
Privacy Policy

Information Management Policy and Procedure

Policy area: Information Management

Applicable to: Human Positive Behaviour Support

Version: V1

Date approved: 26/06/2025

Approved by: CEO/Director

Next review date: 26/6/26

Authority:

  • Privacy Act 1988

  • Australian Privacy Principles

  • Privacy Amendment (Notifiable Data Breaches) Act 2017

  • Australian state and territory privacy legislation

  • NDIS Act 2013

  • NDIS Practice Standards and Quality Indicators

  • UN Convention on the Rights of Persons with Disabilities

  • NDIS Code of Conduct

  • Aged Care Act 1997

  • Aged Care Quality and Safety Standards

  • Aged Care Code of Conduct

PURPOSE

The purpose of this policy is to explain our organisation’s commitment and approach to information management.

SCOPE

This policy applies to all our workers (employees, contractors and volunteers).

DEFINITIONS

Term

Definition

Data Breach

Unauthorised access to, or disclosure of, personal information. This includes a situation where personal information is lost and unauthorised access is likely to occur.

Official Records

These include:

  • service delivery records (e.g. client files, case/progress notes, support plans, service agreements, health reports, assessments, incident reports);

  • business activity records (e.g. written records on business support, project management, finances, quality and compliance);

  • human resource management records (e.g. worker files, incident reports, timesheets, worker training analysis, recruitment and selection criteria, position descriptions).

Official records are records which would ‘stand up in court’ and include email correspondence, work diaries and notebooks if they contain details of client or business interactions and records of decisions or actions.

Notifiable Data Breaches Scheme (see definition of ‘data breach’ above)

This scheme operates under the Office of the Australian Information Commissioner (OAIC). All organisations covered by the Privacy Act 1988 (Cth) must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. The notification to affected individuals must include recommended steps to take in response to the data breach. A data breach may include:

  • a device holding individuals’ personal information is lost or stolen;

  • a database with personal information is hacked; or

  • personal information is mistakenly given to the wrong person.

Under this Scheme, whether a breach is ‘likely to result in serious harm’ is an assessment that depends on factors such as the type and sensitivity of the information, whether the information is protected (for example by encryption) and the nature of the harm that may result from the breach.

Note: The Notifiable Data Breaches Scheme only applies to organisations with an annual turnover of $3 million or more, and therefore smaller providers do not have to report to the OAIC. This definition is included here as a guide to best practice in the event of a data breach.

Personal Information

This is defined in the Privacy Act 1988 as follows:

‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not;

  2. whether the information or opinion is recorded in a material form or not.’

It includes:

  • information about a person’s private or family life (e.g. name, signature, email address, phone number, date of birth, medical records, bank account details and employment details);

  • information about a person’s working habits and practices (e.g. work address, contact details, salary, job title);

  • commentary or opinion about the person (e.g. written comments by a referee, trustee, journalist).

Information that does not identify an individual or information that is not ‘about’ an identified individual is not included in ‘personal information’.

Sensitive Information

This is a type of ‘personal information’ and includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record. Health information is also classified as ‘sensitive information’.

CONTEXT

Our organisation recognises the importance of maintaining an effective and compliant information management system for safe and quality client service delivery and business activity operations. We also recognise the importance of keeping personal and sensitive information safe and secure.

POLICY STATEMENT

1. Compliance

  • We will maintain an information management system and processes that support compliance with applicable federal and state/territory legislation, regulations, standards and principles in relation to the collection, use, disclosure, retention and storage of personal and sensitive information.

  • We will ensure our information management system is proportionate to the size and scale of our organisation and the scope and complexity of services and supports provided.

2. Creation and Maintenance of Information and Records

  • We will create and maintain accurate and complete information and records.

  • We will maintain processes for document version control and ensure information from different sources is integrated, consistent and up to date.

  • We will maintain all required written client and worker consents and agreements.

3. Consent

  • We will seek informed consent from the client to collect, use, store and disclose their personal information (including assessments) to other parties.

  • We will ensure the client understands their right to change or withdraw their consent at any time and assist them to do this if requested.

4. Access, Distribution, Storage and Retention of Information and Records

  • We will provide the client with access to their personal information and assist them to correct or change their information, if requested.

  • We will provide access to client information to the client’s family/alternate decision-maker/advocate, with the client’s consent.

  • We will maintain processes to ensure client information is, with the client’s consent, communicated within the organisation to authorised workers and with others outside the organisation where responsibility for care is shared (e.g. client transitioning to another environment such as hospital, hospice, respite or residential facility).

  • We will provide worker and client access to the right information at the right time to ensure safe and quality service provision.

  • We will discuss with the client and/or family/alternate decision-maker/advocate, in a language, mode and method they are most likely to understand, circumstances when their personal information may be accessed by authorised personnel (law enforcement, official investigation, public health order).

  • We will maintain policies, procedures, forms and templates that are current, regularly reviewed, informed by contemporary evidence-based practices, and are understood and accessible by workers.

  • We will store personal information securely and take reasonable steps to protect it against misuse, loss, unauthorised access or interference.

  • We will retain records in accordance with legislative requirements. This includes disposal freezes and retention notices declared by bodies such as the National Archives of Australia and/or equivalent state/territory bodies that are in force from time to time.

5. Security of Information and Records

  • We will maintain processes to back up online data daily and conduct periodic testing of the backed-up data to check system integrity.

  • We will store hard copy records in an onsite locked filing cabinet.

  • We will maintain secure log-in credential processes to ensure that only current authorised workers have access to relevant online files, folders, drives and intranet sites.

  • We will implement a business continuity plan to ensure the security of information and records during and after an emergency or disaster event.

  • We will manage and report notifiable data breaches in accordance with legislative requirements and the Managing Data Breaches Procedure.

6. Complaints

  • We will discuss with the client their right to lodge a complaint, both internally in our organisation and externally to a regulator, if they have a concern about their personal and sensitive information and privacy and support them to do so if requested.

7. Reviewing and Monitoring Processes

  • We will conduct regular audits to ensure the integrity of our information management and privacy protection processes.

  • We will review and improve the effectiveness of our information management system.

  • We will maintain a Complaints Register and a Continuous Improvement Register with details, actions and outcomes of complaints and suggested improvements in relation to information management.

8. Worker Training and Supervision

  • We will maintain a skilled and trained workforce which is aware of the importance of accurate and complete record-keeping, security of personal and business information and data and human and legal rights in relation to privacy.

  • We will maintain processes to adequately monitor and supervise workers.

PROCEDURES

Managing Data Breaches

1. Identify Data Breach

1.1     Establish whether a data breach has occurred by considering the following criteria:

  • Is personal information involved?

  • Is the personal information sensitive in nature?

  • Has there been unauthorised access to, or disclosure of personal information?

  • Has personal information been lost in circumstances where unauthorised access to the information is likely?

2. Report the Data Breach

2.1     Notify the Privacy Officer/Data Breach Response team member of the actual, potential or suspected data breach.

2.2     If it is decided that the incident constitutes a notifiable data breach, complete a Data Breach Process Form within 48 hours of the data breach. This should include:

  • description of data breach;

  • summary of action(s) taken;

  • summary of outcomes from action taken; and

  • outline of processes taken to prevent recurrence.

2.3     Notify affected individuals in writing within 30 days of the data breach. Prepare a written statement containing:

  • our contact details;

  • a description of the data breach;

  • the type of information concerned; and

  • the recommended steps to mitigate the harm that may arise from the data breach.

3. Assess the Impact

3.1     Assess the severity of the impact of the data breach by considering:

  • the type and extent of personal information involved;

  • the number of individuals affected;

  • if the information is protected by security measures (e.g. password protection, encryption, multi-factor authentication);

  • type of person or entity that has unauthorised access;

  • whether there is, or may be, a significant risk of serious harm to the affected individual(s); and

  • if there will be or may be media or stakeholder attention due to the actual, potential or suspected data breach.

4. Further Actions

4.1     Take immediate corrective actions. This may include:

  • recovering personal information to the extent possible;

  • closing off further unauthorised access; and/or

  • shutting down or isolating technology systems.

4.2     Document all actions and evidence.

4.3     Engage an independent cyber security expert, if appropriate.

4.4     Develop a media communication strategy, if required.

4.5     Identify lessons learned and implement actions for continuous improvement.

SUPPORTING DOCUMENTS

  • Document Control Register

  • Data Breach Process Form

RESPONSIBILITIES

CEO/Director is responsible for:

  • maintaining this policy, its related procedures and associated documents;

  • ensuring the policy and procedure are effectively implemented across the service;

  • monitoring workers’ compliance with the requirements of this policy and procedure; and

  • ensuring training and information is provided to workers to carry out this policy and procedure.

All workers are responsible for complying with the requirements of this policy and procedure.


COMPLIANCE

Deliberate breaches of this policy and procedure will be dealt with under our misconduct provisions, as stated in the Code of Conduct Agreement.


Leanne Welling

Director and Behaviour Support Practitioner

At Human Positive Behaviour Support


Copyright © 2025 Human PBS. All rights reserved.
