CONFIDENTIALITY AND PRIVACY
Purpose
The Confidentiality and Privacy Policy provides the guidelines for all staff who, in the course of performing their duties, may be required to handle confidential and/or sensitive material of a verbal or written nature. This includes (but is not limited to) client records, recruitment, selection, separation, payroll, performance management and staff assistance documentation, and other information.
Scope
The Confidentiality and Privacy Policy applies to all staff members (full-time, part-time, contract, casual, voluntary and temporary) of Ravenshoe Community Centre Inc. with access to any confidential Organisational documents, client records or sensitive material of a verbal or written nature.
Australian Privacy Principles
The Australian Privacy Principles (APPs) are a set of rules that outline the responsibilities of organisations and services such as the Ravenshoe Community Centre Inc. These rules are contained in the Privacy Act 1988 (Cth), the national law relating to privacy.
The APPs replaced the previous rules around privacy and confidentiality, the National Privacy Principles (NPPs), which applied to private sector organisations, and the Information Privacy Principles (IPPs), which applied to Commonwealth agencies, in order to provide a single, consistent set of principles for all organisations dealing with personal and sensitive information.
For more information on the Australian Privacy Principles please see the Addendum at the end of this policy.
What is Personal Information?
Personal information refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) Whether the information or opinion is true or not, and
b) Whether the information or opinion is recorded in a material form or not.
This definition is broad and can include information about a person such as:
- Name or alias
- Residential or postal address
- Contact numbers
- Email address
- Photographs and images
- Information about opinions or what a person does or does not like.
What is Sensitive Information?
Sensitive information is a category of personal information that must be handled with particular care, because its misuse can cause serious harm to the individual concerned. Sensitive information includes information or an opinion relating to:
- A person’s racial or ethnic origin
- Health or medical information
- Political opinion
- Membership of a political association
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a professional or trade association
- Membership of a trade union
- Sexual orientation or practices
- Criminal record, or
- Biometric information
Please note that information collected may be provided to the relevant funding body during an audit or investigative process, for the purpose of ensuring that service users receive a quality service.
Legislative References
Privacy Amendment (Private Sector) Act 2000, FOI
Principles
In order to protect the rights of clients, and people in general, it is imperative that every member of staff, when dealing with others’ details, observe the strictest confidence in discharging their duties and professional responsibilities. Any improper disclosure or discussion of records or information concerning clients of the Organisation will be regarded as a serious breach of confidentiality and could lead to dismissal. Such information and records include, but are not limited to:
- Client records
- Employee records
- The Organisation’s documents
- Computer records and passwords
- Meeting discussions.
Employees will take care in maintaining the integrity and security of official documents and information for which they are responsible. Misuse of information includes:
1. Disclosing information without proper authority to:
- other employees, members of the public, government departments / agencies;
- banks, credit agencies, the media and private investigators.
2. Accessing information for personal interest, benefit or advantage, or for the interest, benefit or advantage of another person.
3. Seeking to take advantage, for any reason, of another person on the basis of information about that person held in official records.
The Golden Rule is “What is said in the centre – or in places associated with the centre – stays within the Organisation.”
All employees, contractors and volunteers (including Management Group members) are required to sign a Workplace Confidentiality Agreement prior to commencing with the Organisation.
Information Systems
Citrix passwords issued to staff must be kept confidential. Disclosure of a password or access code to other staff members, family, friends or any other unauthorised person is strictly prohibited.
Staff required to log into a computer system must use their own individual password or access code. Logging in with a borrowed password, or with another staff member’s password or access code, is prohibited.
It is the responsibility of all staff to log out of the system upon completion of their task. Personal computers or terminals are not to be left unattended while member or staff details are displayed on the screen.
When staff or volunteers cease their engagement with the Organisation, their individual accounts must be deactivated and the passwords of any computers they have used must be changed. The designated ‘Citrix Administrator’ is responsible for this task.
Publicity
No staff member is permitted to make any statement to the media concerning clients or the organisation’s business or to allow their photograph to be taken in or around the Organisation’s premises without the express approval of the RavCom Collective.
Storage, Security and Release of Information
Information in the possession of the Organisation shall only be used for the purpose for which it was acquired. Employees who use such information for any improper purpose may be guilty of serious and wilful misconduct, and their employment may be terminated in accordance with the Disciplinary Process.
Staff shall take all precautions to ensure that information is securely stored and managed so as to prevent other individuals and unauthorised persons from obtaining access to personal information.
Staff may not remove Ravenshoe Community Centre files and records from the Office except where this is required for case management and the records are securely stored for transit. Documents must not be shredded, destroyed or discarded without RavCom Collective approval; staff should refer to the Ravenshoe Community Centre Records Management Policy.
Client Access to Files
The client’s file remains the property of Ravenshoe Community Centre. However, should the client wish to review this information, a written, signed application to the RavCom Collective must be submitted.
The client will be advised that it may take up to 10 working days to meet this request. The Program Coordinator or a senior staff member will review the file for release, removing or redacting third party information where necessary, in accordance with Freedom of Information and Privacy Act requirements.
A supervised time to view the file will then be arranged.
Documentation previously provided by a client may be copied or returned to the client after making a formal request to the RavCom Collective.
Ravenshoe Community Centre will comply with all requests to release information subpoenaed by court order unless otherwise advised by an independent legal representative.
Reportable Incidents
All staff will follow the RCC Duty of Care Policy.
Where reporting is mandatory, all forms of suspected or actual abuse of children, suspected or actual self-harm, and actual or threatened harm to persons or property will be reported to the relevant authority.
See RCC Duty of Care Policy
Related Policies and Documentation
Disciplinary process
Workplace Confidentiality Agreement
Use of Email and Internet
Managing Client Records Policy
ADDENDUM
AUSTRALIAN PRIVACY PRINCIPLES (APPs)
APP 1 – Open and transparent management of personal information
APP 2 – Anonymity and pseudonymity
APP 3 – Collection of solicited personal information
APP 4 – Dealing with unsolicited personal information
APP 5 – Notification of the collection of personal information
APP 6 – Use or disclosure of personal information
APP 7 – Direct marketing
APP 8 – Cross-border disclosure of personal information
APP 9 – Adoption, use or disclosure of government related identifiers
APP 10 – Quality of personal information
APP 11 – Security of personal information
APP 12 – Access to personal information
APP 13 – Correction of personal information
From the Office of the Australian Information Commissioner (OAIC).
APP 1 – Open and transparent management of personal information
The object of this principle is to ensure that personal information is managed in an open and transparent way.
As an organisation, RCC Inc must take steps to ensure that the APPs are implemented in its practices, procedures and systems relating to all its functions and activities. This means ensuring:
- RCC Inc complies with the APPs and any APP code
- All staff, volunteers and Management Group members are able to deal with inquiries or complaints from individuals about compliance with the APPs or any APP code.
APP 2 – Anonymity and pseudonymity
Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with RCC Inc in relation to a particular matter.
A pseudonym is a name other than a person’s real or true name. It may be a nickname or an abbreviated version of a name that does not reveal the person’s true name. Example – ‘Please just call me Max’.
Sometimes individuals prefer not to disclose personal information such as their name. In some instances, such as telephone counselling or participating in a support group, this information is not essential.
In other instances, it may not be practicable to provide services without personal information.
Where a person would like to remain anonymous but cannot access services or programs without providing personal information, staff should discuss with the individual why the personal information must be collected.
If a person has requested anonymity and is still able to participate in services, they must not be prevented from doing so.
NOTE: An individual may wish to use a pseudonym due to cultural reasons. For example some Aboriginal and Torres Strait Islander communities change names for cultural or traditional ceremonies. Consideration should be made of cultural reasons for anonymity.
APP 3 – Collection of solicited personal information
RCC Inc must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities.
Collecting personal information is a part of delivering services each day. Solicited information is the information that is required to perform duties, functions and activities. Personal information is collected by RCC Inc for the purposes of:
- service or program delivery
- referrals
- data collection and evaluation
Information can be collected in writing and verbally. Some examples of collecting personal information include:
- information collected when completing a form, such as for counselling services, emergency relief, family support etc
- a phone call from a client
- a referral from an external agency or organisation
- enquiry from a legal guardian
- email correspondence
- a photo or image collected as part of an activity.
Sensitive Information
Collecting sensitive information requires further consent from an individual. Because the information requires a particular level of protection the person must understand that the information will be collected only for the purposes of activities related to RCC Inc (refer to APP 5 – Notification of the collection of personal information).
APP 4 – Dealing with unsolicited personal information
If RCC Inc receives personal information that it has not solicited, it must determine whether it could have collected that information under APP 3. If not, the information must not be retained by RCC Inc.
Some information is not required to perform the duties, functions or activities, such as when a client discloses additional personal information.
Example: Bill registers for counselling and sends an email to the Family Support Worker with his bank account details.
The staff member must determine whether the information is required as part of the function or activity. If not, the information must not be retained and must be destroyed or deleted as soon as practicable.
APP 5 – Notification of the collection of personal information
When RCC Inc collects personal information the individual must be aware of the purpose of collection.
If information is collected or solicited (refer APP 3 – Collection of solicited personal information), the individual must understand why the information is required. RCC Inc generally collects personal information for the following purposes:
- service or program delivery
- referrals
- data collection and evaluation
- recruitment/employment
In all instances staff must explain, at the time of collection:
- how the information is collected
- why the information is being collected
- how the information will be stored
- how a person may lodge a complaint
- in what instances the information will be disclosed
When collecting sensitive information it is important to ensure that the information is collected in a private (not public) setting. Before the collection staff should:
- read a prepared statement
- ask the client or staff member to read a collection form
- ensure the client understands and consents to the information being collected
- if necessary, arrange an interpreter.
Information about staff and volunteers
Information is collected from individuals for the purpose of recruitment of staff and volunteers, and through the course of the working relationship with RCC Inc.
All personal information must be collected, where possible, directly from the individual concerned.
Information provided to the organisation through a referral or reference from another employer during a recruitment process will only be used for the primary purpose of collection.
Members of staff and volunteers are under no obligation to provide information of a sensitive nature, for example, religious beliefs. Where sensitive information is provided, all reasonable steps are taken to ensure this occurs in private and remains private.
APP 6 – Use or disclosure of personal information
How RCC Inc uses and discloses the personal information that it holds.
If the information has been collected for the purpose of RCC Inc functions and activities this is the primary purpose of use. If the information is then used or disclosed for another purpose (internally or externally) this is the secondary purpose.
Example: John contacts RCC Inc enquiring about emergency relief. John completes all the emergency relief paperwork and visits the emergency relief support worker (primary purpose). The emergency relief support worker then identifies a need to access other services and discusses the NILS program with John. The emergency relief support worker then requests from John that his personal information be used for a referral to the NILS program (secondary purpose).
Information may only be used or disclosed for a secondary purpose with the express consent of the client. A client must be aware of what information is going to be disclosed and to whom it is being disclosed. Consent may be obtained verbally or in writing; however, when sensitive information is to be disclosed, it is preferred that the client consents in writing.
The information must not be disclosed at any time to a third party where the individual has not provided consent. It is not acceptable at any time to discuss personal and sensitive information with another person, agency or service without consent. This includes discussing client information at home or with a friend outside of work. It also includes other forms of disclosure, such as the use of social media, or disclosure to a third party connected to the client, such as a parent or carer.
All staff and volunteers must be aware that even in instances where the disclosure would seem to benefit the client or is done in good faith, it will be regarded as a breach of this privacy policy.
APP 7 – Direct marketing
RCC Inc may only use or disclose personal information for direct marketing purposes if certain conditions are met.
What is direct marketing? Direct marketing is where an organisation such as RCC Inc advertises directly to a client or individual using email, phone calls, letters etc. This usually requires the person’s data in order to ‘target’ the direct marketing.
In accordance with the APPs, RCC Inc as an organisation must not use or disclose personal information (including sensitive information) for the purposes of direct marketing unless all of the following conditions are met:
- RCC Inc has collected the information from the individual, and
- The individual would reasonably expect the use or disclosure of the information for that purpose (direct marketing), and
- The individual may easily request not to receive direct marketing communications (such as a prominent statement in the direct marketing), and
- The individual has not already requested not to receive direct marketing.
As a general rule, RCC Inc should not be using personal information for the purposes of direct marketing to a client of RCC Inc.
There may be occasions where direct marketing is conducted such as advertising of programs in a community newsletter. In instances such as these the RavCom Collective must consider the applicability of APP 7 as well as other relevant legislation such as the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth).
APP 8 – Cross-border disclosure of personal information
RCC Inc must take steps to protect personal information before it is disclosed overseas.
Before any personal information is sent to an overseas recipient (agency or organisation), RCC Inc must take reasonable steps to ensure that the recipient complies with the APPs. It is not envisaged that any personal information will be disclosed to overseas recipients unless required as a Commonwealth Government contractor.
Disclosure of personal information to an overseas recipient by RCC Inc is limited to the following conditions:
- The individual has provided written consent to the disclosure, and
- The overseas recipient requires the information to provide assistance to the individual, or the disclosure is required under Australian law, or
- The disclosure is required for enforcement purposes.
At no time is it permissible to distribute personal information to an overseas recipient that is expected to derive a commercial gain from the personal information. Likewise, information must not be sent to another entity where personal risk to the individual would result from the disclosure.
Note that every proposed disclosure of personal information to an overseas recipient must be referred to the Management Group of the RavCom Collective before the information is disclosed.
APP 9 – Adoption, use or disclosure of government related identifiers
The limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
As an organisation, RCC Inc receives government related identifiers for the purpose of providing services. These identifiers may be issued by Commonwealth Government agencies such as Centrelink or the Department of Social Services.
At no time should a government related identifier be adopted by RCC Inc as its own identifier for an individual. The only exception is where adoption is required or authorised by an Australian law (including regulations) or a court/tribunal order.
The use and disclosure of government related identifiers is similarly restricted for all RCC Inc staff. Government related identifiers must not be used or disclosed unless:
- The use or disclosure of the identifier is reasonably necessary to verify the identity of the individual for the purposes of RCC Inc’s activities or functions, or
- The use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority, or
- The use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order, or
- The use or disclosure is for enforcement related activities conducted by, or on behalf of, an enforcement body.
APP 10 – Quality of Personal Information
RCC Inc must take reasonable steps to ensure that the personal information it collects is accurate, up to date and complete. All staff and volunteers must also take reasonable steps to ensure that the personal information they use or disclose is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
RCC Inc staff and volunteers are required to:
- Record objective and factual information (whether face-to-face, email or phone) including, but not limited to, any discussions, correspondence, contacts with other service providers, actions taken, cancelled meetings etc.
- Be objective, non-judgemental, non-offensive and relevant in information content. Recording personal opinions or attempting to make a ‘diagnosis’ is prohibited.
- Be transparent in respect of a client’s right to read anything that is written about them.
- Be clear, legible, logical, with entries typed or filed in chronological order.
APP 11 – Security of Personal Information
RCC Inc must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. All staff and volunteers are obliged to destroy or de-identify personal information in certain circumstances.
Staff and volunteers are not to access confidential information unless it is necessary for, and they are authorised for, the purpose of their work.
All staff and volunteers will contribute to the security of information held by the organisation across management and planning, resourcing and finance, service delivery and evaluation, through:
- Ensuring visitors to any RCC Inc premises do not gain access to any confidential information
- Ensuring that any visitor is supervised in places where there may be unlocked confidential information
- Disclosing information only for authorised purposes
- Keeping information relating to a file either on that file or in the case of information on a computer system, in the appropriate drive path or application
- Ensuring any confidential computer files are not left open when unattended
- Not divulging passwords to applications on the computer system
- Shredding documents or drafts no longer required
- Keeping files in locked filing cabinets to protect from loss, misuse, and/or unauthorised access
- Maintaining a clean desk policy keeping hidden any personal information from inappropriate view
- Removing files from the office only in appropriate circumstances, for example, external client visit, court appearance etc. Wherever possible, copies rather than originals of documents should be taken from the premises for these purposes. Any removal of files should be checked with the relevant Program Coordinator or Senior Staff member present.
- Using appropriate methods to communicate information – Note: Email and fax are not secure
- Ensuring all email signatures contain the ‘confidentiality disclaimer’
- Using discretion when discussing information with colleagues or clients in a public space
- Ensuring confidential files remain closed when not in use
- Locking the filing cabinets (including for meal breaks etc) and the premises when they are unattended
- Ensuring that user accounts and passwords are deactivated, and keys returned, when a member of staff or volunteer leaves the agency
- Ensuring that no paper used for recycling in printers or otherwise has any personal or sensitive information on it. This includes financial information, names, phone numbers, debtors, creditors etc.
Any personal or sensitive information must be destroyed or permanently de-identified when that information is no longer needed for any legal or other purposes.
Archived files are held in a locked room at all times. Any archived information stored off-site is maintained in a secure storage facility.
Any information kept unlocked in general filing systems and at individual work stations must not be of a confidential or sensitive nature.
The Program Coordinator or Senior Staff member relevant to each program area is responsible for ensuring that systems are in place to comply with APP 11.
APP 12 – Access to personal information
RCC Inc’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
Please refer to the Client Access to Files section of this policy.
Clients have a right to access their information and to have it corrected where it contains errors.
Information held about a client must be provided upon request, except to the extent that:
- Providing access would pose a serious and imminent threat to the life or health of any individual, or
- Providing access would have an unreasonable impact upon the privacy of other individuals, or
- The request for access is frivolous or vexatious, or
- The information relates to existing or anticipated legal proceedings between the Organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings, or
- Giving access would reveal the intentions of an entity in relation to negotiations with the individual in such a way as to prejudice those negotiations, or
- Providing access would be unlawful, or
- Denying access is required or authorised by or under an Australian law or a court/tribunal order, or
- There is reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to RCC Inc’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter, or
- Giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body, or
- Giving access would reveal evaluative information generated within the entity in connection with a commercially (business) sensitive decision-making process.
Where an exemption applies, RavCom Collective will consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
The RavCom Collective will provide reasons for denial of access to information, in writing.
Note: Children under 18 years of age can make their own privacy decisions dependent upon their cognitive ability, maturity and understanding. Feedback is negotiated, discussed and agreed upon with a qualified staff member (eg Counsellor) and supported through an assessment of the child’s ability to understand.
APP 13 – Correction of personal information
RCC Inc’s obligations in relation to correcting the personal information it holds about individuals.
RCC Inc staff and volunteers must take reasonable steps to correct personal information where the client or RCC Inc considers it to be:
- Inaccurate
- Out of date
- Incomplete
- Irrelevant
- Misleading
RCC Inc must also advise any other APP entity to which the personal information has previously been disclosed of the correction made under APP 13.
In circumstances where the organisation refuses to correct personal information, clear reasons must be provided to the individual concerned. The refusal must be in a written notice that sets out:
- The reason for the refusal except to the extent that it would be unreasonable to do so, and
- The mechanism available to complain about the refusal, and
- Any other matter relevant to the refused correction or as prescribed by law.
If the correction is refused, the individual may ask the RavCom Collective to attach to the information a statement that the individual believes the information is inaccurate, out of date, incomplete, irrelevant or misleading. This statement must be apparent to all users of the information, for example through a clear file note or other form of alert.
All requests for correction must be responded to within 30 days of the request for correction.
Note: Any staff or volunteers requiring further explanation, information or assistance in understanding or undertaking aspects of this policy and addendum, throughout the period of their engagement with RCC Inc, are encouraged to seek clarification from their Program Coordinator, Senior Staff Member or Manager.