Handling of Confidential Information

1.0 PURPOSE 

AGRF Ltd is committed to handling personal information (including health information and other sensitive information) in accordance with all applicable privacy laws, including the Australian Privacy Principles set out in the Privacy Act 1988. 

The purpose of this policy is to provide clear instructions on handling confidential information and to detail the various security measures that must be followed for such information.

2.0 SCOPE

This policy applies to all activities conducted within AGRF. It applies to the collection, use and disclosure of all personal and sensitive information. This includes information relating to AGRF employees and clients, and information received along with the samples. AGRF staff must treat this information as confidential and take steps to ensure that it is held, transferred and disposed of in a secure manner.

Information considered as confidential:  

  • Personal information on samples, sample submission forms, test result/data: Samples received by AGRF may carry personal information that could be used to identify the donor of the sample or companies that may not wish to publicise their association with AGRF. AGRF staff must treat this information as confidential.

  • Client information: Personal information collected from a client or vendor for business purposes

  • Employee personal information: Personal and sensitive information related to AGRF employees

  • Standard operating procedures and related documents and forms 

  • Company policies and procedures 

  • Any other AGRF related sensitive information 

3.0 HANDLING CONFIDENTIAL INFORMATION

3.1 Hard copies/paperwork

Paper copies of documents accompanying samples need to include the sender and organisation details as a minimum.  AGRF Sample submission sheets and other paper communications from identifiable clients are to be kept confidential.    

Such documents will also contain information on the samples; this may include, but is not limited to, personal names, addresses and dates of birth, and must be treated as confidential information. This information may be required for raw samples submitted for clinical extraction (saliva, blood, etc) to enable AGRF to process the samples according to our service agreements.

Sample reception procedures will detail the steps required in annotating, digitising, and cross-checking the information on these sheets with physical samples. These sheets must be stored behind a locked controlled access door when in use and thereafter in compliance with records retention requirements. 

At the time of disposal, these are to be shredded on site, or consigned to a secure waste disposal company. Such sheets cannot be placed in standard waste or recycling bins without prior shredding.

3.2 Physical samples for Clinical Genomic Services 

These will include, but are not limited to: Blood tubes, Saliva stabilisation vials (eg. ORAgene), oral swabs, DNA samples, and FFPE biopsy samples. These containers may be labelled with donor names, dates of birth and/or other potentially identifying information.

Prior to disposal, ensure that all such samples are stored in designated locations (with signage, eg. “Clinical Samples”) to ensure they are correctly identified. 

At the time of disposal, such original containers must have the labelling destroyed beyond recognition, such as scratched or crossed out.  

Identifiable waste must be disposed of as Medical/Biohazard Waste using yellow collection bins. The contents are destroyed by a certified service provider at a secure facility. 

3.3 Electronic files 

All client and AGRF files containing identifiable information must always be behind at least one level of password protection when not in immediate use. Such files are typically MS Excel documents, or digital scans of paper originals in pdf format. 

All AGRF servers and data (apart from ftp and external client facing LIMS interfaces) are held behind firewalls and require authentication to access either desktops or servers. AGRF ICT restricts access to servers where data is held and has secondary firewalls in place to reduce illicit access. AGRF deploys AI on the network which monitors for “anything out of the ordinary”. Data will be monitored, and the system trained to look for suspicious activity such as data exfiltration where data is being uploaded to a client (rather than the client downloading it from us). Suspicious login activity is also monitored to detect potential threats and the system being compromised.

3.4 Data transfers 

Data files should be transferred between nodes via shared drives with access restrictions. Email should be avoided to reduce the risk of an incorrect email address being used. Client data must not be transferred onto any personal storage device.

3.5 Waste hard drives 

ICT removes hard drives from computers going for disposal, before they are sent to a secure facility where they will be cross-shredded and reduced to particulate matter.  

3.6 Portable media:   

  • Portable hard drives: 

These must not be re-used. The pertinent risk is that previously loaded data is not completely erased and may be accidentally recovered by a different client. Portable physical media should be one way only - outgoing. Data sent to clients on hard drives is manually encrypted with decryption information sent separately.

  • Laptop computers: 

All data stored on portable devices (laptops, etc) is encrypted automatically, reducing the risk of the data being extracted/retrieved should a device be lost/stolen.

AGRF maintains a policy and procedures to ensure confidentiality of data. It is imperative that every staff member observes the utmost discretion with regard to their duties. Client data and records are confidential and are not to be discussed or disclosed to unauthorised persons. If there is uncertainty regarding whether persons are authorised to receive data, consultation with the Section Supervisors / Managers is obligatory.

4.0 REFERENCES AND FURTHER READINGS  

Privacy Act 1988: https://www.oaic.gov.au/privacy/the-privacy-act

Information Privacy Act 2000 (Vic): http://www.legislation.vic.gov.au/ 

Privacy and Personal Information Protection Act 1998 (NSW): http://www.legislation.nsw.gov.au/ 

Information Privacy Act 2009 (Qld): http://www.legislation.qld.gov.au/ 

Information Privacy Principles Instruction, Premier and Cabinet Circular PC012 (SA): www.archives.sa.gov.au/privacy/principles.html