locked safe or locked cabinet which cannot be accessed by other practice personnel unless necessary for the provision of medical services to the employee
- transferring documents only when necessary
- destruction of any detailed records when no longer required.

It is recommended that agencies provide specific advice to medical service providers on how to manage information relating to the case.

Transfer of records to third parties

Compensation authorities

It is recommended that agencies provide advice to medical service providers on managing the transfer of consultation records to the compensation authority. Where consultation records contain security classified information, or medical service providers are concerned about the sensitivity of the information, the records can be sent to the compensation authority by courier. It is recommended that agencies provide advice to medical service providers on suitable courier options based on a risk assessment.

It is recommended that medical service providers contact the originating agency of sensitive or security classified information in the consultation record for advice on appropriate handling.

Other third parties

Medical service providers may from time-to-time be requested to provide details of mental health conditions to other persons—for example, the person’s general practitioner, referring specialist, the person’s partner and the courts. It is recommended that agencies advise medical service providers to liaise with the agency prior to making any disclosure.

Example letter to medical service providers

File Ref: Date:

[Insert medical service provider’s name and address]

Dear [Insert medical service provider’s name]

Assistance available to you to manage information security aspects of medical services for [insert employee name]

I have been advised that you are currently providing medical services to [insert employee name] for a mental health condition.

You as a medical service provider have various responsibilities under the Privacy Act 1988 and your professional body may have specific advice to assist you with this obligation. A list of relevant medical service profession advices is attached.

When providing medical services for [insert employee name], a [current or former] Australian Government employee, [he/she] may potentially disclose security classified or sensitive information to you relating to the mental health condition. It is recommended that discretion be used when recording, transferring and handling the information provided to you by [insert employee name].

It is recommended that you contact [insert agency security contact details] regarding the handling of security classified or sensitive information. [Insert agency name] is committed to working with you to deliver the best medical services possible for [insert employee name] while minimising the impact of any disclosure necessary for [his/her] medical consultations.

In order to meet your privacy obligations you will need to gain the agreement of [insert employee’s name] prior to discussing any aspect of this case including the handling of information that may be disclosed. I have enclosed a consent form to enable you to discuss the information security aspects of the case with [Insert agency name].

[Insert only if a compensation case] I understand that [Insert employee name] has lodged a claim for compensation with [Insert compensation authority’s name] in regard to this matter. In most cases the level of detail required by a compensation authority does not require the disclosure of any security classified or sensitive information. However, prior to reporting details of the mental health condition to the authority you are encouraged to liaise with the authority to determine the level of detail needed to assist [Insert employee’s name] with their claim. If you have any concerns about the information that is requested or how it is to be provided, please contact [insert agency security contact details] to discuss. The agency can also assist with arranging a courier to deliver information to the compensation authority if required.

Section 79 of the Crimes Act 1914 [and insert agency specific secrecy provisions] may apply to disclosure of security classified or sensitive information by you to other third parties. It is recommended that you seek advice from [insert agency security contact details] prior to releasing information to another party.

However, if the disclosure is required to address an immediate and serious threat to the person’s, or another person’s, health, such as a referral to a Critical Assessment and Treatment Team, the information can be provided immediately. If this does occur, you are asked to advise [insert agency security contact details] so that remedial management of the disclosure can commence.

I have also included some general information security advice that may assist you with managing any information that [insert employee’s name] may already have disclosed to you.

If you need to refer [insert employee’s name] to another medical service provider, [insert agency name] has identified a number of providers who may be suitable; see the attached list. If there is no one suitable on the list, or you would prefer that [insert employee’s name] seek medical services from another provider, please advise [insert agency security contact person’s details] so that suitable information security arrangements can be made with that provider prior to [insert employee’s name]’s medical consultation.

[Agency HR manager/senior management representative]

Attachments: [agencies to develop]
1. List of relevant health service profession advices
2. Consent form
3. General information security advice
4. Agency medical service providers

Annex C - Relevant health service professional advices

Medical Board of Australia
• Good Medical Practice: A Code of Conduct for doctors in Australia

Royal Australian and New Zealand College of Psychiatrists:
• Guidance for Electronic Media Recording and Storage
• Professional practice guideline: Best practice referral, communication and shared care arrangements between psychiatrists, general practitioners and psychologists
• Professional practice guideline: Developing reports and conducting independent medical examinations in medico-legal settings
• Code of Ethics

Australian Clinical Psychology Association
• Code of ethics

Australian Psychological Society
• APS Code of Ethics
• Ethics resources (available to members only)

Annex D – Advice to people who may need to disclose security classified or sensitive information during medical consultation

The Australian Government wants to support you in getting the best medical services possible to resolve your mental health condition. Your current or previous agency has a number of support mechanisms that you may be able to access. It is recommended that you contact the agency’s human resources or personnel support officers for further advice.

As part of your medical consultation you may be asked to disclose sensitive or security classified information relating to the circumstances that led or contributed to your mental health condition.

The unauthorised disclosure of security classified or sensitive information by a current or former Commonwealth officer or contractor may be subject to section 70 of the Crimes Act 1914 as well as any specific secrecy provisions relating to the agency that employed you when you were provided the information. However, your agency wants to work with you through your medical service provider to manage the impact of any disclosure.

It is recommended that prior to medical consultations you discuss any potential disclosures of security classified or sensitive information relating to events that may have led to your mental health condition with the agency that employed you at that time. If you have already disclosed security classified or sensitive information you will need to contact the agency so that they can work with you to minimise the impact of the disclosure.

The agency that provided you with the information may have in-house medical service providers or be able to provide you with contact details of suitable medical service providers available through contract to the agency. These medical service providers can assist you through the resolution of your mental health condition. Agency identified providers have a greater understanding of the sensitivity of the agency’s information as well as being required under their contracts to protect it.

You may still seek a medical service provider of your choice. However, you are encouraged, with the provider’s approval, to provide their contact details to the affected agency so that the agency can work with you and your medical service provider to manage the information. A separate generic information sheet is available for medical service providers at Annex E.

If it becomes necessary as part of your medical consultations to disclose security classified or sensitive information, for example, information about classified defence or police operations, advise your medical service provider of the sensitivity of the information. Please limit any disclosure to the minimum necessary for effective management of your condition. Some options you may be able to use to anonymise information include not identifying:

• specific locations – while the fact that you were on overseas deployment or undercover operations is not normally security classified, the details of the deployment or operations may be
• operation codenames or code words – classified operations are normally identified by a codename or code word. Avoid providing codenames or code words to your medical service provider
• your agency’s name – in some instances the fact that you are, or were, employed by a specific agency may be security classified. If so, refer to your agency using the pseudonym provided by the agency.

Additionally, if you are a security clearance holder you are required to report any changes of circumstances, including health or medical circumstances, to your current agency. If you are no longer an employee at this agency, please report changes of circumstances directly to the vetting agency. See the Australian Government personnel security protocol-Annual health check section 9.3.

Annex E – Advice to medical service providers who may be provided security classified or sensitive information during mental health consultations

The Australian Government wants to support you in providing the best medical services possible to resolve mental health conditions of its employees.

Some employees may disclose security classified or sensitive information during medical consultations. While you may be subject to section 79 of the Crimes Act 1914 or other specific secrecy provisions in legislation relating to this information, the Government would like to work with you to manage this information’s use and storage to minimise the possibility of any accidental disclosure of the information by you.

If you believe that an employee may need to disclose, or has disclosed, security classified or sensitive information to you as part of their medical consultations, you are encouraged to discuss your concerns with the employee in the first instance. You are asked to limit records of information with security implications to that which is required for the medical services.

Additionally, with the agreement of the employee it is recommended that you discuss the management of the information with the agency affected by the employee’s disclosure. While it is not recommended to provide the agency with any information subject to client-provider privilege, the agency will be able to provide specific advice to help you handle the information provided by the employee.

The following generic information may also assist you.

De-identifying information

The importance of client-provider privilege, anonymity and discretion when handling sensitive or security classified information (including personal details – names, work, role) cannot be overstated.

Where possible it is recommended that the information is anonymised by not identifying:

• specific locations – while the fact that the employee was on overseas deployment or in undercover operations is not normally security classified, the details of the deployment or operations may be. The employee is encouraged to advise you if this is the case
• operation codenames or code words – classified operations are normally identified by a codename or code word. If the employee provides any codenames or code words, avoid recording them
• the employing agency’s name – in some instances the fact that the employee is, or was, employed by a specific agency may be security classified. Refer to the agency using the pseudonym provided by the agency.

Handling of interview/ consultation recordings

Your normal information security measures may not be sufficient for security classified and sensitive information. The following additional controls are recommended for consultation records relating to cases where sensitive or security classified information may be disclosed, to the extent compatible with managing the mental health condition:

• keeping all detailed consultation records relating to the case in hard copy only and de-identifying the information as much as possible (as above)
• only including a de-identified overview in electronic treatment records systems
• storing any audio or video recordings with the hard copy records rather than uploading them to your ICT system
• storing physical records in a secure locked safe or locked cabinet which cannot be accessed by other practice personnel (unless necessary for medical services for the employee)
• transferring information only when necessary
• destroying any detailed records when no longer required for medical consultations, if allowable under legislation.

Transfer of records to third parties

Compensation authorities

It is recommended that if the employee is submitting a compensation claim you contact the compensation authority prior to reporting on the medical services to ascertain the level of information required by the authority.

It is recommended that you seek advice from the employing agency on managing the transfer of consultation records to the compensation authority. Where consultation records contain security classified information, or you are concerned about the sensitivity of the information, the records can be sent to the compensation authority by courier. It is recommended you seek advice from the agency on suitable courier options.

It is recommended that you contact the originating agency of sensitive or security classified information in the consultation record for advice on appropriate handling.

Other third parties

The employing agency can advise you on how to manage the transfer of detailed information relating to the case to other parties such as other medical service providers and legal representatives.

You may from time-to-time be requested to provide details of work-related medical conditions to other persons—for example, as an expert witness in court proceedings. It is recommended that you seek advice from the employee’s agency as to what information may be disclosed or if any specific controls can be put in place.

Recommended publications