Privacy Policy and Procedure
Authorisation
Date of review
Purpose and scope
The purpose of this policy is to establish a comprehensive framework for Connecting Families to manage the collection, recording, handling, and storing of personal information obtained during its operations. This is to ensure compliance with ethical and legal obligations as outlined by the Australian Privacy Principles within the Privacy Act 1988 (Cth), Privacy Amendment (Enhancing Privacy Protection) Act 2012, and all other relevant legislation including the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
This policy applies to all clients, their family members, carers, other supporters, and our staff.
Key definitions
- the physical, mental or psychological health (at any time) of an individual
- a disability (at any time) of an individual
- an individual’s expressed wishes about the future provision of health services to them
- a health service that is provided or to be provided to an individual
- other personal information collected to provide, or in providing, a health service
- other personal information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances
- other personal information that is genetic information about an individual in a form which is or could be predictive of health (at any time) of the individual or of any of his or her descendants.
Notifiable data breach
Where there has been unauthorised access or disclosure of personal information it holds, or such information has been lost in circumstances where it is likely to lead to unauthorised access or disclosure; and a reasonable person would conclude that such access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
Sensitive information means information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinion or membership of a political association;
- religious beliefs or affiliations;
- philosophical belief;
- membership of a professional or trade association;
- membership of a trade union;
- sexual preferences or practices;
- criminal record; or
- health, genetic, biometric information, or biometric templates.
Policy
Connecting Families is committed to safeguarding the privacy and confidentiality of personal, health, or sensitive information of individuals including but not limited to clients, stakeholders, and employees. Every individual and their legal representatives have the authority to decide who will have access to their private information.
Connecting Families is committed to upholding the highest standards of confidentiality and privacy in all aspects of its records and information management. We ensure that any information collected is used solely for its intended purpose and is appropriately safeguarded. Our data collection practices are designed to acquire only information essential for the effective and efficient delivery of support and services. Every employee at Connecting Families is entrusted with the responsibility of safeguarding the privacy and confidentiality of the company, our clients, and other employees.
Procedure
Collection of Personal Information
At all times we will only collect the information we need for the services we provide. The main way we collect personal information about an individual is when the individual gives it to us. For example, we collect personal information when the individual:
- enquires about services that we offer, or establishes services to be provided to the individual,
- offers a compliment, or raises a complaint,
- raises a Privacy matter for our consideration,
- contracts to provide us goods or services, and,
- applies for a position of employment or a volunteering position.
In some situations, Connecting Families may also obtain personal information from a third-party source. If we collect information about the individual in this way, we will take reasonable steps to contact the individual and ensure that they are aware of the purpose for which we are collecting and the organisation to which we may disclose their information, subject to any exceptions under the Privacy Act.
Collection and retention of Personal Information
Connecting Families collects and holds the personal information of clients, employees, volunteers, and contractors. ‘Personal information’ means information we hold about you from which your identity is either clear or can be reasonably determined. The personal information we hold includes, but is not limited to the following:
Clients
- Name,
- Date of Birth,
- Country of Birth and whether you are of Aboriginal and/or Torres Strait Islander origin,
- Current address,
- Next of kin details,
- Person responsible for client, e.g., Power of Attorney, Enduring Power of Attorney, Guardian, Trustee, etc.
- Entitlement details including Medicare, Pension, and Health Care Fund,
- Medical history,
- Family medical history,
- Social history,
- Religion,
- Clinical information including assessments and monitoring charts,
- Service and Care Plans,
- Progress Notes,
- Pathology results,
- X-ray results,
- Commonwealth ACFI information,
- Financial and Billing information including Income and Asset Notifications,
- Accident and incident forms,
- Medication Charts,
- Client Agreements,
- Medical and allied health information,
- Photographs and Video and/or Audio recordings.
Employees
- Name,
- Date of Birth / Country of Birth,
- Address and contact details,
- Details of Next of Kin,
- Occupation,
- Employment history,
- Employment Application Form,
- Citizenship, Passport and/or Visa permit,
- Medical history or fitness for work information,
- Immunisation records,
- Employment References,
- Tax File Number,
- Bank Account Details,
- HR/Personnel Records including Superannuation Fund,
- National Police Certificate (Criminal History Record Check),
- Working with Children’s Check Records,
- Workers’ compensation or injury information,
- Qualifications, Training and Competency records,
Volunteers
- Name,
- Date of Birth / Country of Birth,
- Address and contact details,
- Details of Next of Kin,
- National Police Certificate (Criminal History Record Check),
- Working with Children’s Check Records,
- Drivers licence if relevant.
Contractors
- Name,
- Address and contact details,
- Qualifications, licenses, etc.
- Contractor Agreement,
- Insurances including Workers Compensation, Professional and Public Liability,
- National Police Certificate (Criminal History Record Check),
- Working with Children’s Check Records.
Collection and retention of Health Information
As necessary for administering Connecting Families’ services and functions, Connecting Families may collect Health Information solely related to its members or individuals with regular engagement in its activities. When gathering Health Information from an individual, as this data falls under Sensitive Information, Connecting Families will seek consent for the collection and provide details on its intended use and disclosure.
If Health Information is obtained from a third party, Connecting Families will inform the individual about this collection and clarify how the information will be used and disclosed.
Connecting Families will strictly adhere to the consent provided by the individual for the use of Health Information, unless further consent is obtained or in compliance with exceptions outlined in the Privacy Act or other relevant laws. In cases where Connecting Families utilises Health Information for research or statistical purposes, reasonable efforts will be made to de-identify this information, if feasible.
Collection and retention of sensitive information
Connecting Families collects and retains personal information about clients and staff if it is reasonably necessary for, or directly related to, the services provided by Connecting Families or its functions or activities. Connecting Families may only solicit and collect personal information if the individual consents to that sensitive information being collected or an exception applies to Australian Privacy Principle 3.
Collection, Consent, and Use of Personal Information
In most cases, we will only collect information directly from the individual with their consent. Personal information may be gathered from forms, telephone calls, faxes, emails, face-to-face meetings, interviews, and assessments. We may also collect information through the use of photographic and video and/or audio recordings. Where information is collected from other sources, we will inform the individual that we hold their personal information.
Generally, we will only collect personal information if it is necessary to provide health services and to comply with our obligations under Australian law (e.g., tax office obligations, immigration legislation, industrial instruments, etc.) or a court/tribunal order.
Unsolicited personal information not relevant to the functions of the organisation and information that is no longer required for the delivery of health services will be destroyed or de-identified as soon as practicable if it is lawful and reasonable to do so.
Before collecting personal information from clients or their advocates, employees must clarify:
- All private and confidential information will be stored safely,
- Connecting Families will clarify why the information is being collected, exactly how it is being stored and used as well as why Connecting Families requires the information,
- Connecting Families only gathers the necessary personal information of clients for the protected and effective provision of services.
Clients, their family members, and advocates will be notified that a copy of this policy and procedure is available on request. Employees are expected to provide privacy details to Clients and their families in forms that meet their individual communication needs. Written information can be provided or clarified verbally by employees in different languages and simple English. Connecting Families employees will support clients if they need to gain access to an interpreter.
Following from the information provided in this policy and procedure, Connecting Families employees must use a Consent Form to verify and clarify the information stated in this policy and procedure and then obtain consent from the client or their advocate to gather, store, gain access to, use, disclose, and dispose of their personal information.
The potential consequences of not allowing us to collect and hold the required personal information are that we may be unable to:
- provide appropriate health care and health services and meet our legislated obligations,
- meet the individual requirements of the care recipient,
- provide continuing employment to an employee,
- continue with the services of a contractor or volunteer.
Disclosure of Personal Information
Connecting Families will only use personal information for the purpose for which it is given to us, or for the purposes of service delivery. Personal information relating to clients and employees will not be used or disclosed for other purposes such as fundraising or direct marketing activities without seeking written consent of the person or the “person responsible” for the client.
Personal information may be disclosed if we:
- are required or authorised by Australian law, law enforcement, or a court/tribunal order,
- are required under Chapter 16A, Section 180, Section 248 of the Children and Young Persons (Care and Protection) Act 1998 and Section 20 of the Children and Young Persons (Care and Protection) Regulation 2022,
- are required by other regulatory bodies, such as WorkCover/ WorkSafe,
- reasonably believe that the disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health, or safety, or a serious threat to public health or safety,
- have reason to believe that suspected unlawful activity or misconduct of a serious nature has been, is being, or may be engaged in.
- Other healthcare professionals that are or may be involved in the care of clients or employees including general practitioners, hospitals, and other allied health providers,
- Other external agencies that we have contracts with to provide services to clients and employees on our behalf. In circumstances where this is necessary, these external agencies are required to provide confirmation of their compliance with the Privacy Act 1988 (Cth),
- Funding bodies and other government agencies as required by Commonwealth and State legislation,
- The person designated by the client as the “person responsible” for giving and accessing their information.
If it is necessary to transfer personal information to someone overseas, we will comply with this policy and the Australian Privacy Principles and take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles in relation to that information.
Security of Personal Information
We will take all reasonable steps to protect the personal information we hold from misuse and loss, and from unauthorised access, modification, or disclosure. All personal information will be held in a secure and confidential manner, and we will take all reasonable steps to ensure personal information is secure (e.g., all computers have password access, and personal information is kept in secure areas). We will train all staff with access to personal information about their obligations concerning the confidentiality of personal information and the privacy of individuals.
All our electronic systems that hold personal information have up-to-date security protection systems. These are reviewed on a regular basis and tested to ensure they are efficient and able to meet any potential “interference” that might occur.
In the event of loss of personal information, we will:
- seek to identify and secure the breach to prevent further breaches,
- assess the nature and severity of the breach,
- commence an internal investigation in relation to the breach,
- report the breach to police where criminal activity is suspected,
- notify the Office of the Australian Information Commissioner if the data breach is likely to cause serious harm under the Notifiable Data Breaches scheme,
- inform the affected individual(s) where appropriate and possible so that individuals can take steps to protect their personal information after a data breach.
We will ensure the secure disposal of electronic and paper-based records.
Will Your Information be Disclosed to Overseas Recipients?
Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries.
When clients and workers communicate with us through a social network service, the social network provider and its partners may collect and hold this personal information overseas. The social networking service will also handle the personal information for its own purposes. These services have their own privacy policies, which can be accessed on the website of the relevant social networking service.
Connecting Families uses several service providers, in Australia or overseas, to whom we disclose personal information. These include providers that host our website servers, manage our Information Technology, and manage our human resources information.
To protect personal information in relation to use of overseas based service providers, we:
- enter a contract which requires the service provider to only use or disclose the information for the purposes of the contract.
- include specific privacy requirements in the service provider contract, where necessary.
Access to Personal Information
We will take all reasonable steps to provide access to the personal information that we hold within a reasonable period in accordance with the Australian Privacy Principles. Requests for access to the personal information we hold should be made in writing to the Privacy Officer.
We may not provide access to the personal information we hold about an individual when:
- release of the personal information would be unlawful,
- the information may be subject to legal proceedings,
- release of the personal information would pose a serious threat to the life, health or safety of an individual or to public health or public safety,
- release is likely to have an unreasonable impact upon the privacy of other individuals,
- the information could compromise our business operations, and
- the request is assessed as vexatious or frivolous.
We will provide reasons for denying or refusing access to personal information in writing. This correspondence will include information concerning the mechanisms for complaining.
When information is released, should the information not be accurate or up to date, we will correct or update this information.
It is noted that children and young persons or their parents have the right to ask the Children’s Guardian to access information held about a child or young person on the Voluntary Out of Home Care Register and to correct that information. We will support any requests and assist children/ young people/ parents to contact the Children’s Guardian as needed.
Quality and Correction of Personal Information
We will take all reasonable steps to ensure that the personal information we collect, use, hold, or disclose is accurate, complete, and up to date. We record personal and sensitive information in a consistent format.
Individuals may request that personal information we hold is corrected if it is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will take all reasonable steps to correct the personal information we hold.
We will provide reasons for not complying with requests to correct personal information in writing.
Use of Government-Issued Identifiers
We will not use government-issued identifiers (a number assigned by a government agency to an individual as a unique identifier) for our operations. We will not use or disclose a government-issued identifier unless the use or disclosure is necessary to fulfil our organisational obligations (such as tax file numbers for employees) or is required under an Australian law or a court/tribunal order.
Retention of Personal Information
We will retain your Personal Information for as long as is reasonably necessary for the purposes for which we collect this information.
In some limited circumstances, we may retain your Personal Information for longer periods, for instance where we are required to do so by legal, regulatory, tax, or accounting requirements. In specific circumstances we may also retain your Personal Information for longer periods so that we have an accurate record of your dealings with us in the event of any complaints or challenges, to ensure we meet our obligation to unsubscribe a client under the Spam Act 2003 (Cth) or if we reasonably believe there is a prospect of litigation relating to your Personal Information or dealings with us.
We aim to maintain our Services in a manner that protects information from accidental or malicious destruction. At the request of any client all data belonging to the requesting party can be removed from the system.
Anonymity
We will provide individuals the option of not identifying themselves, or of using a pseudonym, where it is lawful and practicable to do so. However, for most of our functions and activities we usually need your name and contact information and enough information about the matter to enable us to handle your inquiry, request, complaint, or application fairly and efficiently, or to act on your report.
Breaches of Privacy
Notification
Clients, families, friends, or staff who have complaints about how we have dealt with personal information may apply for an internal review. Applications for an internal review may concern conduct a person believes is:
- A breach in information protection procedure,
- A breach in the code,
- An inappropriate disclosure by us of personal information.
Application for the internal review should be made in writing to the Privacy Officer. This application should be made within six months from the time the applicant became aware of the alleged breach or inappropriate disclosure.
Nomination of Internal Review Team
In receiving an application and conducting an internal review under the Privacy Act, we will nominate an investigation team within two weeks of receiving the complaint by the Privacy Officer.
Conducting the Internal Privacy Review
The internal review team will take the following steps in conducting the review:
- Assist the applicant as much as possible.
- Interview relevant staff, examine records, and obtain any other pertinent information on the circumstances of the alleged breach.
- Seek advice from court and legal service or from Office of the Australian Information Commissioner as required.
- Determine whether a breach of the Privacy Act has occurred and, if so, what harm or damage it has caused to the applicant.
- Prepare a report and submit the finalised investigation report to the Privacy Officer setting out the relevant facts, the conclusions reached and recommendations for action to be taken to resolve the complaint.
- If the outcome indicates a breach of the Privacy Act has been committed in line with the Notifiable Data Breach, the Privacy Officer will contact the Australian Information Commissioner regarding the finding and the corrective actions instituted.
- The Privacy Officer will indicate outcomes to the applicants and ensure that they are aware of the Office of the Australian Information Commissioner who can investigate privacy complaints from individuals about private sector organisations and government agencies.
Completion of Internal Privacy Review
Once an application for an internal review is received, the review will be completed as soon as reasonably practicable. If the review is not conducted within 60 days, the applicant can seek a review by the Privacy Officer. Once the review is completed, the Privacy Officer may decide to:
- Take no further action on the matter,
- Recommend a formal apology to the applicant,
- Take appropriate remedial action,
- Provide an understanding that the conduct will not occur again,
- Implement measures to prevent recurrence of the conduct.
Notifiable Data Breaches Scheme
Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) Scheme is a federal scheme. Organizations are required to disclose certain information breaches to those impacted by the infringement, and to the Australian Information Commissioner.
Instances of information violations include:
- Devices and documents that contain private and confidential information, either lost or stolen,
- Unapproved entry by an employee to personal information,
- Unintentional release of private and confidential information. For example, an email accidentally being sent to the wrong person,
- Release of private information to a scammer because of lacking methods for identification confirmation.
Other Reporting Requirements
Breaches of information may also affect reporting obligations beyond the Privacy Act 1988, such as:
- National Disability Insurance Scheme Quality Safeguard Commission,
- Government Departments of the Federal, State or Territory,
- Insurance providers,
- The Australian Securities and Investment Commission (ASIC),
- Australian Tax Office (ATO),
- The financial service sector of Equisent Disability Services Pty Ltd,
- Professional and regulatory organizations,
- The police or other law prosecution organizations.
How to contact us
If you have a query, concern, or complaint about the manner in which your personal information has been collected or handled by us or would like to request access to or correction of the personal information we hold about you, please contact us using the details provided below:
By mail: Unit 48/2 Slough Business Park Silverwater NSW 2128
By telephone: 0403 018 000
By email: info@connectingfamilies.com.au
Further Information
We are committed to resolving any complaints and to ensuring that we are doing the right things by our clients. We will make all reasonable inquiries and your complaint will be assessed with the aim of resolving any issue in a timely and efficient manner.
If you have raised a complaint with us and you are unsatisfied with the outcome or have further concerns about the way we handle your personal information, under the Privacy Act, you may complain to the Information Commissioner at the Office of the Australian Information Commissioner using the contact details set out below:
- Phone: 1300 363 992
- Online: www.oaic.gov.au
- Email: enquiries@oaic.gov.au
- Mail: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001
Monitoring and Review
This policy and procedure will be reviewed every 12 months by the Quality and Compliance Coordinator. Reviews will incorporate staff, clients, families, stakeholders, and subject matter experts’ feedback.
Version Control
- Version 1.0, 1st February 2023: This is the first version of this policy. Document Author: Risk and Compliance Manager.
- Version 2.0, 8th February 2024: Policy review and revising the organisation chart. Document Author: Quality and Compliance Coordinator.
References
- Children and Young Persons (Care and Protection) Act 1998.
- Children and Young Persons (Care and Protection) Regulation 2022.
- Child Protection Act 1999 (QLD).
- Health Records Act 2001 (Vic).
- Health Records and Information Privacy Act 2002 (NSW).
- Information Privacy Act 2009 (QLD).
- Privacy Act 1988 (Cth).
- Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
- Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).
Related Documents
- Information Management Policy and Procedure.