Privacy Policy

How ACSO collects, uses and stores client personal information


ACSO acknowledges that privacy is a fundamental human right and has a legal and ethical obligation to protect our clients right to privacy.

ACSO provides a range of services, such as assessments, counselling, case work and residential services. To provide these services effectively, ACSO need to collect personal information of those accessing our services such as name, address and telephone number. We also need to collect sensitive information such as details about health and background information which help us to understand service needs.

Access and Correction of Personal Information 

If you would like to request access to your personal information that ACSO holds, or correct information please contact ACSO’s Privacy Officer via:



Mail: 1 Hoddle Street,

Richmond VIC  3121

In accordance with ACSO’s privacy policy and procedures, please submit a Request for personal information form outlining details of your request to ACSO’s Privacy Officer.


i. Clients have a right to access and correct their personal information held by ACSO. ACSO will provide a client, or their requested representative with access to their personal information upon request, except in specific circumstances as outlined within the applicable privacy laws. Requests to access client personal information will be actioned and completed within 28 business days of receiving the request.

Where ACSO holds personal information about an client and the client is able to establish that information is incorrect, ACSO must take reasonable steps to correct information as soon as is practicable but within 30 days of the request.


When making a correction:

  • Record the date and the name of the person making the correction; and

  • If the incorrect information has previously been provided to a third party, notify them of the correction.

ii. If ACSO however denies access or correction to such information, then ACSO will provide the individual with reasons for such decision and advise the individual of mechanisms available to complain about the decision. In the event that ACSO and an individual disagree about the veracity of the personal information held by ACSO, then if requested by the individual, ACSO will take reasonable steps to record a statement relating to the disputed information on the record where the information appears. (Refer to 'Data retention' above in relation to requests to delete information.)

iii. All clients engaging in ACSO’s services will be provided with information about how to make a complaint should they not agree with ACSO’s decision to deny access or correction to their personal information, or they become aware or suspect their privacy has been breached. All complaints, including complaints made on a clients behalf will be responded to according to ACSO’s Feedback Management Policy.

iv. An individual may complain about ACSO's handling of personal information. ACSO’s complaints resolution processes will endeavour to be fair and equitable. The privacy, confidentiality and dignity of the complainant shall be maintained. All complaints shall be investigated and followed up promptly and courteously by the Complaints Officer with active engagement of the complainant and/or their representative.


Privacy: Refers to personal information that is held by ACSO and is protected from unauthorised access or disclosure. It is information given to ACSO under an obligation not to disclose that information to others unless there is a statutory requirement or duty of care obligation to do so.

Personal information: Defined in the Privacy Act 1988 (Privacy Act) as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and

  • whether the information or opinion is recorded in a material form or not. For example: a person's name, address, marital status or family history.

Sensitive information: A subset of personal information and is defined as information or an opinion (that is also personal information) about an individual that includes race or ethnic origin, offending history, sexual preference, religious beliefs or affiliations or health information.

Informed consent: Obtaining permission before information is obtained, used or shared. It is giving the client clear and understandable information about the type of personal information that will be requested for collection, how it will be used and stored so the client can decide what information they would like to share and give consent in full knowledge of the possible outcomes by providing their personal information.

Policy Implementation Guidelines


Collection and Use of Personal Information

To provide services, ACSO may only collect and use client personal information for the purposes for which it has been collected, the type of information may include:

  • Identifying information such as name, address, telephone number, place and date of birth, gender, nationality, ethnicity, language spoken

  • Next of kin details, including place and date of birth of parents and siblings, family and relationship background information, name and contact details for significant others, guardianship information.

  • Accommodation and respite support details, carer’s details and transport requirements.

  • Billing details for payment

  • Sensitive information such as support requested and provided, psychosocial history, counselling reports, court reports, behavioural history, likes and dislikes and interests, photos and videos of activities, assessment and therapy sessions.

  • Special needs information including type, extent and support required, need assessment information, health details including medical records, medical summaries, medication reviews and history, and daily activity reports

  • Program specific paperwork, forms and reports.

    The purposes for collecting and using client personal information may include:

  • Providing a service to a client

  • Referral other organisation’s services

  • Assessment of support needs

  • Risk reduction

  • Incident management and reporting

  • Service planning and improvement

Consent to Collect and Use Personal Information

ACSO may only collect, use or discloses personal information it has collected and holds, for the primary purpose in which it was collected, where there is client consent. For example, to provide a service

Personal information may be used or disclosed for a secondary purpose when;

  • A client consents and it is authorised or permitted by law

  • Where the client would reasonably expect the use or disclosure of the secondary purpose

  • Where it is related to the primary purpose

  • It is permitted to do so by an exception under the relevant privacy laws. For example, use or disclosure may be permitted where it is reasonably necessary to lessen or prevent a serious or imminent threat to an individual's life, health safety or welfare.

  • Unlawful activity or serious misconduct has occurred or alleged

ACSO collects personal information through fair and lawful means and must be collected from the client directly, unless this is unreasonable or impracticable. Where this can’t occur, personal information must be collected in ways associated to service delivery. For example, via referral information or the clients care team.

Where client personal information is collected from someone else (where there is client consent or permitted by privacy based laws), ACSO will take reasonable steps to ensure that the client is informed of the personal information collected and the circumstances of the collection. Clients do not need to be informed where so would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence. There are circumstances where federal, state and territory privacy laws require or allow ACSO to obtain or share sharing without client consent.

Informed Consent

Informed consent, in writing or verbal, must be obtained from clients engaging in ACSO’s services at first contact, in order to collect and use their information, and to share their information with other services and agencies. Only then will essential and relevant details be shared.

ACSO are to provide the following information to clients about the way ACSO uses and stores their information:

  • Purpose of collecting their client information and how it will be used, including whom ACSO will share the information.

  • That consent is voluntary and can be withdrawn at any time.

  • Limits to privacy of client information. For example, mandatory reporting and limits to withdrawn consent

  • How clients can access or amend their personal information

  • How clients can make a complaint if they feel their privacy has been breached

Clients’ informed consent is to be obtained in writing through the completion of ACSO’s ‘Release and Obtain Information Form’ (ROI). Clients’ ROI’s are valid whilst ACSO is delivering services to the client, or for a maximum period of 12 months. After 12 months, the completion of a new ROI will be completed. Where client consent cannot be obtained in writing, For example, telephone based services are provided, informed consent will be obtained verbally and the ACSO employee who collected the consent will complete the ROI over the phone with the client. The ROI’s will be stored in the client’s case file within their client file.

Clients have the right to withdraw their consent to the collection or use of all or part of their personal information at any time. If a client requests to withdraw their consent, the relevant employee will:

  • Discuss the reasons for the withdrawn and any implications for service delivery with the client. For example, ACSO may be unable to arrange support services for the client.

  • Record the withdrawn consent in a case note in the clients file.

Clients also have the right to anonymity by using an alias or not identifying themselves during engagement with ACSO, where it is lawful and practicable.

A unique identifier (combination of letters and/or number) is assigned to client files to identify the client for the purposes of operation. ACSO will not adopt a government assigned individual identifier number e.g. Medicare number as if it were its own identifier.

Dealing with Unsolicited Personal Information

If ACSO receives unsolicited information, it must determine whether it could have collected the information legally (see section 'When personal information may be collected' above).

If ACSO determines that it could not have legally collected that information, then ACSO must destroy the information or de- identify the information as soon as practicable, but only if it is lawful to do so. This does not apply to information in a Commonwealth government record. If ACSO determines that it could have collected the unsolicited personal information, ACSO may retain that information.

Data Security and Data Retention 

Data Security 

ACSO will take reasonable steps to ensure client information will be protected against loss, unauthorised access, use, modification or disclosure.

  • ACSO will take reasonable steps to make sure that personal information ACSO holds is accurate, complete, up to date, not misleading and remains relevant to its functions or activities.

  • All client records will be kept securely in password-protected electronic client management systems, electronic folders and/or locked filing cabinets, to be accessed only by ACSO employees with authority to do so. The system has security measures in place that are designed to safeguard the personal information from loss, misuse, unauthorised access and disclosure.

  • ACSO employees are required to ensure that all information held by ACSO remains secure against unauthorised access. This includes personal information about individuals as well as any other information about ACSO's operations that is not already public knowledge. Information about ACSO's commercial agreements and how it performs them must also be kept confidential and protected from unauthorised access or disclosure.

  • Client information in paper or electronic form must not be transported out ACSO locations unless authorised and it is necessary to do so (for example, transporting between ACSO locations to Correctional facilities) When necessary, the documents should be transported securely in locked bag or password protected electronic device. Documents must not be left in cars overnight.

  • Copies of documentation containing client personal information may only be made if necessary:

    • For an above purpose, and the risks have been considered and mitigated, or

    • To meet legal or contractual requirements. For example, a subpoena

  • If ACSO discloses personal information to a third party, reasonable steps must be taken to prevent unauthorised use or disclosure by the third party.

  • ACSO does not generally transfer personal information overseas. ACSO may only transfer personal information interstate or overseas if it is permitted to do so under the relevant laws. It will be necessary to comply with the requirements under APP 8 of the Australian Privacy Principles and the relevant privacy laws in each state affecting by a proposed transfer of information interstate or overseas.

Data Retention

ACSO must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose, unless an exception applies. For example:

  • The information is in a Commonwealth government file;

  • Health service provider files must be retained for at least 7 years after the last health service they provide (and until the individual is at least 25 years old), and ACSO must retain records of the individual's name, the period covered and the deletion date once those files are deleted;

  • ACSO must not otherwise delete health information unless permitted or required by law.

Privacy Data Breaches

ACSO will manage the process of dealing with actual or suspected data breach in accordance with the national Notifiable Data Breach Procedure which complies with Privacy Amendment (Notifiable Data Breaches) Act 2017.

This policy will be reviewed at least every two years. ACSO reserves the right to change the terms of this Privacy Policy from time to time, without notice.  

Last updated: 23 Mar 2021