Your privacy is your fundamental human right
ACSO and McCormack Housing (‘The Group’) acknowledges that privacy is a fundamental human right and has a legal and ethical obligation to protect our clients’ right to privacy. The Group provides a range of services, such as assessments, counselling, case work and residential services. In order to provide these services effectively, we need to collect personal information of those accessing our services such as name, address and telephone number. We also need to collect sensitive information such as details about health and background information which help us to understand service needs. The purpose of this policy is to outline the Group’s management of client personal and sensitive information.
This policy applies to all personal information about clients collected, used, stored and destroyed by the Group (electronic or hard copy).
Throughout this policy, ‘personal information’ will refer to personal and sensitive information.
This policy will guide the collection, use, storage and disposal of client personal information held by ACSO to ensure our practices comply with privacy laws, contractual obligations and maintain confidence with our external stakeholders.
Access to Personal Information
You have a right, with limited exceptions, to access any personal information we hold about you. For example, obtaining a copy of a letter confirming your engagement with the Group or a copy of your assessment report.
With evidence of your consent documented, an authorised representative can access your personal information, on your behalf.
Government bodies and organisations have the right to access an individual’s personal information, without consent under relevant legislation where we are mandated to share information. For example, in response to the receipt of a subpoena. Or, when the criteria of information sharing schemes that permits us to share information has been satisfied, such as Multi-Agency Risk Assessment and Management Framework (MARAM).
Under the Privacy Act and APP 12, we reserve the right to deny or limit access to personal information when we have a valid reason, such as where giving access would be unlawful, have a reasonable impact on the privacy of other individuals and where giving access would pose a serious threat to the safety and wellbeing of an individual.
Privacy: Refers to personal information that is held by the Group and is protected from unauthorised access or disclosure. It is information given to the Group under an obligation not to disclose that information to others unless there is a statutory requirement or duty of care obligation to do so.
Personal information: Defined in the Privacy Act 1988 (Privacy Act) as information or an opinion about an identified individual, or an individual who is reasonably identifiable:
· Whether the information or opinion is true or not; and
· Whether the information or opinion is recorded in a material form or not. For example: a person’s name, address, marital status or family history
Sensitive information: A subset of personal information and is defined as information or an opinion (that is also personal information) about an individual that includes race or ethnic origin, offending history, sexual preference, religious beliefs or affiliations or health information.
Informed consent: Obtaining permission before information is obtained, used or shared. It is giving the client clear and understandable information about the type of personal information that will be requested for collection, how it will be used and stored so the client can decide what information they would like to share and give consent in full knowledge of the possible outcomes by providing their personal information.
Group People: Refers to third party contractors, consultants, students and volunteers.
Roles and Responsibilities
Board and Executive team: Responsible for ensuring this policy is implemented at an organisational level.
Senior Leadership team: Responsible for ensuring this policy is implemented at a program level.
Leadership team (Program Managers and Team Leaders):
- Promoting the rights of client’s privacy in line with all privacy policies and procedures
- Ensuring the Group employees follow the privacy policies and procedures
- Reporting on privacy breaches raised through their services
- In consultation with the Privacy Officer, assisting in responding to privacy queries, complaints and breaches and making recommendations and providing advice to the CEO and where necessary the Board and Board Committee
- Using trend data to identify and act upon opportunities for service improvements
Privacy Officers (Quality and Risk): Responsible for monitoring and reviewing privacy related processes in the Group services which includes:
- Providing consultation to stakeholders regarding privacy related matters and best practice
- Leading any response to privacy about the Group services determined, making recommendations and providing advice to the CEO and where necessary the Board and Board Committees
The Group Employees and People:
- Promoting the rights of client’s privacy in line with all privacy policies and procedures
- Ensuring that the privacy, confidentiality and dignity of clients is always maintained
- Ensuring compliance with the Group’s privacy policies and procedures
- Ensuring that clients are aware of their right to access their personal information and make a privacy complaint
- Ensuring potential or actual privacy breaches are reported to leaders immediately
- If necessary and appropriate, assisting a client to make a privacy complaint
- Collect client personal information only that is relevant to the provision of assistance to the person concerned
Workplace Privacy Guidelines
The Group Employees and People Privacy
The Group Employees’ and People’s (EP) personal information which relates to their employment with the Group is exempt from the Privacy Act. However, the Group will collect, use, store, share and destroy the EP’s personal information in a manner that aligns with the Australian Privacy Principles (APP’s), which underpin the Privacy Act and with due care. The Group will only collect, access and store EP’s personal information when it is necessary and related to employment purposes. There may be times where the Group is meeting its employment obligations, under the Fair Work Act 2009. Information that directly relates to the employment relationship can includes things such as the EP’s skills, performance, conduct, and their terms of employment.
Contractors' Access to Personal Information
Working from Home Standards
Working from home can pose increased or new types of privacy risks, such as those we share our homes with being able to view personal and sensitive information where workstations are not set up in a secure setting. To mitigate the risks of privacy breaches and to ensure cyber safety when working from home, the Group EP’s must continue to work in accordance with all aspects of this policy to ensure personal and sensitive information is protected against unauthorised access.
Policy Implementation Guidelines
Collection and Use of Personal Information
To provide services, the Group may only collect and use client personal information for the purposes for which it has been collected, the type of information may include:
- Identifying information such as name, address, telephone number, place and date of birth, gender, nationality, ethnicity, language spoken
- Next of kin details, including place and date of birth of parents and siblings, family and relationship background information, name and contact details for significant others, guardianship information
- Accommodation and respite support details, carer’s details and transport requirements
- Billing details for payment
- Sensitive information such as support requested and provided, psychosocial history, counselling reports, court reports, behavioural history, likes and dislikes and interests, photos and videos of activities, assessment and therapy sessions
- Special needs information including type, extent and support required, need assessment information, health details including medical records, medical summaries, medication reviews and history, and daily activity reports
- Program specific paperwork, forms and reports
The purposes for collecting and using client personal information may include:
- Providing a service to a client
- Referral other organisation’s services
- Assessment of support needs
- Risk reduction
- Incident management and reporting
- Service planning and improvement
Consent to Collect and Use Personal Information
The Group may only collect, use or disclose personal information it has collected and hold, for the primary purpose in which it was collected, where there is client consent. For example, to provide a service.
Personal information may be used or disclosed for a secondary purpose when;
- A client consents and it is authorised or permitted by law
- Where the client would reasonably expect the use or disclosure of the secondary purpose
- Where it is related to the primary purpose
- It is permitted to do so by an exception under the relevant privacy laws. For example, use or disclosure may be permitted where it is reasonably necessary to lessen or prevent a serious or imminent threat to an individual’s life, health, safety or welfare
- Unlawful activity or serious misconduct has occurred or alleged
The Group collects personal information through a fair and lawful means and must be collected from the client directly, unless this is unreasonable or impracticable. Where this can’t occur, personal information must be collected in ways associated with service delivery. For example, via referral information or the client’s care team.
Where client personal information is collected from someone else (where there is client consent or permitted by privacy-based laws), the Group will take reasonable steps to ensure that the client is informed of the personal information collected and the circumstances of the collection. Client do not need to be informed where so would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence. There are circumstances where federal, state and territory laws require or allow the Group to obtain or share without client consent.
Informed consent, in writing or verbal, must be obtained from clients engaging in the Group’s services at first contact, to collect and use their information, and to share their information with other services and agencies. Only then will essential and relevant details be shared.
Informed Consent - Minors (Children and Young People)
The Group will protect an individual’s personal information in line with this policy regardless of their age. In accordance with the Privacy Act 1988, the Group does not specify an age after which an individual can make their own privacy decisions. However, a child aged under 15 years is presumed to not have capacity to consent. For consent to be valid, an individual must have capacity to consent (APP B.56; Refer to section 6.3 Informed Consent).
Programs where services are delivered to children and young people will decide on a case-by-case basis if a client under the age of 18 has the capacity to consent.
Generally, a client under the age of 18 has the capacity to consent if they have the maturity to understand the private discussion occurring. If they lack maturity, the Group may determine it is more appropriate for a parent or guardian to consent on their behalf (APP B.57).
In relation to the second paragraph, if it is not practical or reasonable for the Group to assess the capacity of the individuals under the age of 18 on a case by case basis, the Group can presume that a client aged 15 or over has the capacity to consent, unless there is something to suggest something otherwise.
Dealing with Unsolicited Personal Information
If the Group received unsolicited information, it must determine whether it could have collected the information legally (see section ‘When personal information may be collected’ above).
If the Group determines that it could not have legally collected that information, then it must destroy the information or de-identify the information as soon as practicable, but only if it is lawful to do so. This does not apply to information in a Commonwealth government record. If the Group determines that it could have collected unsolicited information, it may retain that information.
The Group will take reasonable steps to ensure client information will be protected against loss, unauthorised access, use, modification or disclosure.
- The Group will take reasonable steps to make sure that the personal information it holds is accurate, complete, up to date, not misleading and remains relevant to its functions or activities
- All client records will be kept securely in password-protected electronic client management systems, electronic folders and/or locked filing cabinets, to be accessed only by the Group’s EP with authority to do so. The system has security measures in place that are designed to safeguard personal information from loss, misuse, unauthorised access and disclosure
- The Group’s EP is required to ensure that all information held by the Group remains secure against unauthorised access. This includes personal information about individuals as well as any other information about the Group’s commercial agreements and how it performs them must also be kept confidential and protected from unauthorised access or disclosure
- Client information in paper or electronic form must not be transported out of the Group’s locations unless authorised and it is necessary to do so (for example, transporting between the Group locations to Correctional facilities). When necessary, the documents should be transported securely in a locked bag or password protected electronic device. Documents must not be left in cars overnight.
- Copies of documentation containing client personal information may only be made if necessary:
- For an above purpose, and the risks have been considered and mitigated, or
- To meet legal or contractual requirements. For example, a subpoena
- If the Group discloses personal information to a third party, reasonable steps must be taken to prevent unauthorised use or disclosure by the third party
- The Group does not generally transfer personal information overseas. The Group may only transfer personal information interstate or overseas if permitted to do so under the relevant laws. It will be necessary to comply with the requirements under APP 8 of the Australian Privacy Principles and the relevant privacy laws in each state affecting by a proposed transfer of information interstate or overseas
Clean Desk Policy
To improve the security and confidentiality of data, the Group has adopted a Clean Desk Policy which all Group EP’s must comply with, regardless of whether they are working from home or a hub. Maintaining a clean desk reduces the risk of privacy/data breaches in ACSO or McCormack Housing, as it will decrease the likelihood of internal and external unauthorised access to personal or sensitive information (client, EP and the Group’s intellectual property).
‘Clean desk’ refers to how all Group Eps are required to maintain their workspace, computer, mobile devices, printed materials and access cards to enhance privacy and security information. This policy establishes requirements for how the Group EP should handle personal and sensitive information and materials (client, EP and the Group’s intellectual property) regardless of their workspace. The policy applies to the use of computers, mobile devices, printed materials, and access cards, as well as for how workspaces should be maintained.
The Group must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose, unless an exception applies. For example:
- The information is in a Commonwealth government file;
- Health service provider files must be retained for at least 7 years after the last health service they provide (and until the individual is at least 25 years old), and the Group must retain records of the individual’s name, the period covered and the deletion date once those files are deleted;
- The Group must not otherwise delete health information unless permitted or required by law
Access and Correction of Personal Information
Clients have a right to access and correct their personal information held by the Group. The Group will provide a client, or their requested representative with access to their personal information upon request, except in specific circumstances as outlined within the applicable privacy laws. Requests to access client personal information will be actioned and completed within 28 business days of receiving the request.
Requests to access client personal information can be forwarded by by the Group’s Privacy via completing the online form available on ACSO’s website: Request to access personal information form
Additionally, requests to access and correct personal information can be forwarded to the Group’s Privacy Officer, via:
Mail: Privacy Officer
1 Hoddle Street,
Richmond, VIC 3121
Where the Group holds personal information about a client and the client can establish that information is incorrect, the Group must take reasonable steps to correct information. When making a correction:
- Record the date and the name of the person making the correction; and
- If the incorrect information has previously been provided to a third party, notify them of the correction
If the Group however denies access or correction to such information, then the Group will provide the individual with reasons for such decision and advise the individual of mechanisms available to complain about the decision.
In the event that the Group and an individual disagree about the veracity of the personal information held by the Group, then if requested by the individual, the Group will take reasonable steps to record a statement relating to the disputed information on the record where the information appears.
Privacy Data Breaches
The Group will manage the process of dealing with actual or suspected data breach in accordance with the national Notifiable Data Breach Procedure which complies with Privacy Amendment (Notifiable Data Breaches) Act 2017.
Policy Implementation Monitoring
Cross-reference to Accreditation Standards
- QIC Health and Community Services Core Module standard 1.6, 1.7, 2.4
- Human Services Standards, standard 4
- NDIS Practice Standards and Quality Indicators July 2018 in its 8.0 National Disability
ACSO and McCormack Housing will comply with all relevant Federal and State legislation.
This policy will be reviewed at a minimum of every two years.