Privacy Policy

PRIVACY AND CONFIDENTIALITY POLICY

V2.0 - Approved 16/09/2020 by GMO - Due to be reviewed 16/09/2023

Purpose of Policy

Olivia’s Place, in providing health and related support services, will comply with Commonwealth and Victorian State legislative and regulatory requirements in protecting client, staff and volunteer information that is deemed to be private.

Policy Guidelines

Olivia’s Place will undertake the responsible handling of personal, sensitive, client and health information. This includes any referral made and received, with client consent being retained in their file.

Privacy and managing private information are aspects of effective management and clinical governance.

In accordance with the Code of Ethics (part 2A), the organisation recognises the right to privacy of all personnel, clients, and those with whom they come into professional contact.

Staff may have access to confidential information; this information must be treated with respect and the privacy of individuals maintained, unless otherwise required by law.

Access, by a client or their authorised representative, to records held about a client shall be facilitated through a face-to-face meeting, or the completion of a request for information form signed by the applicant.

A staff member or volunteer wishing to see their personnel files shall be permitted to do so under a process described on the following pages. It is noted that these records are exempt from privacy legislation. Information may be anonymously shared between Olivia’s Place personnel for the purpose of training and education.

 

Definitions

‘Information’ means personal information and/or health information as applicable.

‘Privacy’ is the act of remaining private, including not divulging another person’s personal information, and the right to exercise control over one’s personal information. Privacy can range from physical (for example, bag searching, DNA sampling), to information (the way in which organisations, including governments, handle personal information), to freedom from excessive surveillance (in personal spaces and detracting from an individual’s right to go about their daily life).

‘Confidential’ is defined as ‘entrusted with private information and the confidence of another’ and refers to information that is given in confidence or in secret. It is also a level of official classification for documents, above restricted and below secret. This means only authorised people have access to the documents or information that are relevant for them to conduct their function or duties.

‘Client’ is the recipient of care and support from Olivia’s Place.

‘Authorised person’ is one who is authorised by a client or a person in law to apply for information to be released.

Procedures

Policy Exceptions

Personal information will be released in accordance with mandated notification requirements to relevant Government bodies or Police.

Record Keeping and Security of Records

Personnel will maintain notes and statistical data on forms and restricted access software provided. Notes are to be sufficient in detail to track the sequence and nature of professional services rendered and consistent with any legal or organisational requirement. The security of such notes is to be maintained in accordance with the requirements of confidentiality.

All written notes are to be locked securely in a place without public access. Computer records are to be password protected and all computers to have up-to-date virus and firewall protection if the computer is ever used to connect to the internet.

Passwords are not to be given to unauthorised personnel. Passwords should be changed periodically and must be changed upon relevant staff turnover.

The General Manager Operations or Program Coordinators with appropriate authorisation may request access to files for such purposes as Performance Reviews or to ensure continuity of client care during staff absence.

Health Information

The Health Records Act 2001 (Vic) is a Victorian law that protects health information when it is handled by public and private sector organisations in Victoria. Under this law, health information is:

a. information or an opinion about physical, mental, or psychological health;
b. information or an opinion about a disability; or
c. any personal information that is collected from the client while providing the client with a health service – for example, if a hospital collects details such as a person’s name when they arrive at an emergency department for treatment.

Australian Privacy Principles

The thirteen Australian Privacy Principles apply because health records are maintained by Olivia’s Place, and are supported by the Privacy and Data Protection Act (Vic) 2014.

APP1 - Open and transparent management of personal information

The client must be informed that the information is being collected, why it is being collected and who will be storing and using it. Olivia’s Place should also tell each client they can see and ensure the information is correct (Refer to APP13).

APP2 - Anonymity and pseudonymity

This provides that individuals must have the option of dealing anonymously or by pseudonym with an APP entity. An APP entity is not required to provide those options where:

  • the entity is required or authorised by law or a court or tribunal order to deal with identified individuals, or
  • it is impracticable for the entity to deal with individuals who have not identified themselves.

Anonymity means that an individual dealing with an APP entity cannot be identified and the entity does not collect personal information or identifiers, which does not apply to Olivia’s Place because of the services offered and provided.

APP3 - Collection of solicited personal information

When personal information is collected, the information must be collected for a lawful reasonable purpose and be directly related to the organisation’s activities and necessary for that purpose.

APP4 - Dealing with unsolicited personal information

Unsolicited personal information is personal information received where there have been no active steps to collect the information. This information, if not part of a Commonwealth record, must be de-identified or destroyed as soon as is practicable, meeting lawful requirements.

APP5 - Notice of the collection of personal information

Olivia’s Place must take reasonable steps, before or at the time it collects personal information, to inform why it is collecting the information and any consequences if the information is not collected. Information must be collected directly from the client, unless the client has given consent otherwise. Parents and guardians can give consent for minors.

APP6 - Use or disclosure of personal information

Olivia’s Place will only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies. Secondary purposes include consent being given to refer to another provider and if disclosure is required under Australian law (amongst other matters in APP6).

APP7 - Direct marketing

Olivia’s Place will not use or disclose personal information it holds for the purpose of direct marketing (direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services) unless an exception applies. The client must be able to request not to receive marketing information.

APP8 - Cross-border disclosure of personal information

Before any possible disclosure of personal information held by Olivia’s Place to an overseas entity or recipient, reasonable steps must be taken to ensure that the overseas recipient does not breach the APPs.

APP9 - Adoption, use or disclosure of government related identifiers

This APP restricts the adoption, use and disclosure of government related identifiers by organisations. An identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual. This APP is to restrict general use of government related identifiers by organisations so that they do not become universal identifiers. That could jeopardise privacy by enabling personal information from different sources to be matched and linked in ways that an individual may not agree with or expect.

APP10 - Quality of personal information

Olivia’s Place will take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. Further, any personal information that is used or disclosed, related to the purpose of the use or disclosure will be accurate, up-to-date, complete and relevant.

APP11 - Security of personal information

Olivia’s Place will take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Retention of personal information must also be considered.

Olivia’s Place will ensure information a client has provided will be disclosed only with client consent or if the client was told at the time the information was collected, that they would do so. Further, the organisation can only disclose sensitive information without the client’s consent in order to deal with a serious and imminent threat to any person’s health or safety. However, there are other limited circumstances in which this information may be disclosed.

Privacy Breaches

The Privacy and Data Protection Act 2014 (Vic) (the Act) regulates how personal information is handled within the Victorian public sector. If Olivia’s Place has collected information that was unsolicited and is not necessary for the functioning of Olivia’s Place, the information must, as soon as practicable, be destroyed or deleted and/or de-identified.

All privacy breaches must immediately be reported to the relevant manager. This includes both intentional and unintentional breaches. Program managers, in consultation with the General Manager of Operations will assess the identified breach and decide how it can be responsibly and reasonably managed. Any suspected breach of data security also must be reported to the General Manager of Operations. Olivia’s Place has a responsibility to ensure individual privacy rights are upheld and best practice is maintained when dealing with an individual's personal information.

APP12 - Access to personal information

Olivia’s Place must provide each client with enough details about what personal information they are storing, why they are storing it and what rights each client has to access it, without unreasonable delay and expense.

APP13 - Correction of personal information

Olivia’s Place will take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. Each client must be allowed to update, correct or amend personal information where the client believes there may be inaccuracies in the held information.

Client Information Request

Access, by a client or their authorised representative, to records held about a client shall be facilitated through a face-to-face meeting, or the completion of a request for information form signed by the applicant.

This access is based upon the APPs and the Privacy and Data Protection Act 2014 (Vic), under which a client can access their personal information or amend incorrect information about them. This Act applies to organisations that do not have to comply with the Freedom of Information Act 1982 (and amended in March 2020).

Staff or Volunteer Information Request

A staff member or volunteer wishing to see their personnel files shall be permitted to do so. It is noted that these records are exempt from privacy legislation. The process for current staff or volunteers is to:

  • Inform the General Manager Operations that they want to access their personnel file
  • The General Manager Operations will agree a suitable time to view the file
  • The General Manager Operations will ensure that any third-party information is blacked out from the contents of the file prior to the staff or volunteer sighting the record
  • If the staff member or volunteer does not agree with any of the file content or believes there is incorrect information within the file, they should advise this in writing to the General Manager Operations, who will then undertake a review and correction of information in the file, if the sighted information is incorrect.

For non-current staff member or volunteer requests to access their personnel file, application must be made in writing to the General Manager Operations.

 

References - External

Privacy Act Cwlth 1988

Privacy Amendment (Enhancing Privacy Protection) Act (including the Australian Privacy Principles) Cwlth 2012

Privacy Amendment (Notifiable Data Breaches) Act Cwlth 2017

Australian Human Rights Commission Act Cwlth 1986

Health Records Act Vic 2001

Information Privacy Act Vic 2000

Privacy and Data Protection Act Vic (including the Information Privacy Principles) 2014

Health Privacy Principles (HPP) (Vic)

Charter of Human Rights and Responsibilities Act Vic 2006

Protected Disclosures Act Vic 2012

Protected Disclosure Regulations Vic 2013

Enhancing Whistleblower’s Protections Act Vic 2019

Freedom of Information Act (Cwlth) 1982 and amended in March 2020.

 

References - Internal

Olivia’s Place Constitution

Code of Conduct

Records Management Policy

Consent Policy

Client Consent to Receive Services Form

Client Consent to Speak with Other Services Form

Olivia’s Place Rights and Responsibilities Services Brochure

Volunteer Handbook & Agreement