Information Management

Policy framework statement

The Information Management Policy Framework specifies the information management requirements that all Health Service Providers (HSPs) must comply with in order to ensure effective and consistent management of health, personal and business information across the WA health system.

Purpose

The purpose of this policy framework is to:

  • optimise the value and quality of information to support the realisation of the WA health system's vision to deliver a safe, high quality, sustainable health system for all Western Australians
  • maximise access and use of information to achieve the System Manager and Health Service Provider functions in accordance with the Health Services Act 2016 and other written laws
  • enhance transparent public reporting and real-time access to information to support better services and outcomes, and a more accountable WA health system
  • minimise misuse and inappropriate disclosure of information
  • provide employees with the ability and knowledge to safely secure and protect sensitive, confidential and appropriately classified information
  • promote appropriate fit-for-purpose information management governance models and mechanisms
  • support the effective, efficient and consistent management of information through each stage of the information lifecycle
  • foster the adoption of contemporary best practice for data integrity and information management related processes, procedures and policies across the WA health system.

Applicability

This policy framework is binding on each HSP to which it applies or relates.

Principles

The key principles that underpin this policy framework are for information in the WA health system to be:

Valued

  • by facilitating better patient treatment, health care and public health
  • by better informing decision making
  • by providing opportunities to identify effectiveness and efficiency improvements
  • by enabling research related discoveries, innovations and enhancements.

Available

  • by collecting and storing relevant, timely and high quality information
  • by using methods to ensure stored information is migrated, preserved, and remains accessible and usable
  • by facilitating transparent public reporting and real-time information access
  • for the legal purposes stipulated in the Health Services Act 2016, the Health Services (Regulations) Act 2017 and other written laws
  • for functions stipulated in the Health Services Act 2016 and other statutory requirements
  • through streamlined access protocols and mechanisms in accordance with the delegated authorities
  • for research purposes in accordance with the Health Services Act 2016 with approvals from the relevant Human Research Ethics Committee (HREC) that is constituted and acts in compliance with the National Statement on Ethical Conduct in Human Research.

Shared

  • for purposes that are directly related to, and necessary for, the activities of the Health Service Providers to manage, plan, evaluate or promote, protect and maintain the health of the community
  • for the legal purposes stipulated in the Health Services Act 2016, the Health Services (Regulations) Act 2017 or other written laws
  • for functions stipulated in the Health Services Act 2016 or other written laws
  • by adopted policies, processes and procedures that support a culture of information sharing in accordance with legal requirements
  • to reduce the need to collect the same information multiple times
  • appropriately in accordance with statutory, regulatory and mandatory policy requirements and delegated authorities.

Governed

  • through a clearly defined information management governance model(s) and mechanisms
  • at each stage of the information lifecycle
  • within information management systems where required and in accordance with legislative requirements
  • through transparent and accountable data governance and research ethics processes
  • in accordance with statutory, regulatory and mandatory policy requirements
  • to promote access to information for assurance purposes
  • by adopting effective models that are simple, fit for purpose and appropriate to the dataset or information being managed.

Trustworthy

  • by providing policies, processes and procedures to promote high quality information
  • by adopting common definitions, interpretations, data quality statements, formats and business rules
  • by incorporating best practice data integrity and information management processes
  • by utilising audits, information specialists and subject matter experts.

Secure and protected

  • by storing information in systems that are secure, protected and meet governance requirements
  • by adopting best practice for procurement, design, development, testing and implementation of information systems
  • in a manner that is transparent and accountable to protect against misuse, or the unauthorised or inappropriate collection, storage, transit, access, use, disclosure or disposal of information
  • by ensuring staff within the WA health system are informed and empowered to do everything reasonable and practicable to prevent the misuse or unauthorised access to or disclosure of information
  • by adopting security provisions to protect against unauthorised access, use, modification or disclosure
  • by ensuring information is disposed of appropriately and in accordance with any requirement for its retention and disposal
  • by mitigating and managing information breaches and security incidents
  • by ensuring compliance with statutory, regulatory and mandatory policy requirements for each stage of the information lifecycle.

Legislative context

This policy framework is made pursuant to ss 26(2)(k) of the Health Services Act 2016.

The Health Services Act 2016 refers to policy frameworks in ss. 26-27 and s. 34(2)(c). The other part of the Act that relates specifically to this policy framework is Part 17.

The legislation below may also apply:

  • Children and Community Services Act 2004
  • Commonwealth Privacy Act 1988 (Australian Privacy Principles)
  • Coroners Act 1996
  • Corruption, Crime and Misconduct Act 2003
  • Criminal Code Act Compilation Act 1913
  • Electronic Transactions Act 2011
  • Equal Opportunity Act 1984
  • Evidence Act 1906, Acts Amendment (Evidence) Act 2000
  • Freedom of Information Act 1992
  • Freedom of Information Regulations 1993
  • Health (Miscellaneous Provisions) Act 1911
  • Health and Disability Services (Complaints) Act 1995
  • Health Services (Information) Regulations 2017
  • Human Reproductive Technology Act 1991
  • Industrial Relations Act 1979
  • Mental Health Act 2014
  • National Health and Medical Research Council Act 1992
  • Public Health Act 2016
  • Health Services Act 2016
  • State Records Act 2000

Policy framework custodian

Assistant Director General
Purchasing and System Performance

Enquiries relating to this Policy Framework may be directed to: PolicyFrameworkSupport@health.wa.gov.au

Review

This policy framework will be reviewed as required to ensure relevance and recency. At a minimum this policy framework will be reviewed within two years after first issue and at least every three years thereafter.

Version Effective from Amendment(s)
55 9 September 2024 Policy review and amendment to MP 0145/20 Information Storage Policy. Amendments include the following: Purpose section refined; Applicability section: WA health entity and contracted health entities statement updated; Policy requirements: section condensed and terminology update to 'staff members'; Compliance monitoring section updated for consistency and to reflect other Information and System Performance Directorate owned policies; Inclusion of the following related documents: State Records Commission Standard 6: Outsourcing; State Records Commission Standard 7: State Archives Retained by Government Organisations; State Records Office of Western Australia Archival Storage Specification; State Records Commission Standard 8-Managing Digital Information; Specifications for Digitisation of State Records; Australian Government, Department of Health and Aged Care: Therapeutic Goods Administration: Biological standards; Supporting Information 'Information Storage Policy Resource Compendium' updated; Definitions 'WA health entity'; 'Digital Record' and 'Information' updated; Policy contact updated to Director level to reflect policy ownership. 
54 2 September 2024 Policy review and amendment to MP 0146/20 Information Classification Policy. Updated policy requirements section to include mandatory requirement for WA health entities to comply with the Information Classification Labelling and Handling Minimum Requirements. Inclusion of related document: ‘Information Classification Labelling and Handling Minimum Requirements.’ Inclusion of supporting information document: ‘Information Classification Resource Compendium.’
53 3 July 2024 Policy review and amendment to MP 0164/21 Patient Activity Data Policy. Amendments include the removal of the superseded mandatory policies from the Purpose section as three years since policy in effect. Inclusion and updated 2024-25 related documents and supporting information. 
52 9 May 2024 New mandatory policy MP 0184/24 Data Linkage Policy.  The purpose of this policy is to establish minimum data linkage standards for WA health entities creating linkage keys to enable the integration of WA health system information. 
51 1 February 2024 Policy review and amendments to MP 0015/16 Information Access, Use and Disclosure Policy.  Amendments include the following: Purpose section amended to align with governance requirements; Applicability section amended to capture WA health entities and update the statement on contracted health entities; Related document - new Information Access, Use and Disclosure Standards; Supporting information: Compendium update with contemporary guidance; Definitions section amended to remove terms no longer referred to in the policy and/or Standards. 
50 31 January 2024 Policy review and amendments to MP 0144/20 Information Retention and Disposal Policy. Amendments include: Purpose section amended to align with governance requirements; Applicability section amended to include a standard phrase on contracted health entities; Compliance monitoring section amended to clarify the requirements of WA health entities and the Department of Health; Related documents: Inclusion of DA 2021-012 Sector Disposal Schedule for Mental Health Services; All hyperlinks reviewed and updated as required, with the Recordkeeping Resource Schedule (previously Supporting Information) hyperlinks transferred into the policy. 
49 1 July 2023 Amendment to MP 0164/21 Patient Activity Data Policy. Annual review and inclusion of 2023-2024 related documents and supporting information.
48 9 June 2023 Amendment to MP 0152/21 Information Management Governance Policy. Amendment to supporting information document: Information Asset Governance Document Template to provide additional information in section 3: Roles and Responsibilities.
47 11 May 2023 Policy review and amendment to MP 0135/20 Information Breach Policy. Amendments include the inclusion of WA health entities in the Compliance Monitoring section and removed Health Service Providers; removed detailed mandated requirements to the new related document 'Information Breach Response Standard'; amendments to the related document: 'Information Breach Notification Form'; supporting information documents developed 'Information Breach Response Checklist' and 'Information Breach Response Guide' and removed definitions that are not captured in the policy.
46 9 May 2023 New mandatory policy MP 0178/23 Information Quality Policy. This policy supersedes MP 0057/17 Data Quality Policy. The purpose of the Information Quality Policy is to provide information users with the minimum requirements to ensure a high standard of information quality for information assets and associated outputs.
45 8 March 2023 Minor amendment to MP 0152/21 Information Management Governance Policy. Inclusion of statement to Section 3: Steward Recommendation within the Related Document forms: Recommendation of Sponsor Form, Recommendation of Custodian Form and Recommendation of Administrator Form.
44 16 February 2023 Amendment to MP 0144/20 Information Retention and Disposal Policy. Amended Digitalization Specifications link within related document: Patient Information Retention and Disposal Schedule Requirements. Amended related document link: Digitalization Specifications link.
43 3 February 2023 Amendment to MP 0164/21 Patient Activity Data Policy - minor amendment to one URL link within related documents: Hospital Morbidity Data Collection Data Specifications and Mental Health Data Collection Data Specifications.
42 31 August 2022 Amendment to MP 0164/21 Patient Activity Data Policy - minor amendment to Supporting Information document Patient Activity Data Policy Information Compendium.
41 29 August 2022 Amendment to MP 0164/21 Patient Activity Data Policy - minor amendments to Related Document Non-Admitted Patient Data Collection Data Dictionary.
40 26 July 2022 Amendment to MP 0152/21 Information Management Governance Policy. Amendments to Related Documents and Supporting Information to reflect the Collection and Disclosure of Health Information Delegations 2022. Included updated definition for WA health system.
39 24 June 2022 Amendment to MP 0144/20 Information Retention and Disposal Policy. Replaced the related document RD 2014001 Patient Information Retention and Disposal Schedule PIRDS with DA 2019-008 Patient Information Retention and Disposal Schedule. Included Patient Information Retention and Disposal Schedule Requirements as a related document.
38 22 June 2022 Annual review and amendment to MP 0164/21 Patient Activity Data Policy - inclusion of 2022-2023 Related Documents and Supporting Information.
37 29 November 2021 Amendment to MP 0015/16 Information Access, Use and Disclosure Policy - amendment to page 29 of Supporting Information document Information Access, Use and Disclosure Policy Resource Compendium. Removed reference to Data Practice Code document as no longer relevant.
36 9 September 2021 Minor Amendment to MP 0164/21 Patient Activity Data, revision and link update to Supporting Information - Contracted Care Supplementary Information - referenced in the Information Compendium.
35 19 August 2021 MP 0146/20 Information Classification Policy - Amend links to the Related Document - Western Australian Information Classification Policy and to Supporting Information - Western Australian Information Classification Policy Assessment Flow Chart and Western Australian Information Classification Policy Business Impact Levels Tool.
34 23 July 2021 Minor Amendment to MP 0015/16 v.2.2 Information Access, Use and Disclosure Policy - amendment to one Supporting Information document Information Access, Use and Disclosure Policy Resource Compendium.
33 29 June 2021 Minor Amendment to MP 0152/21 Information Management Governance Policy - addition of two new Supporting Information Documents (Templates).
32 15 June 2021 New MP 0164/21 Patient Activity Data Policy, published in advance of implementation on 1 July 2021. New MP 0164/21 supersedes: MP 0058/17 Admission Policy, MP 0056/17 Clinical Coding Policy, MP 0143/20 Emergency Department Data Collection and Reporting Policy, MP 0059/17 Hospital Morbidity Data Reporting Cycle and Edit Protocol Policy, MP 0088/18 Elective Services Wait List Data Collection Data Reporting Requirements Policy, MP 0087/18 Non-Admitted Activity Recording and Reporting Policy, MP 0036/16 Data Reporting Requirements for Episodes of Admitted Maintenance Care Policy, MP 0061/17 Data Reporting Requirements for Episodes of Admitted Palliative Care Policy.
31 10 June 2021 Major amendment to MP 0144/20 Information Retention and Disposal Policy. Changes to Related Documents.
30 11 May 2021 New MP 0157/21 Establishment and Workforce Data Policy to supersede MP 0091/18 Workforce Data Policy.
29 28 April 2021 Minor amendment to MP 0135/20 Information Breach Policy for Related document Information Breach Notification Form.
28 18 March 2021 Major Amendment to include additional Related document to MP 0144/20 Information Retention and Disposal Policy.
27 18 February 2021 IC 0179/14 Guidelines for the Transmission of Personal Health Information by Facsimile Machine superseded by MP 0067/17 Information Security Policy.
26 16 February 2021 New MP 0152/21 Information Management Governance Policy to supersede MP 0011/16 Data Stewardship and Custodianship Policy.
25 4 December 2020 Publish MP 0145/20 Information Storage Policy to supersede OD 0559/14 Information Storage and Disposal Policy. Publish MP 0146/20 Information Classification Policy to supersede OD 0537/14 Information Classification Policy.
24 1 December 2020 Publish New MP 0144/20 Information Retention and Disposal Policy to supersede MP 0002/16 Patient Information Retention and Disposal Schedule Policy and OD 0583/15.
23 22 October 2020 Rescinded OD 0558/14.
22 21 September 2020 New MP 0143/20 Emergency Department Data Collection and Reporting Policy superseded OD 0205/09. Rescinded OD 0464/13.
21 10 August 2020 Rescindment of OD 0122/08 and OD 0574/14.
20 13 July 2020 Major Amendment to MP 0058/17 Admission Policy.
19 29 June 2020 Minor Amendment to remove the WA Data Linkage Branch Access and Charging Policy from Mandatory requirements.
18 15 June 2020 Rescindment of OP 1944/05 from Mandatory requirements.
17 7 May 2020 Rescindment of IC 0208/14 from Supporting Information.
16 6 May 2020 New MP 0135/20 Information Breach Policy.
15 17 October 2019 Major Amendment MP 0015/16 Information Access, Use and Disclosure Policy. Rescindment of IC 0177/14 from Supporting Information.
14 17 September 2019 Aboriginal standardised position information added to Request Form (Related Document) and Information Compendium (Supporting Information).
13 6 August 2019 Amendment to the Framework resulting from consultation and research include: purpose, principles (including key elements within the principles), realignment of the mandatory policy groupings, definitions, and addition of the General Disposal Authority for State Government Information.
12 30 July 2019 Major Amendment MP 0087/18 Non-Admitted Activity Recording and Reporting Policy.
11 11 July 2019 Rescindment of OD 0557/14 and Department of Health Recordkeeping Plan 2013.
10 18 October 2018 Rescindment of IC 0200/14 from Supporting Information and Major Amendment to MP 0058/17 Admission Policy.
9 11 October 2018 Rescindment of OD 0564/14 from Mandatory Requirements.
8 26 September 2018 New MP 0091/18 Workforce Data Policy, superseded OD 1435/01, OD 0567/14, OD 0568/14 and MP 0042/16 Standardised Position Titles Policy.
7 27 June 2018 New MP 0087/18 Non Admitted Activity Recording and Reporting Policy, superseded MP 0068/17 Non-Admitted Activity Recording and Reporting Policy. New MP 0088/18 Elective Services Wait List Data Collection Data Reporting Requirements Policy, superseded MP 0014/16 Elective Services Wait List Data Collection (ESWLDC): Data Reporting Requirements for Health Service Providers.
6 22 February 2018 Rescinded OD 0272/10, OD 0132/08 and OD 0131/08 from Mandatory Requirements.
5 4 October 2017 New MP 0068/17 Non-Admitted Activity Recording and Reporting Policy, superseded OD 0621/15 and OD 0622/15. Rescinded OD 0621/15 and OD 0622/15 from Mandatory Requirements.
4 2 August 2017 New MP 0061/17 Data Reporting Requirements for Episodes of Admitted Palliative Care.
3 1 July 2017 New MP 0058/17 Admission Policy, superseded OD 0540/14. New MP 0056/17 Clinical Coding Policy, superseded OD 0620/15. New MP 0059/17 Hospital Morbidity Data Reporting Cycle and Edit Protocol Policy, superseded OD 0136/08 and OD 0137/08. Rescinded OD 620/15, OD 0380/12, OD 0136/08, and OD 0137/08 from Mandatory Requirements and OD 0540/14 from Supporting Information.
2 30 June 2017 Major Amendment to MP 0036/16 Data Reporting Requirements for Episodes of Admitted Maintenance Care, Major Amendment to MP 0015/16 Information Access, Use and Disclosure Policy.
1 1 July 2016 Original version

Approval

This policy framework has been approved and issued by the Director General of the Department of Health as the System Manager.

Approval by: Dr David Russell-Weisz, Director General, Department of Health
Approval date: 01 July 2016
Date published: 19 July 2019
File number: F-AA-40150

Compliance

This policy framework is binding on those to whom it applies or relates. Implementation at a local level will be subject to audit.

Glossary of terms

Term Meaning
Access The direct access by authorised users (both internal and external to the WA health system) to information within data collections managed by the Department or Health Service Providers. Typically, direct access is gained via a network and/or system login and password to a front-end information system or to a back-end database.
Business information Includes, but is not limited to, administration, corporate, workforce, human resources, financial or accounting information that may contain personal information.
Confidentiality Obligation imposed on persons by common law, statute and/or equity which requires that information of a certain character (e.g. personal or otherwise sensitive information) be treated in confidence by those to whom it is made known or becomes known.
Data The term 'data' generally refers to unprocessed information, while the term 'information' refers to data that has been processed in such a way as to be meaningful to the person who receives it. In this policy the terms 'data' and 'information' have been used interchangeably and should be taken to mean both data and information.
Data linkage A complex technique connecting data records within and between datasets thought to relate to the same person, place, family or event. Data linkage typically uses demographic data (for example: name, date of birth, address, sex, medical record number) and facilitates analysis of linked information in a way that protects individual privacy.
Disclosure A person discloses information if they: cause the information to appear, allow the information to be seen, make the information known, reveal the information or lay the information open to view.
Disposal Refers to the action or process to destroy.
Duty of confidentiality Obligation imposed on persons by common law, statute and/or equity which requires that information of a certain character (e.g. personal or otherwise sensitive information) be treated in confidence by those to whom it is made known or becomes known.
Health information Has the meaning given in the Health Services Act 2016 in section 213 as:
(a) information, or an opinion, that is also personal information, about:
      (i) the health (at any time) of an individual; or
      (ii) a disability (at any time) of an individual; or
      (iii) an individual's expressed wishes about the future provision of health services to the individual; or
      (iv) a health service provided, or to be provided, to an individual; or
(b) other personal information collected to provide, or in providing, a health service.
Health Service Provider Health Service Provider means a health service provider established under section 32 of the Health Services Act 2016 and may include North Metropolitan Health Service (NMHS), South Metropolitan Health Service (SMHS), Child and Adolescent Health Service (CAHS), WA Country Health Service (WACHS), East Metropolitan Health Service (EMHS), Quadriplegic Centre, PathWest and Health Support Services (HSS).
Human Research Ethics Committee (HREC) A human research ethics committee constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research.
Information Refer to data.
Information Governance Refers to the processes used to manage the availability, usability, integrity and security of information assets.
Information Lifecycle Information lifecycle is the sequence of operational activities for managing information from creation to disposal. The activities within the information lifecycle are collection, storage, access/disclosure, use and disposal.
Information Management Refers to the management of information across all stages of the information lifecycle.
National Statement Refers to the National Statement on Ethical Conduct in Human Research, which is a series of guidelines that are produced in accordance with the National Health and Medical Research Council Act 1992 (Cwlth) clause 7(1)(a).
Personal information Has the meaning given in the Freedom of Information Act 1992 in the Glossary clause 1:
Means information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -
(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.
Privacy¹ An individual's right or expectation that their information will be maintained securely and in confidence.
Secure/Protected Refers to information that is secured and protected from unauthorised access or misuse across all stages of the information lifecycle.
Use A person ‘uses’ information if they: employ the information for some purpose, put the information into service, turn the information to account, avail themselves of the information or apply the information for their own purposes.
WA health system Pursuant to section 19(1) of the Health Services Act 2016, means the Department of Health, Health Service Providers and to the extent that Contracted Health Entities provide health services to the State, the Contracted Health Entities.

¹ National Health and Medical Research Council - Principles for Accessing and Using Publicly Funded Data for Health Research, Canberra
https://www.nhmrc.gov.au/about-us/publications/principles-accessing-and-using-publicly-funded-data-health-research