Information Management Policy
Carers and Advocates ABN 47 629 928 105
1. Introduction
1.1 Purpose
This Policy and the Policies and Procedures and related documentation set out in section 1.5 below (Related Documentation) support Carers and Advocates to apply the Information Management NDIS Practice Standard.
1.2 Policy Aims
Carers and Advocates is committed to ensuring that management of each participant’s information ensures that it is identifiable, accurately recorded, current and confidential. Each participant’s information is easily accessible to the participant and appropriately utilised by relevant workers.
1.3 NDIS Quality Indicators
In this regard, Carers and Advocates aims to demonstrate each of the following quality indicators through the application of this Policy and the relevant systems, procedures, workflows and other strategies referred to in this Policy and the Related Documentation:
Information Management
- Each participant’s consent is obtained to collect, use and retain their information or to disclose their information (including assessments) to other parties, including details of the purpose of collection, use and disclosure. Each participant is informed in what circumstances the information could be disclosed, including that the information could be provided without their consent if required or authorised by law.
- Each participant is informed of how their information is stored and used, and when and how each participant can access or correct their information, and withdraw or amend their prior consent.
- An information management system is maintained that is relevant and proportionate to the size and scale of the organisation and records each participant’s information in an accurate and timely manner.
- Documents are stored with appropriate use, access, transfer, storage, security, retrieval, retention, destruction and disposal processes relevant and proportionate to the scope and complexity of supports delivered.
1.4 Scope
- This Policy applies to the provision of all services and supports at Carers and Advocates.
- All permanent, fixed term and casual staff, contractors and volunteers are required to take full responsibility for ensuring full understanding of the commitments outlined in this Policy.
1.5 Related Documentation
The application of the above NDIS Practice Standard by Carers and Advocates is supported in part by and should be read alongside the Policies and Procedures and related documentation corresponding to this Policy in the Policy Register.
2. Definitions
In this Policy:
Carers and Advocates: Carers and Advocates Australia Pty Ltd ABN 47 629 928 105.
Client: A client of Carers and Advocates (including an NDIS participant).
Key Management Personnel: Claire-Louise McCrackan and other key management personnel involved in Carers and Advocates from time to time.
Legislation Register: The register of legislation, regulations, rules and guidelines maintained by Carers and Advocates.
Personal information: Information or an opinion (whether true or not and whether recorded in a material form or not) about an individual who is identified or reasonably identifiable from the information.
Policy Register: The register of policies of Carers and Advocates.
Principal: Claire-Louise McCrackan.
Related Documentation: Has the meaning given to that term in section 1.1.
Sensitive information: A subset of personal information that is generally afforded a higher level of privacy protection. Sensitive information includes health and genetic information and information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record and some types of biometric information.
Worker: A permanent, fixed term or casual member of staff, a contractor or volunteer employed or otherwise engaged by Carers and Advocates and includes the Principal.
3. Policy Statement
3.1 Consent to collection, use, retaining and disclosing Client information
A Client’s consent must be obtained to collect, use and retain their information or to disclose their information (including assessments) to other parties, including details of the purpose of collection, use and disclosure. Such consent is obtained in accordance with:
- The Privacy Consent Form.
- The Service Agreement between Carers and Advocates and the Client.
The Privacy Consent Form informs Clients that their information could be disclosed or provided without their consent if required or authorised by law.
3.2 How is information stored and used?
Carers and Advocates holds personal information in a number of ways, including in hard copy documents, electronic databases, email contact lists, and in paper files held in drawers and cabinets. Paper files may also be archived in boxes and stored offsite in secure facilities.
Carers and Advocates must take reasonable steps to:
- Ensure the personal information collected, used and disclosed is accurate, up to date and complete and (in the case of use and disclosure) relevant.
- Protect the personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
- Destroy or permanently de-identify personal information that is no longer needed for any purpose that is permitted by the Australian Privacy Principles, subject to other legal obligations and retention requirements applicable to Carers and Advocates.
Employees must only access and use personal information for valid work purposes. When handling personal information, employees should:
- Confirm recipient details before sending faxes or emails.
- Securely store hard copies not being used.
- Be aware of surroundings and people nearby.
- Limit removing hard copies from secure sites.
- Secure information while travelling.
- Dispose of unneeded copies securely.
- Ensure access only for those who need it.
Carers and Advocates employees may only share personal information as set out under this policy and in circumstances permitted under law.
3.3 What third parties does Carers and Advocates disclose personal information to?
Carers and Advocates may disclose personal information to third parties where appropriate, including:
- Carers and Advocates’s funding providers.
- Government and regulatory bodies, including the National Disability Insurance Agency, Medicare, the Department of Social Services, the Department of Health & Human Services, and the Australian Taxation Office.
- People acting on their behalf including their nominated representatives, legal guardians, executors, trustees and legal representatives.
- The police, NDIS Commission, courts, or government agencies.
- Financial institutions for payment processing.
- Referees whose details are provided to Carers and Advocates by job applicants.
- Carers and Advocates’s contracted service providers, including:
  - IT providers.
  - Invoice processors.
  - Freight and courier services.
  - External advisers (e.g. recruitment, audit, legal).
In the case of these contracted service providers, Carers and Advocates may disclose personal information to the service provider and the service provider may, in turn, provide Carers and Advocates with personal information collected from individuals in the course of providing the relevant products or services.
3.4 How is personal information kept secure?
The steps Carers and Advocates takes to secure the personal information Carers and Advocates holds include:
- Website protections (encryption, firewalls, antivirus).
- Login/password restrictions for systems and cloud services (e.g. Google Drive, OneDrive).
- Controlled access to premises.
- Personnel security (including restricting the use of personal information by Carers and Advocates employees to those who have a legitimate need to know the information for the purposes set out above).
- Training and workplace policies.
3.5 Information retention
Unless otherwise required by law, all Client records and personal information will be retained for:
- Clients that are adults, at least seven years after the Client ceases to be a client.
3.6 Information disposal
Before disposing of information, employees must ensure retention requirements are met.
When disposing of personal information, employees should:
- Place unneeded working documents or copies of information in secure bins or adequate shredders.
- Ensure any electronic media including computers, hard drives, USB keys etc. are sanitised when no longer required.
3.7 Privacy incidents
Privacy incidents may result from unauthorised people accessing, changing or destroying personal information. Examples of situations from which incidents may arise include:
- Virus downloads on agency computers.
- Sharing info on social media.
- Theft/loss of data devices.
- Improper disposal (e.g. paper in recycling).
- Sending documents to wrong fax/email.
- Use of unsecured personal email accounts.
Incidents can be accidental or deliberate, due to human or technical error, and apply to data in any form.
3.8 Incident reporting
It is vital all privacy incidents are reported as soon as possible so that their impact may be minimised. Employees should:
- Know how to identify privacy incidents.
- Understand reporting is to reduce harm, not to punish.
- Report to their manager immediately.
Carers and Advocates must report all Client related privacy incidents to the:
- Department of Health and Human Services.
- NDIS Commission.
- Office of the Australian Information Commissioner.
as applicable, within one business day of becoming aware of, or being notified of a possible privacy incident, or within one business day of an allegation being made of a potential breach. A breach of Client privacy may have a major impact, a non-major impact, or be a near miss or an incident with no apparent impact on a Client. In each case, the incident has to be reported and managed in accordance with the Incident Management and Reporting Policy.
3.9 Access and Correction
Clients have a legal right to request access or correction of their personal information held by Carers and Advocates. Clients may ask individuals to verify their identity before processing any access or correction requests, to ensure that the personal information Carers and Advocates holds is properly protected.
3.10 Complaints
If a Client has a complaint about how Carers and Advocates has collected or handled their personal information, it will be managed in accordance with the Carers and Advocates Feedback and Complaints Management System.
4. General
4.1 Relevant Legislation, Regulations, Rules and Guidelines
Legislation, Rules, Guidelines and Policies apply to this Policy and Related Documentation as set out in the Legislation Register.
4.2 Inconsistency
If and to the extent that the terms of this Policy are or would be inconsistent with the requirements of any applicable law, this Policy is deemed to be amended but only to the extent required to comply with the applicable law.
4.3 Policy Details
Approved By: The Board of Carers and Advocates Australia Pty Ltd
Approval Date: February 2022
Version: 2
Next Scheduled Review: February 2027
