BEST PRACTICE


Privacy Policy

PURPOSE AND SCOPE

Best Practice Community Service is committed to protecting the privacy and confidentiality of clients, staff, Board members, students, volunteers and stakeholders in the way information is collected, stored and used.

This policy provides guidance on Best Practice Community Service’s legal obligations and ethical expectations in relation to privacy and confidentiality.

Best Practice Community Service holds two types of information which are covered by this policy: personal information and organisational information.

PRINCIPLES

Best Practice Community Service is committed to ensuring that information is used in an ethical and responsible manner.

Best Practice Community Service recognises the need to be consistent, cautious and thorough in the way that information about clients, stakeholders, staff, Board members, students and volunteers is recorded, stored and managed.

All individuals including clients, stakeholders, staff, Board members, students and volunteers have legislated rights to privacy of personal information. In circumstances where the right to privacy may be overridden by other considerations (for example, child protection concerns), staff act in accordance with the relevant policy and/or legal framework.

All staff, Board members, students and volunteers are to have an appropriate level of understanding about how to meet the organisation’s legal and ethical obligations to ensure privacy and confidentiality.

OUTCOMES

Best Practice Community Service provides quality services in which information is collected, stored, used and disclosed in an appropriate manner complying with both legislative requirements and ethical obligations.

All staff and Board Directors understand their privacy and confidentiality responsibilities in relation to personal information and organisational information about Best Practice Community Service, its clients, staff and stakeholders. This understanding is demonstrated in all work practices.

RISK MANAGEMENT

Best Practice Community Service ensures mechanisms are in place to demonstrate that decisions and actions relating to privacy and confidentiality comply with federal and state laws.

All staff, volunteers, students and Board members are made aware of this policy during orientation.

All staff are provided with ongoing support and information to assist them to establish and maintain privacy and confidentiality.

POLICY IMPLEMENTATION

This policy is developed in consultation with all staff and approved by the Board of Directors. This policy is to be part of all staff orientation processes and all employees are responsible for understanding and adhering to this policy.

This policy should be referenced in relevant policies, procedures and other supporting documents to ensure that it is familiar to all staff and actively used.

This policy will be reviewed in line with Best Practice Community Service’s quality improvement program and/or relevant legislative changes.

POLICY DETAIL

The privacy of personal information is defined by legislation (Privacy Act 1988). At all times, Best Practice Community Service acts in accordance with these legal requirements, which are underpinned by the policy statements 8.1-8.6 outlined below. Best Practice Community Service also strives to respect the confidentiality of other sensitive information. However, in the spirit of partnership, we share information with clients and other involved individuals and organisations (subject to consent), where it would be in the best interest of the client, or other individual, to do so.

COLLECTION OF INFORMATION

Personal information collected by Best Practice Community Service is only for purposes which are directly related to the functions or activities of the organisation. These purposes include:

  • Enquiry about programs
  • Referral to programs
  • Providing treatment and support to clients
  • Administrative activities, including human resources management
  • Sector development activities
  • Community development activities
  • Fundraising
  • Complaint handling

Best Practice Community Service provides clients with information about the collection of health and personal information, including:

  • Purpose of collecting information
  • How information will be used
  • Who (if anyone) information may be transferred to and under what circumstances information will be transferred
  • Limits to privacy of personal information
  • How a client can access or amend their health information
  • How a client can make a complaint about the use of their personal information.

USE AND DISCLOSURE

Best Practice Community Service only uses personal information for the purposes for which it was given, or for purposes which are directly related to one of the functions or activities of the organisation. It may be provided to government agencies, other organisations or individuals if:

  • The individual has consented
  • It is required or authorised by law
  • It will prevent or lessen a serious and imminent threat to somebody’s life or health.

DATA QUALITY

Best Practice Community Service takes steps to ensure that the personal information collected is accurate, up-to-date and complete. These steps include maintaining and updating personal information when we are advised by individuals that it has changed (and at other times as necessary), and checking that information provided about an individual by another person is correct.

Reasonable physical safeguards include:

  • Locking filing cabinets and unattended storage areas
  • Physically securing the areas in which the personal information is stored
  • Not storing personal information in public areas
  • Positioning computer terminals and fax machines so that they cannot be seen or accessed by unauthorised people or members of the public.

Reasonable technical safeguards include:

  • Using passwords to restrict computer access, and requiring regular changes to passwords
  • Establishing different access levels so that not all staff can view all information
  • Ensuring information is transferred securely (for example, not transmitting health information via non-secure email)
  • Using electronic audit trails
  • Installing virus protections and firewalls.

Reasonable administrative safeguards include not only the existence of policies and procedures for guidance but also training to ensure staff, Board members, students and volunteers are competent in this area.

ACCESS AND CORRECTION

Individuals may request access to personal information held about them. Access will be provided unless there is a sound reason under the Privacy Act or other relevant law. Other situations in which access to information may be withheld include:

  • There is a threat to the life or health of an individual
  • Access to information creates an unreasonable impact on the privacy of others
  • The request is clearly frivolous or vexatious or access to the information has been granted previously
  • There are existing or anticipated legal dispute resolution proceedings
  • Denial of access is required by legislation or law enforcement agencies.

Best Practice Community Service is required to respond to a request to access or amend information within 45 days of receiving the request.

Amendments may be made to personal information to ensure it is accurate, relevant, up-to-date, complete and not misleading, taking into account the purpose for which the information is collected and used. If the request to amend information does not meet these criteria, Best Practice Community Service may refuse the request.

If the requested changes to personal information are not made, the individual may make a statement about the requested changes, which will be attached to the record.

The Operating Manager is responsible for responding to queries and requests for access/amendment to personal information.

ANONYMITY AND IDENTIFIERS

Wherever it is lawful and practicable, individuals will have the option of not identifying themselves or requesting that Best Practice Community Service does not store any of their personal information.

As required by the Privacy Act 1988, Best Practice Community Service will not adopt a government-assigned individual identifier number (e.g. a Medicare number) as if it were its own identifier/client code.

COLLECTION, USE AND DISCLOSURE OF CONFIDENTIAL INFORMATION

Other information held by Best Practice Community Service may be regarded as confidential, pertaining either to an individual or an organisation. The most important factor to consider when determining whether information is confidential is whether the information can be accessed by the general public.

Staff members are to refer to the CEO/Manager before transferring or providing information to an external source if they are unsure if the information is sensitive or confidential to Best Practice Community Service or its clients, staff and stakeholders.

ORGANISATIONAL INFORMATION

All staff, Board members, students and volunteers agree to adhere to the Best Practice Community Service Code of Conduct when commencing employment, involvement or a placement. The Code of Conduct outlines the responsibilities to the organisation related to the use of information obtained through their employment/involvement/placement.

STAKEHOLDER INFORMATION

Best Practice Community Service works with a variety of stakeholders including private consultants. The organisation may collect confidential or sensitive information about its stakeholders as part of a working relationship. Staff at Best Practice Community Service will not disclose information about its stakeholders that is not already in the public domain without stakeholder consent.

The manner in which staff members manage stakeholder information will be clearly articulated in any contractual agreements that the organisation enters into with a third party.

BREACH OF PRIVACY OR CONFIDENTIALITY

If staff are dissatisfied with the conduct of a colleague with regard to privacy and confidentiality of information, the matter should be raised with the staff member’s direct supervisor. Staff members who are deemed to have breached privacy and confidentiality standards set out in this policy may be subject to disciplinary action.

If a client or stakeholder is dissatisfied with the conduct of a Best Practice Community Service staff or Board member, a complaint should be raised. Information on making a complaint will be made available to clients and stakeholders and will be found on the Best Practice Community Service website. Additionally, a complaint can be taken over the phone by any staff member.