Privacy Policy
Purpose and Scope
The purpose of this policy and procedure is to set out staff responsibilities relating to collecting, using, protecting and releasing personal information in compliance with privacy legislation.
This policy and procedure apply to all:
Can Support staff;
aspects of Can Support business; and
staff and client personal and health information.
This policy and procedure should be read in conjunction with Can Support Records and Information Management Policy and Procedure, and meets relevant legislation, regulations and standards as set out in Schedule 1, Legislative References.
Documents relevant to this policy and procedure:
Consent Form
Records and Information Management Policy and Procedure
Continuous Improvement Register
Client Handbook
Privacy Statement
Privacy Audit Form
Definitions
Health information – Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.
Personal information – Recorded information (including images) or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained.
Sensitive information – Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political party, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practices, or criminal record.
Policy
Privacy and confidentiality are of paramount importance to Can Support. Can Support recognises the importance of protecting the personal information of individuals. clients’ right to privacy and confidentiality is recognised, respected and protected in all aspects of their contact with Can Support. All clients (or their legal representatives) have the right to decide who has access to their personal information.
Can Support will collect, use and disclose information in accordance with relevant state and federal privacy legislation. All staff are responsible for upholding Can Support’ privacy and confidentiality responsibilities.
Can Support will only collect information necessary for safe and effective service delivery. It will only use information collected for the purpose it was collected and secure it appropriately. Information related to clients will not be released to other individuals or services without informed consent from the client or their representative, or in exceptional circumstances.
Procedures
Can Support must provide adequate and appropriate secure storage for personal information collected by staff (see Can Support’ Records and Information Management Policy and Procedure).
The Director is responsible for ensuring Can Support complies with the requirements of the Privacy Principles as outlined in the Health Records and Information Privacy Act 2002 (NSW), and, where applicable, the Privacy Act 1988 (Cth) by developing, reviewing and implementing processes and practices that identify:
how people can consent to their information being collected;
what information Can Support collects about individuals, and the source of the information;
why and how Can Support collects, uses and discloses the information;
who will have access to the information; and
risks in relation to the collection, storage, use, disclosure or disposal of and access to personal and health information collected by Can Support.
Can Support will review its privacy and confidentiality arrangements annually, through a Privacy Audit.
All staff will receive formal induction and ongoing training in privacy, confidentiality and information management. Staff knowledge and application of confidentiality and privacy principles will be monitored on a day-to-day basis and through annual Performance Reviews. Additional on-the-job and formal training will be provided to staff where required.
Staff are responsible for complying with this policy and procedure and their responsibilities in relation to collecting, storing, using, disclosing and disposing of personal and health information, in accordance with this policy and procedure.
Staff must keep personal information of clients, other staff and other stakeholders confidential, in accordance with the confidentiality provisions in their employment or engagement contract.
When collecting personal information from clients or their representatives, staff must explain:
what information is required;
the occasions when information may need to be released;
why information is being collected and how it will be used;
their right to decline providing information;
their rights in terms of providing, accessing, updating and using personal information, and giving and withdrawing consent;
who or where their information may be disclosed; and
the consequences (if any) if all or part of the information required is not provided.
Prior to collecting information, staff must obtain consent from the client or their legal representative, using the relevant Consent Form where required. Information must be collected sensitively and within lawful limits and only for a specific purpose.
Staff must respect people’s choices about being photographed or videoed and ensure images of people are used appropriately. This includes being aware of cultural sensitivities and the need for some images to be treated with special care.
Clients must be provided with Can Support’ Privacy Statement and informed that a copy of the complete policy is available on request. The Privacy Statement is to be prominently displayed and included in Can Support’ Client Handbook.
Staff will provide information to clients about their privacy and confidentiality in ways that suit clients’ individual communication needs. This includes using the language, mode of communication and terms that the client is most likely to understand. Methods include providing written information in Easy English, explaining information either face-to-face or over the phone and using interpreters and advocates.
Client and Representative Privacy and Confidentiality
Clients and their representatives are responsible for:
providing accurate information when requested;
maintaining the privacy of any personal or health information provided to them about others, such as contact details;
completing all consent and permission forms and returning them to the service in a timely manner;
being sensitive and respectful to other people who do not want to be photographed or videoed; and
being sensitive and respectful of the privacy of other people in photographs and videos when using and disposing of them.
Can Support will only request and retain personal or health information that is necessary to:
assess a potential client’s eligibility for a service;
provide a safe and responsive service;
monitor the services provided; and
fulfil contractual requirements to provide non-identifying data and statistical information to a funding body.
Information Can Support collects includes, but is not limited to:
contact details for clients and their representatives;
details for emergency contacts and persons authorised to act on behalf clients;
clients’ health status and medical records;
medication records;
service delivery intake, assessment, monitoring and review information;
service delivery records, plans and observations;
external agency information;
feedback and complaints;
incident reports; and
consent forms.
Access
Client and their representative’s information may be accessed by relevant staff with a genuine need to know.
Individuals have the right to:
request access to personal information Can Support holds about them, without providing a reason for requesting access;
access this information; and
make corrections if they consider the information is not accurate, complete or up to date.
There are some exceptions set out in the Privacy and Personal Information Protection Act 1998 (NSW), where access may be denied in part or in total. Examples of some exemptions are where:
the request is frivolous or vexatious;
providing access would have an unreasonable impact on the privacy of other individuals;
providing access would pose a serious threat to the life or health of any person; and
the service is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.
If an individual requests access to or the correction of personal information, within a service benchmark of 2 working days (and no more than 45 days after receiving the request), staff will:
provide access, or reasons for the denial of access;
correct the personal information, or provide reasons for the refusal to correct the personal information; or
provide reasons for the delay in responding to the request for access to or correction of personal information.
Information storage
Personal files are kept in secure cloud servers protected and printed documents are secure filing cabinet in a private room, which is kept locked outside of operational hours. Computerised records are stored safely and secured with a password for access. Personal files are available for viewing upon request.
Information disclosure
Client personal and health information will only be disclosed:
for medical treatment or emergency;
to outside agencies with the clients’ permission;
with written consent from person/s with lawful authority; or
when required by Commonwealth Law, or to fulfil legislative obligations such as mandatory reporting.
If a staff member is in a situation where they believe that they need to disclose information about a client that they ordinarily would not disclose, they should seek the advice of a Management Team member before making the disclosure.
Staff Privacy and Confidentiality
Staff information Can Support collects includes, but is not limited to:
tax declaration form;
employment / engagement contract;
personal details;
emergency contact details;
medical details;
Police and Working with Children Check records;
Qualifications;
First Aid, CPR and Anaphylaxis certificates;
medical history;
personal resume;
payroll information; and
Superannuation details
Access
Staff information may be accessed the Management Team.
Staff have the right to:
request access to personal information Can Support holds about them, without providing a reason for requesting access;
access this information; and
make corrections if they consider the information is not accurate, complete or up to date.
There are some exceptions set out in the Privacy and Personal Information Protection Act 1998 (NSW), where access may be denied in part or in total. Examples of some exemptions are where:
the request is frivolous or vexatious;
providing access would have an unreasonable impact on the privacy of others;
providing access would pose a serious threat to the life or health of any person; and
the service is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.
If an individual requests access to or the correction of personal information, within a service benchmark of 2 working days (and no more than 45 days after receiving the request), staff will:
provide access, or reasons for the denial of access;
correct the personal information, or provide reasons for the refusal to correct the personal information; or
provide reasons for the delay in responding to the request for access to or correction of personal information.
Information storage
Staff records are maintained by the Director in a locked filing cabinet in their office, which is kept locked outside of operational hours. Computerised records are stored safely and secured with a password for access.
Information disclosure
Staff personal and health information will only be disclosed:
for emergency medical treatment;
to outside agencies with the person’s or for child participants, parent or guardians’ permission;
with written consent from someone with lawful authority; or
when required by law, or to fulfil legislative obligations such as mandatory reporting.
Privacy Audits
Can Support will conduct annual privacy audits as per its External Audit and Internal Review Schedule.
The audit will be based on Can Support Privacy Audit Form and review:
what sort of personal information Can Support collects, uses, stores and discloses;
how Can Support safeguards and manages personal information, including how it manages privacy queries and complaints; and
how personal information that needs to be updated, destroyed or erased is managed.
Monitoring and Review
This policy and procedure will be reviewed at least every two years by the Management Team. Reviews will incorporate staff, client and other stakeholder feedback.
Can Support’ Continuous Improvement Register will be used to record identified improvements and monitor the progress of their implementation. Where relevant, this information will be fed into Can Support’ service planning and delivery processes.