Privacy Policy

OUR PRIVACY POLICY

PRIVACY AND CONFIDENTIALITY POLICY & PROCEDURE

Purpose and Scope

The purpose of this policy and procedure is to set out staff responsibilities relating to collecting, using, protecting and releasing personal information in compliance with privacy legislation. This procedure meets relevant legislation, regulations and standards as set out in Schedule 1, Legislative References for NDIS Services. Relevant legislation, regulations and standards for Aged Care - Home Care are listed below.

This policy and procedure applies to all:

Empowering Angels’s staff;
aspects of Empowering Angels’s business; and
staff and client personal and health information.

This policy and procedure should be read in conjunction with Empowering Angels’s Records and Information Management Policy and Procedure.

NDIS documents relevant to this policy and procedure:

Records and Information Management Policy and Procedure
Continuous Improvement Register
Client Handbook
Privacy Statement
Privacy Audit Form

Definitions

Health information - Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.

Personal information - Recorded information (including images) or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained.

Sensitive information - Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political party, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practices, or criminal record.

Policy

Privacy and confidentiality are of paramount importance to Empowering Angels. Empowering Angelsrecognises the importance of protecting the personal information of individuals. Clients’ right to privacy and confidentiality is recognised, respected and protected in all aspects of their contact with Empowering Angels. All clients or their legal representatives have the right to decide who has access to their personal information.

Empowering Angelswill collect, use and disclose information in accordance with relevant state and federal privacy legislation. All staff are responsible for upholding Empowering Angels’s privacy and confidentiality responsibilities. Empowering AngelsPrivacy Policy & Procedure Date of issue: 14/01/2024

Empowering Angelswill only collect information necessary for safe and effective service delivery. It will only use information collected for the purpose it was collected, and secure it appropriately. Information related to clients will not be released to other individuals or services without informed consent from the client or their representative, or in exceptional circumstances.

Procedures

Empowering Angelsmust provide adequate and appropriate secure storage for personal information collected by staff (see Empowering Angels’s Records and Information Management Policy and Procedure).

The General Manager is responsible for ensuring Empowering Angelscomplies with the requirements of the Privacy Principles as outlined in the Health Records and Information Privacy Act 2002, and, where applicable, the Privacy Act 1988 by developing, reviewing and implementing processes and practices that identify:

how people can consent to their information being collected;
what information Empowering Angelscollects about individuals, and the source of the information;
why and how Empowering Angelscollects, uses and discloses the information;
who will have access to the information; and
risks in relation to the collection, storage, use, disclosure or disposal of and access to personal and health information collected by Empowering Angels.

Empowering Angelswill review its privacy and confidentiality arrangements annually, through a Privacy Audit.

The General Manager must immediately notify the NDIS Commission and/or relevant state government agency if they become aware of a breach or possible breach of privacy legislation.

All staff will receive formal induction and ongoing training in privacy, confidentiality and information management. Staff knowledge and application of confidentiality and privacy principles will be monitored on a day-to-day basis and through annual Performance Reviews. Additional on-the-job and formal training will be provided to staff where required.

Staff are responsible for complying with this policy and procedure and their responsibilities in relation to collecting, storing, using, disclosing and disposing of personal and health information, in accordance with this policy and procedure.

Staff must keep personal information of clients, other staff and other stakeholders confidential, in accordance with the confidentiality provisions in their employment or engagement contract.

When collecting personal information from clients or their supporters, staff must explain:

what information is required;
the occasions when information may need to be released;
why information is being collected and how it will be used;
their right to decline providing information;
their rights in terms of providing, accessing, updating and using personal information, and giving and withdrawing consent;
who or where their information may be disclosed; and
the consequences (if any) if all or part of the information required is not provided.
providing accurate information when requested;
maintaining the privacy of any personal or health information provided to them about others, such as contact details;
completing all consent and permission forms and returning them to the service in a timely manner;
being sensitive and respectful to other people who do not want to be photographed or videoed; and
being sensitive and respectful of the privacy of other people in photographs and videos when using and disposing of them.

Prior to collecting information, staff must obtain consent from the client or their supporter, using the relevant Consent Form where required.

Information must be collected sensitively and within lawful limits and only for a specific purpose. Staff must collect

Staff must respect people’s choices about being photographed or videoed and ensure images of people are used appropriately. This includes being aware of cultural sensitivities and the need for some images to be treated with special care;

Clients and their families must be provided with Empowering Angels’s Privacy Statement and informed that a copy of the complete policy is available on request. The Privacy Statement is to be prominently displayed and included in Empowering Angels’s Client Handbook.

Staff will provide information to clients about their privacy and confidentiality in ways that suit clients’ individual communication needs. This includes using the language, mode of communication and terms that the client is most likely to understand. Methods include providing written information in Easy English, explaining information either face-to-face or over the phone and using interpreters and advocates. Where a client is a child, Empowering Angelswill provide information to their family in the language, mode of communication and terms that they are most likely to understand.

Client and Representative Privacy and Confidentiality

Clients and their representatives and families are responsible for:

Empowering Angelswill only request and retain personal or health information that is necessary to:

assess a potential client’s eligibility for a service;
provide a safe and responsive service;
monitor the services provided; and
fulfil contractual requirements to provide non-identifying data and statistical information to a funding body.

Information Empowering Angelscollects includes, but is not limited to:

contact details for clients and their representatives or family members;
details for emergency contacts and persons authorised to act on behalf clients;
clients’ health status and medical records;
medication records;
service delivery intake, assessment, monitoring and review information;
service delivery records, plans and observations.;
external agency information;
feedback and complaints;
incident reports; and
consent forms.

Access

Client and their representative’s or family’s information supporter information may be accessed by relevant staff with a genuine need to know.

Individuals have the right to:

request access to personal information Empowering Angelsholds about them, without providing a reason for requesting access;
access this information; and
make corrections if they consider the information is not accurate, complete or up to date.

There are some exceptions set out in the Privacy and Personal Information Protection Act 1998, where access may be denied in part or in total. Examples of some exemptions are where:

the request is frivolous or vexatious;
providing access would have an unreasonable impact on the privacy of other individuals;
providing access would pose a serious threat to the life or health of any person; and
the service is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.

If an individual requests access to or the correction of personal information, within a service benchmark of 2 working days (and no more than 45 days after receiving the request), staff will:

provide access, or reasons for the denial of access;
correct the personal information, or provide reasons for the refusal to correct the personal information; or
provide reasons for the delay in responding to the request for access to or correction of personal information.

Information Storage

Personal files are kept in a secure filing cabinet in a private room, which is kept locked outside of operational hours. Computerized records are stored safely and secured with a password for access. Personal files are available for viewing upon request. Empowering AngelsPrivacy Policy & Procedure Date of issue: 14/01/2022

Information Disclosure

Client personal and health information will only be disclosed:

for medical treatment or emergency;
to outside agencies with the clients’ or parent or guardians’ permission;
with written consent from person/s with lawful authority; or
when required by Commonwealth Law, or to fulfil legislative obligations such as mandatory reporting.

If a staff member is in a situation where they believe that they need to disclose information about a client that they ordinarily would not disclose, they should seek the advice of a Management Team member before making the disclosure.

Staff Privacy and Confidentiality

Staff information Empowering Angelscollects includes, but is not limited to:

tax declaration form;
employment / engagement contract;
personal details;
emergency contact details;
medical details;
Police and Working with Children Check records;
Qualifications;
First Aid, CPR and Anaphylaxis certificates;
medical history;
personal resume;
payroll information; and
Superannuation details

Access

Staff information may be accessed the Management Team.

Staff have the right to:

request access to personal information Empowering Angelsholds about them, without providing a reason for requesting access;
access this information; and
make corrections if they consider the information is not accurate, complete or up to date.

There are some exceptions set out in the Privacy and Personal Information Protection Act 1998, where access may be denied in part or in total. Examples of some exemptions are where:

the request is frivolous or vexatious;
providing access would have an unreasonable impact on the privacy of others;
providing access would pose a serious threat to the life or health of any person; and
the service is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.

If an individual requests access to or the correction of personal information, within a service benchmark of 2 working days (and no more than 45 days after receiving the request), staff will:

provide access, or reasons for the denial of access;
correct the personal information, or provide reasons for the refusal to correct the personal information; or
provide reasons for the delay in responding to the request for access to or correction of personal information.

Information Storage

Staff records are maintained by the General Manager, supported by the Administration Manager, in a locked filing cabinet in their office, which is kept locked outside of operational hours. Computerized records are stored safely and secured with a password for access.

Information Disclosure

Staff personal and health information will only be disclosed:

for medical treatment or emergency;
with written consent from the staff member; or
when required by Commonwealth Law, or to fulfil legislative obligations such as mandatory reporting

Privacy Audits

Empowering Angelswill conduct annual privacy audits as per its External Audit and Internal Review Schedule.

The audit will be based on Empowering Angels’s Privacy Audit Form and review:

what sort of personal information Empowering Angelscollects, uses, stores and discloses;
how Empowering Angelssafeguards and manages personal information, including how it manages privacy queries and complaints; and
how personal information that needs to be updated, destroyed or erased is managed.

Monitoring and Review

This policy and procedure will be reviewed at least biennially by the Management Team. Reviews will incorporate staff, client and other stakeholder feedback.

Annual satisfaction surveys will include questions regarding:

satisfaction with Empowering Angels’s privacy and confidentiality processes;
whether stakeholders have received adequate information about privacy and confidentiality; and
the extent to which clients and their supporters feel their privacy and confidentiality has been protected.

Empowering Angels’s Continuous Improvement Register will be used to record identified improvements and monitor the progress of their implementation. Where relevant, this information will be fed into Empowering Angels’s service planning and delivery processes.