Management of sensitive information

HeartAI platform components and HeartAI administrators and developers may have varying access and exposure to potentially sensitive information. HeartAI takes the appropriate management of sensitive information very seriously and implements formalised processes and practices to ensure that access to this information is constrained and secure. This includes understanding and complying with state and federal laws, policies, regulations, and compliance standards. In particular, this includes following the policies of SA Government generally and the corresponding policies of SA Government health organisations.

The following laws, policies, regulations, and compliance standards are central to HeartAI management of sensitive information:

Generally, a high level of organisational, operational, and technical due diligence is expected of HeartAI platform components and HeartAI administrators and developers. HeartAI employees are required to understand and follow this policy and to coordinate with state and federal governance authorities to ensure that HeartAI activity meets a high level of rigour, particularly within the health system context.

HeartAI policy, including this policy for the management of sensitive information, is routinely reviewed and updated. Modifications or amendments to this policy are made in coordination with governance authorities on the basis of a high standard of diligence.

Policy

  1. HeartAI platform components and HeartAI administrators and developers must comply with SA Health and SA Government policies in relation to sensitive information. This includes, but is not limited to:
    1.1. The Privacy Act 1988, and,
    1.2. The Health Care Act 2008, and,
    1.3. The Australian Privacy Principles, and,
    1.4. The South Australian Information Classification System, and,
    1.5. The Information Classification System Policy Directive.
  2. In relation to the South Australian Information Classification System:
    2.1. The South Australian Information Classification System is the governing framework that HeartAI platform components and HeartAI administrators and developers must comply with in relation to the classification of sensitive information. The following excerpt is referenced from the South Australian Information Classification System:

    The ICS is used to assist South Australian public sector agencies to assess the confidentiality, integrity and availability of their information assets and ensure the appropriate protections, including protective markings and handling requirements, are assigned. The ICS replaces the classifications previously outlined in the Information Security Management Framework (ISMF).

  3. In relation to the Information Classification System Policy Directive:
    3.1. The Information Classification System Policy Directive describes additional policy in relation to SA Health jurisdictional data. The following excerpt is referenced from the Information Classification System Policy Directive:

    The South Australian Information Classification System (ICS) was approved by Cabinet and all South Australian public sector agencies must use the ICS when assessing the confidentiality, integrity and availability of their information assets. The ICS replaces the classifications previously outlined in the Information Security Management Framework (ISMF).

    This Policy Directive requires SA Health’s information assets to be identified, classified, labelled, managed and protected based on confidentiality. Whilst the integrity and availability markings are no longer required, consideration should always be given to the integrity and availability of information at the time of classification.

  4. In relation to approval and access to sensitive information:
    4.1. HeartAI administrators and developers should understand their responsibilities regarding access to sensitive information. This includes this policy, the referenced policies, and any applicable policies that support appropriate governance of sensitive information.
    4.2. HeartAI administrators should discuss with, and seek approval from, governing authorities when considering any high-impact modification to the accessibility of sensitive information.
    4.3. HeartAI administrators should provide appropriate technical controls to govern access to sensitive information, and should administer access on the principle of minimum necessary permissions (least privilege).
    4.4. Any breach of sensitive information should be reported immediately to governing authorities.
  5. In relation to technical governance:
    5.1. A high level of technical due diligence is expected of HeartAI administrators to ensure that HeartAI platform components are secure and well managed. System components must be developed to a standard that meets expectations for the management of sensitive information. This must include aligning with SA Health and SA Government policies.
    5.2. HeartAI administrators should regularly coordinate system development with corresponding governing authorities and domain administrators such that technical and process standards are achieved.
  6. In relation to the ongoing review of this policy:
    6.1. This policy should be reviewed at least every 6 months. This review should assess the appropriateness of the existing policy, and should propose any modifications or extensions to the policy where needed.
    6.2. Modifications or extensions to this policy should be reviewed and approved by corresponding governing authorities.
    6.3. This policy welcomes suggestions and feedback.
  7. In relation to the governance and compliance of this policy:
    7.1. This policy must be understood and agreed to by HeartAI administrators and developers before the approval of access to HeartAI platform components.
    7.2. Where this policy does not address, or conflicts with, a mandated SA Health or SA Government policy, the existing SA Health or SA Government policy takes precedence. HeartAI administrators will resolve policy deficits by approved modification or extension of HeartAI policy.
    7.3. HeartAI administrators are responsible for ensuring that this policy is compliant with SA Health and SA Government policies.