Policies & Procedures | Privacy and Confidentiality
As an organisation we regularly discuss, review and retain personal and sensitive information. This activity or exposure is central to our day-to-day operations. The Privacy and Confidentiality Policies and Procedures have been developed to support Ability Connect staff, our clients, their families and other service providers. This document identifies the way in which Ability Connect protects personal and other confidential information.
– Transparency about how we will collect, hold, manage and handle customer, employee or client information;
– Outline how we will disclose this policy to all stakeholders; and
– Internal quality programs support the outlined processes and procedures.
The Ability Connect Director is responsible for ensuring the content of this document and the external documents that it references are accurate, current and reflective of industry best practice qualitative standards.
Ability Connect is committed to protecting the privacy of personal information which the organisation collects, holds and administers about various stakeholders including, but not limited to, clients and employees. Personal information will not be disclosed to any unauthorised third party without the consent of the individual.
All personal information, including sensitive information, collected by Ability Connect, is collected in accordance with the Privacy Act 1988 (Cth), with its thirteen Australian Privacy Principles. It is also collected in compliance with the National Disability Service Standards and Article 22 of the United Nations Convention of the Rights of Persons with Disabilities (together, the “Principles and Standards”).
As a client of Ability Connect you have the right to have your information managed in accordance with the Principles and Standards. As an employee you have the right to have your information managed in accordance with the Principles. This means Ability Connect will ensure the following:
- We will keep your personal information private and secure regardless of the format that the information is obtained, retained or recorded;
- We will only collect information that is necessary for the provision of support services, or for the operation of our business;
- We will ask and obtain your permission prior to sharing your personal information with a third party;
- We will provide reasonable access to all the information that Ability Connect has kept about you and complete all requests within 5 working days;
- We will provide clear written as well as verbal explanation for any information we decline to provide you and for any information that you may not competently understand within 5 working days from the date of your request;
- We will ensure we amend information that you have demonstrated is inaccurate, incomplete, irrelevant or not current within 24 hours (1 working day) of your notification.
Personal Information Must Never Be Used For Personal Gain
Ability Connect takes reasonable steps to protect any personal information received from clients, families, employees or other service providers. These steps apply to the way the organisation collects, stores, uses or discloses these types of information. The type of information we collect, and the way we use this will depend on the individual’s relationship with Ability Connect (e.g. as a client, family member/carer, employee or other service provider).
All Ability Connect staff must comply with the standards and processes detailed in this policy and must not release personal information without proper authorisation to do so.
- Types of personal information collected and/or retained by the organisation
- Approach the organisation applies in order to keep personal information secure
- How we collect personal information
- Purposes for which personal information is collected, stored, used and disclosed
- How individuals are able to access, update or correct their personal information
- Our service practice approach and time frame in supporting a request for personal information.
- How an individual can make a complaint if they feel Ability Connect has breached the Australian Privacy Principles.
A breach of this policy by an employee may result in disciplinary action up to and including termination of employment, or other appropriate sanctions, including legal action.
“Australian Privacy Principles (APP)”:
– The APP are legally binding principles which establish the privacy protection framework in the Privacy Act 1988 (Cth);
– The APP outline standards, rights and obligations in relation to handling, holding, accessing and correcting personal information; and
– The APP apply to most Australian Government agencies and some private sector organisations.
The APPs are grouped into five parts to reflect the personal information lifecycle:
– Part 1 — Consideration of personal information privacy
– Part 2 — Collection of personal information
– Part 3 — Dealing with personal information
– Part 4 — Integrity of personal information
– Part 5 — Access to, and correction of, personal information
• “Personal information” – is any information or an opinion about an individual who has been identified, or an individual who is reasonably identifiable. Personal information we collect may include:
• De-identified information – personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’. Generally, de-identification includes:
1) Removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information,
2) Removing or altering other information that may allow an individual to be identified, for example, a unique characteristic of the individual.
De-identification may not altogether remove the risk that an individual can be re-identified.
• Sensitive information – is part of the personal information about an individual, and includes health information, and other sensitive information such as opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record
• Reasonable Steps – it is the responsibility of Ability Connect to be able to justify that reasonable steps were taken in all actions.
• Government identifier – an identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
Application of Privacy Principles within Ability Connect
Consideration of Personal Information Privacy
Open, Honest and Transparent Management of Information
b. All clients will be advised by the Ability Connect employee that we have a complete Privacy and Confidentiality Policy and that on request it can be provided to them at any time.
c. Ability Connect Management will ensure that the policy is easy to read, remains up-to-date and readily accessible to all stakeholders.
e. Ability Connect has procedures for dealing with privacy related inquiries and complaints; please refer to the Ability Connect Complaints and Feedback Policies and Procedures.
Collection of Personal Information
What personal information we collect
Ability Connect may only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities. The personal information we collect is generally limited to:
• an individual’s name;
• identification documents;
• address, telephone or mobile number;
• date of birth;
• bank account details and/or employment details.
However, we may also collect sensitive information from you with your consent, such as where we ask for information about your health.
How we collect personal information
Ability Connect will only collect personal information:
• when you give it to us, such as via any forms, phone, email, or any comments or feedback;
• when someone you consent to giving information gives it to us, such as where you have authorised a family member or guardian;
• where we are required or authorised to collect it by law and it is impracticable to obtain it directly from you.
Why do we collect your personal information?
We collect your personal information to:
• communicate with you in relation to any enquiry;
• conduct our business and enable your use of our services; and
• in some cases, comply with our legal obligations such as record keeping.
When we disclose personal information
We take reasonable precautions to protect your personal information, including against loss, unauthorised access, disclosure, misuse or modification.
We generally will not disclose your personal information unless:
• you consent;
• we are required or authorised by law; or
• it is reasonably necessary for one of the purposes for which we collect it.
We will only disclose your sensitive information for the purpose for which you gave it to us, or for directly related purposes that you would reasonably expect or if you otherwise agree.
Ability Connect may only collect sensitive information where:
Where it receives unsolicited personal information, Ability Connect must decide within a reasonable period of time whether that personal information about an individual could have been lawfully collected by us, and:
– If not, and the information is not contained within a Commonwealth record, Ability Connect will, as soon as practicable, but only if lawful and reasonable to do so, destroy the information or ensure the information is de-identified.
Notification of Collection
At the time of collection, or as soon as reasonably practical afterwards, Ability Connect will make all reasonable efforts to make the individual aware of the following:
1) Ability Connect is the collector of the personal information;
2) of contact details, telephone number and email address, for the person responsible for collecting and handling the information;
3) how, when and from where the personal information was or will be obtained;
4) if the collection is required or has been authorised by law;
5) the purposes for which the information has been collected and how it will be used;
6) any consequences if all or part of the personal information is not obtained or retained;
7) the organisations (or the types of organisations) to which Ability Connect may disclose the personal information and the reason behind this;
8) whether the personal information will be transferred overseas and, if practicable or known, to which countries and why this may occur;
Who will have access to the personal information?
Ability Connect staff and workers will have access to the personal information.
If an individual becomes concerned about how Ability Connect handles their personal information, or believes that Ability Connect has breached the APP, they are entitled to make a complaint using various means:
I. directly to Ability Connect – please refer to the Ability Connect Complaints and Feedback Policy and Procedure. The organisation manages all complaints in line with our Complaints Procedure, a copy of which is available on request.
II. to the Office of the Australian Information Commissioner (OAIC). Further information is available on their website: http://www.oaic.gov.au/privacy/privacy-complaints
Handling of Personal Information
Special circumstances of Disclosure
Ability Connect can only use or disclose personal information for the primary purpose for which it was collected. Where the information is sensitive information, Ability Connect may only use that information for a primary purpose or a directly related purpose the individual has consented to.
Personal information may be used by Ability Connect for a secondary purpose but only in the following circumstances:
– consent has been obtained to do so; or
– there is a reasonable expectation that Ability Connect would need to use or disclose the secondary information and the information is related to the primary purpose, or is required or authorised by an Australian law, tribunal or court order.
Special situations outlined by the law provide the organisation with the ability to use some of the personal information in special situations without personal consent. In these situations, Ability Connect will comply with the relevant Australian Privacy Principle or Rules made by the Privacy Commissioner.
Some of these situations are:
– we reasonably believe the use or disclosure is necessary to reduce or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
– there is reason to suspect an individual may have done something unlawful or engaged in serious misconduct that relates to our organisational functions or activities, and the organisation deems there is a reasonable risk and there is a need to disclose the information so that it can take appropriate action;
– Ability Connect reasonably believes that the use or disclosure of the information is reasonably necessary for enforcement related activities. Detailed file notes will be recorded by the organisation outlining if we have disclosed the information, when it was disclosed, who it was provided to, the means in which it was provided and the reason for providing this.
– Ability Connect has an obligation under a Commonwealth contract; we will be required to comply with the obligation regardless of whether or not an individual has consented to the use or the disclosure.
Personal information about an individual will only be used for direct marketing where an exception applies under the law. In every situation where the organisation is permitted to use or disclose personal information for direct marketing, Ability Connect will seek the consent of the individual prior to proceeding. Ability Connect will honour the decision of the individual.
Personal information (other than sensitive information) about an individual will only be used for direct marketing where there is a reasonable expectation that the individual would expect Ability Connect to disclose the information for direct marketing purposes.
If Ability Connect uses or discloses personal information about an individual for direct marketing, the individual may ask the organisation to stop sending direct marketing communications, and Ability Connect will comply with the request within 7 days after receiving it unless exceptional circumstances apply.
The individual may request that Ability Connect provide details of where his or her personal information came from (e.g. which other organisation referred the information); the organisation will comply with this request within 7 days if reasonable to do so. There will be no charge applied to these requests.
Ability Connect will only send information overseas if it has taken reasonable steps to ensure the transferred information will be held, used or disclosed by the recipient organisation consistent with the APP.
Adoption, Use or Disclosure of Government Identifiers
Ability Connect will not adopt a government related identifier of an individual as its own identifier of the individual unless the adoption of the government related identifier is required or authorised by law or a court/tribunal order and we will not use or disclose a government related identifier of an individual unless:
– disclosure of the identifier is reasonably necessary for Ability Connect to fulfil its obligations to an agency or a State or Territory authority; or
– the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
– some of the ‘special situations’ under the law allow the use or disclosure. In each case, if it does this, Ability Connect will comply with the relevant APP or Rules made by the Privacy Commissioner. Some of these ‘special situations’ are where we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
– there may be reason to suspect an individual may have performed or engaged in something unlawful or serious misconduct that relates to Ability Connect functions or activities, and the organisation identifies that it needs to disclose the information so that it can take appropriate action;
– Ability Connect reasonably believes that the use or disclosure of the information is reasonably necessary for an enforcement related activity. All actions taken by Ability Connect will be documented; or
– Ability Connect has been provided with consent to share the information for the purpose of undertaking the relevant client service.
Integrity of personal information
Quality of Personal Information
Ability Connect will apply best practice measures to ensure that the personal information it collects is accurate, complete, up-to-date and relevant, having regard to the purposes for the use or disclosure of the personal information that is collected.
Security of Personal Information
Ability Connect will take all reasonable steps to protect the personal information it holds from misuse, interference (which may include measures to protect against computer attacks), loss, unauthorised access, modification or disclosure.
Client management records (that include personal, sensitive and health information) are stored on a central database – the Case Management System. Each client’s records are assigned to a particular handler depending on their service, program and experience requirements. All referrals are triaged by the Ability Connect Director or Service Manager and then assigned to the appropriate case handler. Client information can only be accessed by Ability Connect workers.
– Within each team, workers have different levels of access to client information, which is determined by their role within the team (Function Based Security)
– Ability Connect Management Team have access to the full database and functions
Client records stored on the Case Management System are not able to be deleted or removed. Where a client leaves the program/service or is deceased their records can be de-activated. However, records need to be retained in line with legislated or relevant government organisational time frames.
Access to, and correction of, personal information.
Access to personal information
Ability Connect will provide access to any personal information that we retain about that person upon request. There are some circumstances where we may refuse the request. The following grounds outline the situations that would require us to refuse the request:
– there are reasonable grounds to suspect providing information would pose a serious threat to the life, health or safety of any individual, public health or public safety;
– providing the information would have an unreasonable impact upon the privacy of other individuals;
– the information relates to existing or anticipated legal proceedings between Ability Connect and the individual, and the information would not be provided through the process of discovery in those proceedings;
– providing access would be unlawful;
– denying access is required or authorised by or under an Australian law or a court/tribunal order;
– providing access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Correction of Personal Information
Ability Connect will take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.
We will comply with the APP and:
• take reasonable steps to notify other APP entities of a correction to an individual’s personal information;
• respond to a request for correction or to associate a statement;
• not charge an individual for making a request, correcting personal information or associating a statement;
If Ability Connect refuses to change or correct personal information when requested to do so by an individual, the decision not to make the correction will be provided in writing, with supporting reasoning, as well as the actions that the individual can take to lodge a review or formal complaint of the decision.
Special considerations apply to Commonwealth records, which can only be destroyed or altered in accordance with the Archives Act 1983.
Confidentiality of Corporate information
Confidential information includes, but is not limited to, the following stored in any form or manner (except where it is or has been made generally known by the organisation to the public or is otherwise already in the public domain):
– Any information about, and any documents relating to, our commercial clients and/or the people we support.
– Any information about and any documents relating to our workers.
– Information in any personnel or employment manuals, policy documents and/or quality assurance manuals (or similar documents) developed from time to time by the organisation.
– The investigation of any matter and the materials contained in any investigation reports.
– Any information and documents relating to our strategy, business plans, budgets and/or financial position.
– Any information about our suppliers and/or price lists of such suppliers.
– Any information from any supplier listing services, goods or products used by the organisation.
– Any information about the method of presentation or supply of services.
– Any information, research programs, concepts or results connected with any proposed or new services that may be supplied by Ability Connect before the general introduction or availability to the public of that service.
– Any information in connection with any advertising and promotional activities proposed to be undertaken by or for the organisation prior to the general introduction of that advertising or promotional material to the public or prior to such advertising and promotional activity first being undertaken.
– Any information maintained in any database maintained by the organisation in connection with its business.
– Any information, know how or expertise relating to the business of the organisation, including knowledge, whether or not it is the product of any research concerning investment opportunities.
– Any information about the contents of any training programs or materials used in any training proposed or undertaken by us relating to training of our workers.
– Any information about any new or proposed trademark, service mark, patent or copyrighted work that it is intended to introduce for use in the business prior to the lodging of any relevant application.
Confidential corporate information must be securely stored in a manner that protects the confidentiality of the information. All workers must keep corporate information confidential and not disclose it without the prior written consent of the Ability Connect Director.
Permission for service participant or employee participation in research programs must be referred to the Ability Connect Director for consideration and approval.
Reference Documents Revision History – the Following Acts as at July 2020.
Privacy Act 1988
Australian Privacy Principles
NSW Disability Act 1993
Disability Service Standards
United Nations Convention of the Rights of Persons with Disabilities – Article 22
Archives Act 1983
AC Corporate Internal Quality Training Process
Management Activity Supporting Ability Connect Employees
All employees will be provided with a copy of Ability Connect’s Privacy Processes and Procedures Policy as part of their induction.
All employees will be required to sign a term of acknowledgement statement identifying that they have:
– Read the Policy and Procedures,
– Understand the Policy and Procedures; and
– Are able to apply their knowledge of the Policy, its processes and Procedures.
Employees who are unable to declare the above through written agreement due to competency issues will need to undergo internal training and will be unable to action any Ability Connect related employee or client information until the above competency has been achieved.