Privacy & confidentiality policy & procedure

This Privacy Policy is an extract from an internal Policy Document (PP.RR.0007_Privacy and Confidentiality PP last updated 01/06/2020). Please note this is subject to change. For more information on Privacy & Confidentiality, email feedback@alliancerehab.com.au.

Purpose and Scope

This policy and procedure sets out responsibilities relating to collecting, using, protecting and releasing personal information, in compliance with privacy legislation. It applies to all: 

  • Alliance Rehabilitation team members 
  • aspects of Alliance Rehabilitation’s operations  
  • team member and participant personal information  

This policy and procedure should be read in conjunction with Alliance Rehabilitation’s Records and Information Management Policy and Procedure. It meets relevant legislation, regulations and Standards as are included in the external documents register. 

Interaction of Applicable Legislation and Associated Definitions

Privacy Act 1988 (Cth) – regulates how personal information about individuals is handled. The Act includes thirteen Australian Privacy Principles (APPs). The APPs set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information. The Act protects the privacy of an individual’s information where it relates to Commonwealth agencies and private businesses (including not-for-profit organisations) with a turnover of more than $3 million. All organisations that provide a health service and hold health information (other than in a Team Member’s record) are covered by the Act. 

Health Information – personal information or an opinion about: 

  • the health, including an illness, disability or injury, (at any time) of an individual 
  • an individual’s expressed wishes about the future provision of health services to the individual 
  • a health service provided, or to be provided, to an individual 

that is also:  

  • Personal Information 
  • Other Personal Information collected to provide, or in providing, a health service to an individual 
  • Other Personal Information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances 
  • genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. 

Personal Information – information or an opinion about an identified individual, or an individual who is reasonably identifiable: 

  • whether the information or opinion is true or not 
  • whether the information or opinion is recorded in a material form or not. 

Sensitive Information – personal information or an opinion about an individual’s: 

  • racial or ethnic origin 
  • political opinions 
  • membership of a political association 
  • religious beliefs or affiliations 
  • philosophical beliefs 
  • membership of a professional or trade association 
  • membership of a trade union 
  • sexual orientation or practices 
  • criminal record 

that is also: 

  • Personal Information 
  • Health Information about an individual 
  • genetic information about an individual that is not otherwise health information  
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification 
  • biometric templates 

National Disability Insurance Scheme Act 2013 (Cth) – regulates how personal information about NDIS participants is handled by the National Disability Insurance Agency. This limits how the Agency collects and uses personal information and when and to whom information can be disclosed. The Agency must also comply with the Privacy Act 1988 (Cth). 

Protected Information – information: 

  • about a person that is or was held in the records of the Agency 
  • to the effect that there is no information about a person held in the records of the Agency. 

Queensland

Queensland has privacy legislation that applies only to its public sector, including public sector health service providers. The Information Privacy Act 2009 (Qld) regulates how personal information is handled by Queensland public sector agencies.  

Health Information – Personal information about an individual that includes any of the following: 

  • the individual’s health at any time 
  • a disability of the individual at any time 
  • the individual’s expressed wishes about the future provision of health services to the individual 
  • a health service that has been provided, or will be provided, to the individual 
  • personal information about the individual collected for the purpose of providing, or in providing, a health service 
  • personal information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances. 

Personal Information – information or an opinion, including information or an opinion forming part of a database, whether true or not and recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. 

Sensitive Information – Personal information about the individual that includes any of the following: 

  • the individual’s racial or ethnic origin 
  • the individual’s political opinions 
  • the individual’s membership of a political association 
  • the individual’s religious beliefs or affiliations 
  • the individual’s philosophical beliefs 
  • the individual’s membership of a professional or trade association 
  • the individual’s membership of a trade union 
  • the individual’s sexual preferences or practices 
  • the individual’s criminal record 
  • information that is health information about the individual 

Private sector service providers must comply with the Privacy Act 1988 (Cth) when handling health information.  

The Queensland Office of the Information Commissioner receives and conciliates complaints related to the privacy of health information.  

The Queensland Health Ombudsman can receive and investigate complaints about health services and health service providers, including registered and unregistered health practitioners. 

Policy 

Alliance Rehabilitation recognises, respects and protects everyone’s right to privacy, including the privacy of its participants and staff. All individuals (or their legal representatives) have the right to decide who has access to their personal information. 

Alliance Rehabilitation’s privacy and confidentiality practices support and are supported by its records and information management processes (see the Records and Information Management Policy and Procedure). Privacy and Confidentiality processes interact with the information lifecycle in the following ways: 

 

All Team Members are responsible for maintaining the privacy and confidentiality of participants, clients, other Team Members, Alliance Rehabilitation, and those members of the public who have entrusted their personal information and confidential information to Alliance Rehabilitation.  

Procedures 

General 

The Information Group (as per the current Activity Map) is responsible for ensuring Alliance Rehabilitation complies with the requirements of the Privacy Act 1988 (Cth) as well as any other relevant legislation, including that within the ‘Interaction of Applicable Legislation and Associated Definitions’. This includes developing, implementing, and reviewing processes that address: 

  • why and how Alliance Rehabilitation collects, uses and discloses personal information 
  • what information Alliance Rehabilitation collects about individuals and its source 
  • who has access to the information 
  • information collection, storage, access, use, disclosure and disposal risks 
  • how individuals can consent to personal information being collected, withdraw or change their consent and change information about them held by Alliance Rehabilitation 
  • how Alliance Rehabilitation safeguards and manages personal information, including how it manages privacy queries and complaints  
  • how information that needs to be updated, destroyed or erased is managed. 

The Information Group reviews these processes regularly, through annual Privacy Audits as per the External Audit and Internal Review Schedule. 

All Team Members are responsible for complying with this policy and procedure and their privacy, confidentiality and information management responsibilities. Team members must keep personal information about participants, other team members and other stakeholders confidential, in accordance with the confidentiality provisions in their employment or engagement contract. 

As per Alliance Rehabilitation’s Human Resources Policy and Procedure, all Team Members must undergo Induction, which includes training in privacy, confidentiality and information management. Team Members’ knowledge and application of confidentiality, privacy and information management processes are monitored on a day-to-day basis and through annual Performance Reviews. Additional formal and on-the-job training is provided to Team Members where required. 

Alliance Rehabilitation’s Privacy Statement must be prominently displayed in Alliance Rehabilitation’s premises and website. 

A full copy of this policy and procedure must be provided upon request to any person (or the person’s representatives) about whom Alliance Rehabilitation holds personal or confidential information, or to any other person with the approval of the Corporate Governance Group (as per the current Activity Map). 

Photos and Videos

Photos, videos and other recordings are a form of personal information. Team Members must respect people’s choices about being photographed or videoed and ensure images of people are used appropriately. This includes being aware of cultural sensitivities and the need for some images to be treated with special care. 

Information Collection and Consent

Participant Information Collection and Consent 

Alliance Rehabilitation will only request personal information that is necessary to: 

  • assess a potential participant’s eligibility for a service 
  • provide a safe and responsive service 
  • monitor the services provided 
  • fulfil government requirements for non-identifying and statistical information 

Participant information that Alliance Rehabilitation collects includes, but is not limited to: 

  • contact details for participants and their representatives  
  • details for emergency contacts and people authorised to act on behalf of participants 
  • participants’ health status and medical records 
  • service delivery intake, assessment, monitoring and review information 
  • assessments, reviews and service delivery records 
  • external agency information 
  • feedback and complaints 
  • incident reports 
  • consent forms  
  • medication records

Prior to collecting personal information from participants or their representatives, team members must explain: 

  • that Alliance Rehabilitation only collects personal information that is necessary for safe and effective service delivery 
  • that personal information is only used for the purpose it is collected and is stored securely 
  • what information is required 
  • why the information is being collected and how it will be stored and used 
  • the occasions when the information may need to be shared and who or where the information may be disclosed to 
  • the participant’s right to decline providing information 
  • the participant’s rights in terms of providing, accessing, updating and using personal information, and giving and withdrawing their consent 
  • the consequences (if any) if all or part of the information required is not provided 

Participants must be provided with Alliance Rehabilitation’s Privacy Statement and informed that a copy of this policy and procedure is available on request.  

Team Members must provide privacy information to participants in ways that suit their individual communication needs. Written information can be provided in [different languages and Easy English] or explained verbally by staff. Team Members can also help participants access interpreters or advocates where required.  

After providing the above information, team members must use a Consent Form to: 

  • confirm the above information has been provided and explained  
  • obtain consent from participants or their legal representatives to collect, store, access, use, disclose and dispose of their personal information 

Where it is not possible for a Consent Form to be completed, team members must seek verbal consent and document this accurately in the participant record. This should be considered a last resort, used only when it is not at all possible to establish written consent. Where possible, the person seeking consent should ask a second witness to co-sign the record of verbal consent. 

Participants and their representatives are responsible for: 

  • providing accurate information when requested 
  • completing Consent Forms and returning them in a timely manner 
  • being sensitive and respectful to other people who do not want to be photographed or videoed 
  • being sensitive and respectful of the privacy of other people in photographs and videos when using and disposing of them 

NDIS Audits

Alliance Rehabilitation complies with the requirements of the National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guidelines 2018 whereby participants are automatically included in audits against the NDIS Practice Standards. Participants may be contacted at any time by an NDIS Approved Quality Auditor for an interview, or for their participant file and plans to be reviewed.  

Participants who do not wish to participate in these processes can notify any Team Member, who must inform the Information Group in writing. Their decision will be respected by Alliance Rehabilitation and will be documented in their participant file. Upon commencement of any audit process, Alliance Rehabilitation notifies its Approved Quality Auditor of participants who have opted out of the audit process. 

Team Member Information Collection and Consent

Team Member personal information that Alliance Rehabilitation collects includes, but is not limited to: 

  • tax declaration forms 
  • superannuation details 
  • payroll details 
  • employment / engagement contracts 
  • personal details 
  • emergency contact details 
  • medical details 
  • NDIS Worker Screening Checks, Police Checks and Working with Children Checks 
  • qualifications 
  • First Aid, CPR, Anaphylaxis and other relevant certificates 
  • personal resumes (to the extent that information contained within is considered personal information)

Where relevant, forms used to collect the above information will also obtain the team member’s consent to collect, store, access, use, disclose and dispose of their personal information. It is a condition of employment that team members consent to the collection, storage, access, use, disclosure and disposal of reasonable personal information regarding that team member for proper work-related and employment-related purposes.  

Storage

Refer to the Records and Information Management Policy and Procedure for details on how Alliance Rehabilitation securely stores and protects team members and participant personal information.  

Access

Team member personal information must only be accessed by members of the Corporate Governance Group, Clinical Governance Group, Clinical Coordination Group, Human Resources Group and Legal Group (as per the current Activity Map), who may only access the information if it is required in order to perform their duties. 

Team Members must only access participants’ personal information if it is required to perform their duties. 

Team Members and participants have the right to: 

  • request access to personal information Alliance Rehabilitation holds about them, without providing a reason for requesting access 
  • access this information 
  • make corrections if they believe the information is not accurate, complete or up to date 

All participant access or correction requests must be directed to the Clinical Governance Group or a relevant manager responsible for the maintenance of the participant’s personal information.  

All Team Member access or correction requests must be directed to the Human Resources Group. Within 2 working days of receiving an access or correction request, the responding Team Member will: 

  • provide access, or explain the reasons for access being denied 
  • correct the personal information, or provide reasons for not correcting it 
  • provide reasons for any anticipated delay in responding to the request 

An access or correction request may be denied in part or in whole where: 

  • the request is frivolous or vexatious 
  • it would have an unreasonable impact on the privacy of other individuals 
  • it would pose a serious threat to the life or health of any person 
  • it would reveal trade secrets, information sensitive to a negotiation, or strategic plans 
  • it would prejudice any investigations being undertaken by Alliance Rehabilitation or any investigations it may be the subject of 

Any participant access or correction requests that are denied must be approved by the Information Group AND the Clinical Governance Group and documented on the participant’s file. 

Any Team Member access or correction requests that are denied must be approved by the Human Resources Group or the Corporate Governance Group, and it must be documented on the Team Member’s file that a denial has occurred and for what reason. 

Disclosure

Participant or Team Member personal information may only be disclosed: 

  • for emergency medical treatment 
  • to outside agencies with the permission of the person or their representatives (or, for child participants, their parent or guardian) 
  • with written consent from someone with lawful authority 
  • when required by law, or to fulfil legislative obligations such as mandatory reporting 

If a team member is in a situation where they believe that they need to disclose information about a participant or other Team Member that they ordinarily would not disclose, they must consult the Information Group before making the disclosure. The Information Group may direct the team member to also seek the approval of the Corporate Governance Group or Clinical Governance Group.  

International Disclosure

Under the Privacy Act 1988, before Alliance Rehabilitation discloses personal information to an overseas recipient, it must take reasonable steps to ensure the overseas recipient does not breach Principle 8 of the Australian Privacy Principles (APPs).  

The Information Group is responsible for undertaking these investigations. The Information Group may also obtain assistance from the IT Group and Legal Group in investigations.  

This requirement does not apply if: 

  • the overseas recipient is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to protection given under the APPs, and 
  • there are mechanisms available to enforce that protection. 

Reporting

Notifiable Data Breaches Scheme 

The Notifiable Data Breaches (NDB) Scheme is a national scheme that operates under the Privacy Act 1988 (Cth). The NDB Scheme requires organisations to report certain data breaches to people impacted by the breach, as well as the Australian Information Commissioner. 

A data breach occurs when personal information about others is lost or subject to unauthorised access. A data breach may be caused by malicious action, human error or a failure in information management or security systems. 

Examples of data breaches include: 

  • loss or theft of devices (such as phones, laptops and storage devices) or paper records that contain personal information 
  • unauthorised access to personal information by a team member 
  • inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person 
  • disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures. 

In addition to harm caused to people who are the subject of data breaches, an incident like this may also cause Alliance Rehabilitation reputational and financial damage. 

Further detail about the NDB Scheme is contained in the Data Breach Preparation and Response — A Guide to Managing Data Breaches in Accordance with the Privacy Act 1988 (Cth), published by the Office of the Australian Information Commissioner (OAIC). 

Alliance Rehabilitation adopts the Data Breach Response Plan published by the Office of the Australian Information Commissioner (OAIC) and adapted for Alliance Rehabilitation use as appropriate with reporting to be directed to the Information Group. The Information Group must immediately inform the Corporate Governance Group if a data breach or NDB is suspected. The Privacy and Confidentiality Policy and Procedure contains Alliance Rehabilitation’s Data Breach Response Plan. 

Identifying a Notifiable Data Breach 

A Notifiable Data Breach, also called an ‘eligible data breach’, occurs when: 

  • there is unauthorised access to or disclosure of personal information, or information is lost in circumstances where unauthorised access or disclosure is likely to occur 
  • the disclosure or loss is likely to result in serious harm to any of the people that the information relates to. In the context of a data breach, serious harm may include serious physical, psychological, emotional, financial, or reputational harm 
  • Alliance Rehabilitation has been unable to prevent the likely risk of serious harm through remedial action 

All potential or actual data breaches must be reported to the Information Group, who will determine Alliance Rehabilitation’s response and whether the breach needs to be reported under the NDB Scheme. The Information Group must immediately inform the Corporate Governance Group if a data breach or NDB is suspected.  If Alliance Rehabilitation acts quickly to remediate a data breach and as a result it is not likely to result in serious harm, it is not considered a Notifiable Data Breach. Time is of the essence when responding to a data breach.  

Responding to a Data Breach 

If the Information Group suspects that a data breach is notifiable under the NDB Scheme, they must make an assessment to determine if this is the case. 

If the Information Group believes that the data breach is notifiable under the NDB Scheme, they must notify Alliance Rehabilitation’s Data Breach Response Team. This team comprises the Corporate Governance Group AND the Legal Group AND the Information Group AND IT Group AND Human Resources Group AND Marketing Group. 

  • Corporate Governance Group as Team Leader, responsible for leading the response team and acting as Project Manager, to coordinate the team, provide support to its members and provide risk management support, to assess the risks from the breach 
  • Legal Group to bring privacy expertise and legal support to the team, to identify legal obligations and provide advice 
  • IT Group as Information and Communication Technology (ICT) or forensics support, to help establish the cause and impact of a data breach that involves ICT systems 
  • Information Group to provide information and records management expertise, assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and provide advice on recording the response to the data breach 
  • Human Resources Group as Human Resources support, if the breach was due to the actions of a Team Member 
  • Marketing Group to provide media/communications expertise and assist in communicating with affected individuals and dealing with the media and external stakeholders. 

The Data Breach Response Team must notify all impacted individuals of the breach as soon as is practicable.  

All data breach incidents (whether notifiable or not) must be responded to in accordance with Alliance Rehabilitation’s Data Breach Response Plan and recorded in Alliance Rehabilitation’s Incident Register, with relevant actions tracked in its Continuous Improvement Register where appropriate.  

Where a breach is referred to the Data Breach Response Team, its response will be based on the following steps: 

  • Step 1: Contain the data breach 
  • Step 2: Assess the data breach and the associated risks 
  • Step 3: Notify individuals and the Australian Information Commissioner (where necessary) 
  • Step 4: Prevent future breaches 

Notifiable Data Breaches Involving More Than One Entity 

The NDB Scheme recognises that personal information is often held jointly by more than one entity. For example, one entity may have physical possession of the information, while another has legal control or ownership of it. Examples include: 

  • where information is held by a cloud service provider 
  • subcontracting or brokering arrangements 
  • joint ventures 

In these circumstances, an eligible data breach is considered the responsibility of both entities under the NDB Scheme. However, only one entity needs to take the steps required by the NDB Scheme and this should be the entity with the most direct relationship with the people affected by the data breach. Where obligations under the Scheme (such as assessment or notification) are not carried out, both entities will be in breach of the Scheme’s requirements. 

Other Reporting Requirements

The Corporate Governance Group must immediately notify the NDIS Commission and any relevant complaints body in ‘Interaction of Applicable Legislation and Associated Definitions’ if they become aware of a breach or possible breach of privacy legislation. 

Data breaches may also trigger reporting obligations outside of the Privacy Act 1988, such as to: 

  • Alliance Rehabilitation’s financial services provider; 
  • police or other law enforcement bodies; 
  • the Australian Securities and Investments Commission (ASIC); 
  • the Australian Prudential Regulation Authority (APRA) 
  • the Australian Taxation Office (ATO); 
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC); 
  • the Australian Cyber Security Centre (ACSC); 
  • the Australian Digital Health Agency (ADHA); 
  • Federal, State or Territory Government departments; 
  • professional associations and regulatory bodies; and 
  • insurance providers. 

Archiving and Disposal

Refer to the Records and Information Management Policy and Procedure for details on how Alliance Rehabilitation archives and disposes of participants’ personal information.  

Supporting Documents

Documents relevant to this policy and procedure include:  

  • Consent Form 
  • Records and Information Management Policy and Procedure 
  • Continuous Improvement Register 
  • Participant Handbook 
  • Privacy Statement 
  • Privacy Audit Form 

Monitoring and Review

This policy and procedure will be reviewed at least every two years by the Corporate Governance Group. Reviews will incorporate Team Member, participant, and other stakeholder feedback. 

Alliance Rehabilitation’s feedback collection mechanisms, such as Team Members and participant satisfaction surveys, will assess: 

  • satisfaction with Alliance Rehabilitation’s privacy and confidentiality processes 
  • whether stakeholders have received adequate information about privacy and confidentiality 
  • the extent to which participants and their supporters feel their privacy and confidentiality has been protected 

Alliance Rehabilitation’s Continuous Improvement Register will be used to record improvements identified and monitor the progress of their implementation. Where relevant, this information will be considered as part of Alliance Rehabilitation’s service planning and delivery processes. 
