Riverlink Disability Services Ltd. (Riverlink) recognises the importance of protecting the privacy of consumers. Consumers’ personal details must be kept confidential and only disclosed, with the consumer’s permission, for the purpose of ensuring that they receive the services they need.
Riverlink will only disclose sensitive or personal information with the permission of the participant or carer.
Riverlink is guided by the 13 Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (C’wealth) (the Privacy Act) which govern the way Personal Information is collected, used, disclosed, stored, secured and disposed of. Riverlink will also follow the requirements established by the Privacy Amendment (Notifiable Data Breaches) Act 2017 in the case of a data breach which is likely to result in serious harm to any individuals whose personal information is involved in the breach.
A copy of the Australian Privacy Principles may be obtained from the website of The Office of the Australian Information Commissioner at https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/.
Consumers have the right to access any personal information kept about them by Riverlink. Requests from consumers to access files can be made verbally or in writing through the Executive Officer.
Written permission is required for the use of any photo or visual image of carers or participants if they are over 18 and capable of giving such permission.
Riverlink’s training and orientation procedures will ensure that all staff and volunteers are aware of and understand Riverlink’s policies and procedures relating to privacy, dignity and confidentiality. Please also see the Staff Training policy (Ref: 3.12).
Eligible Data Breaches
An ‘eligible data breach’ occurs when:
- There is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information;
- The breach is likely to result in serious harm to one or more of the affected individuals; and
- Remedial action has not succeeded in preventing the risk of serious harm.
Personal Information is information or an opinion that identifies an individual. Examples of Personal Information collected include: names, addresses, email addresses, phone and facsimile numbers.
Sensitive information is defined in the Privacy Act to include information or opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.
Sensitive and personal information is obtained in many ways including interviews, correspondence, by telephone and facsimile, by email, via our website www.riverlink.org.au and from third parties.
Sensitive and personal information is used primarily for providing our services to participants and carers, and for providing information to our staff. For example, sensitive and personal information may be given to support workers in the form of a participant profile, and they will report back to the office and the carer on the participant’s wellbeing.
Riverlink may also use sensitive and personal information to support service provision, such as for data collection or analysis. The guidelines for this are outlined below.
Riverlink may also provide sensitive and personal information to third parties if it is a requirement of providing the service. For example, sensitive or personal information may be provided to an external agency if it is made clear to the participant/carer that the support worker is being brokered on Riverlink’s behalf to perform a shift.
To release information to a third party, Riverlink will gain consent. Where the participant can give informed consent to the disclosure of confidential information, consent shall be in writing wherever possible; this is the preferred method of consent. However, verbal consent will be considered valid as long as it is documented by a staff member, usually in the form of a progress note recording the date, the time and the name of the staff member who witnessed the consent.
Where participants are unable to give informed consent, carers will be required to give consent on their behalf.
When sensitive and personal information is collected, Riverlink will, where appropriate and where possible, explain why it is being collected and how it is to be used.
Sensitive and personal information may be disclosed in a number of circumstances including the following:
- to third parties where the participant/carer consents to the use or disclosure; and
- where required or authorised by law.
Sensitive information will be used by Riverlink only:
- for the provision of service for which it was obtained;
- for reasons that support the provision of service; and
- with participant/carer consent; or where required or authorised by law.
Where reasonable and practicable to do so, sensitive and personal information will be collected only from participants/carers directly. However, in some circumstances information may be provided by third parties. In such cases all reasonable steps will be taken to ensure that participants/carers are made aware of the information provided by such a third party.
Riverlink ensures the anonymity of participants when providing statistics about its operation.
Participant/carer information requested by relevant Commonwealth and State Departments for the purposes of data collection will only be supplied with the participant’s/carer’s permission.
Privacy and Confidentiality in the Intake Process
As part of the intake process, service coordinators will provide and verbally explain the Riverlink Consumer’s Handbook to participants/carers. The Handbook includes written information about a participant’s/carer’s right to privacy, dignity and confidentiality. Service coordinators will also inform the participant/carer about:
- the nature of the personal records kept by Riverlink
- the possible use of information in the records, including who may access them
- how to request access to personal records
- the process for consent to release information in the records to services nominated under any agreed referral action
- the process for participant/carer nomination of an individual or individuals who may request access to documented consumer information or attendance at an assessment/review
Where Riverlink feels that it may be necessary to involve another party in the intake process, for example an interpreter service, the intake service coordinator will gain the participant’s/carer’s consent before arranging for that party to be involved.
At intake the service coordinator will note any particular privacy/dignity requirements of the participant and carer, for example a preference for female or male support workers/volunteers.
Participants/carers have the right to withhold information. However, if they choose to withhold any or all of the information requested by the service coordinator, it may affect Riverlink’s capacity to provide the services they are requesting. This will be explained during the initial intake.
Security of Participant Records
Sensitive and personal information is stored in a manner that reasonably protects it from misuse and loss and from unauthorised access, modification or disclosure.
Participant/carer files will be stored in a locked filing cabinet when not in use. Electronic copies of participant files are password protected.
Service coordinators will create a soft copy file for each participant following intake. Files may contain, but are not limited to:
- Initial intake documents and outcome
- Support plan
- Subsequent reviews of support plan and outcome
- Service Agreement documents
- Any change of staff working with the participant
- Reports/information from other agencies
- Requests and correspondence from the participant/carer
Please also see the Intake & Review policy (Ref: 2.07) for more information.
Progress notes will include the date and the name of the worker making the note.
When sensitive or personal information is no longer needed for the purpose for which it was obtained, Riverlink will take reasonable steps to destroy or permanently de-identify the participant’s personal information. Personal information will be retained in line with the Records Management policy (Ref: 1.19).
Photo consent is completed at the time of initial intake or when photo consent is required for staff. Written permission is to be obtained for any display, publication or release of any photograph or visual image. Permission will also be obtained for the use of images that are used for advertising or commercial purpose.
Maintaining the Quality of Participant Personal Information
It is an important part of providing appropriate services that participant sensitive and personal information is up to date. NPP 3 requires Riverlink to take reasonable steps to make sure that participant personal information is accurate, complete and up to date.
It is important that participants and carers advise Riverlink at the earliest opportunity of any changes to their sensitive and personal information so that records can be updated.
Access to Personal Information
APP 12 provides participants and carers with the right to access the personal information held by Riverlink and to update and/or correct it, subject to certain exceptions. If participants or carers wish to access their sensitive or personal information, requests to do so are to be made in writing or over the phone.
Riverlink will not charge any fee for an access request, but may charge an administrative fee for providing a copy of the sensitive or personal information.
In order to protect sensitive personal information, Riverlink may require identification from participants/carers before releasing such information.
Length of Time Records are Held
If a service to a participant has ceased, but may be resumed at a future date, the hardcopy of the participant’s file will be kept for a period of two years before being destroyed. The electronic participant file is archived as soon as service ceases. The destruction of records is outlined in the Records Management policy (Ref: 1.19).
Disclosure of Information without seeking Consent
Riverlink discloses information only if:
- legislation requires information to be released, e.g. mandatory reporting of abuse (please see also the Management of Abuse, Injury & Neglect policy (Ref: 2.21)); or
- a person or the agency is subpoenaed to provide information for court proceedings.
Staff employed directly by Riverlink must sign an agreement of employment that binds them to the Code of Ethics and Conduct that has an explicit statement regarding privacy and confidentiality.
Staff and volunteers are encouraged to seek advice from their supervisors at any time to clarify any practice or situation concerning consumer privacy, dignity and confidentiality.
Individuals providing contract work to Riverlink, where access to any confidential information may be involved, are asked to sign a specific privacy and confidentiality agreement on commencement.
All the computers at Riverlink are password protected. Only Riverlink office staff and contracted IT support personnel who have signed confidentiality agreements will have access to passwords.
Any individual who may require a key to access the Riverlink office will only be given a key at the Executive Officer’s approval. Individuals must sign and date the Key Register when the key enters and leaves their possession.
This policy may change from time to time. The Riverlink Privacy, Dignity and Confidentiality policy is available at our office or on the Riverlink website to anyone who requests it.
Complaints about any breach of Riverlink’s Privacy, Dignity and Confidentiality policy and privacy obligations can be lodged by contacting the Riverlink office in line with the Customer Complaints policy (Ref: 2.20).
Breach of Privacy and Confidentiality
Staff who become aware of any breach or possible breach of privacy and confidentiality are to complete a participant Incident/Worker Accident Report in line with the Incident, Accident & Emergency Management policy (Ref: 1.12). Minor breaches of privacy and confidentiality will be dealt with internally through the Discipline of Staff policy (Ref: 3.22) if required, and participants and carers will be informed of the breach and the impact that it may have on them.
For major breaches of privacy and confidentiality (such as a software failure that compromises multiple participants’ privacy and confidentiality), Riverlink will notify ADHC immediately with:
- Full details of the breach;
- The impact of the privacy breach on any Persons; and
- The steps taken by management to rectify the breach and prevent its reoccurrence
It is not deemed a breach of privacy for Riverlink to validly provide sensitive or personal information to any government agency in accordance with any legal obligation, including in respect of:
- any statutory obligation related to the transition to, or operation of, the National Disability Insurance Scheme; and
- any privacy direction issued by the NSW Privacy Commissioner
Notifiable Data Breaches scheme
There is a formal legal requirement to provide notice of any serious breach to affected individuals and the Privacy Commissioner and a process to be implemented to investigate and deal with such breaches.
For personal information of any kind there are strict obligations under the Privacy Act not to disclose that information to third parties otherwise than in accordance with the Act. If there is a breach caused by employee error, a system glitch, third-party theft or a cyber-attack, it may need to be reported.
Not all data breaches will require notification. In order to trigger the notification requirement, a reasonable person would need to conclude that there has been unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity, and that this would be likely to result in serious harm to any of the individuals to whom the information relates.
Serious harm, in this context, could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
An eligible data breach happens if:
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
In deciding whether a breach ‘will likely result in serious harm’, entities are required to have regard to a list of relevant matters outlined in section 26WA. Such matters include the kind of information leaked, the sensitivity of the information, the kind of persons who may have obtained the information and whether the information has been otherwise protected.
Without limiting the effect of the Act, things like credit card or account details and medical information are likely to give rise to the risk of harm.
If Riverlink believes there are reasonable grounds to suspect there may have been an eligible data breach, it must carry out an expeditious and reasonable assessment within 30 days. If such a breach is found to have occurred then, unless an exception applies, Riverlink must as soon as reasonably practicable prepare a statement to give to the Commissioner, and must take all reasonable steps to notify each of the individuals whose information has been breached.
How does notification occur?
Step 1: Prepare a statement setting out the prescribed details
The organisation must prepare a statement that sets out:
- The organisation’s identity and contact details. If the eligible data breach relates to more than one entity, the statement may set out the identity and contact details of those other entities
- A description of the eligible data breach
- The kind or kinds of information affected by the eligible data breach; and
- Recommendations about the steps that individuals who are or may be affected by the eligible data breach should take
If a statement is prepared at the direction of the Information Commissioner, the statement must also include any information specified in that direction.
Step 2: Provide a copy of the prepared statement to the Information Commissioner
The notification to the Commissioner can be made using the OAIC’s Notifiable Data Breach form.
Step 3: Notify individuals whose information is affected by the eligible data breach about the contents of the statement
Where practicable, reasonable steps must be taken to notify affected individuals about the contents of the statement. This may be done using the channels that an organisation ordinarily uses to communicate with those individuals (e.g. email, text message, mail), but that does not limit the obligation to take reasonable steps or the methods of communication that the entity can use.
If it is not practicable for the organisation to notify individuals, it must publish a copy of the statement on its website (if any) and take reasonable steps to publicise the contents of the statement.
NSW Disability Service Standards:
Standard 1: Rights
National Standards for Disability Services:
Standard 4: Privacy, Dignity and Confidentiality
Draft National Standards for Disability Services 2012:
Standard 1: Rights
Community Care Common Standards:
Standard 3.2: Privacy and Confidentiality
National Disability Advocacy Standards:
Standard 4: Privacy, Dignity and Confidentiality
Privacy Act 1988 (C’wealth)
Privacy Amendment (Notifiable Data Breaches) Act 2017
The Privacy and Personal Information Protection Act 1998 (PPIP Act)
The Health Records and Information Privacy Act 2002 (HRIP Act)
Disability Services Act (NSW) 1993
Trade Practices Act 1974 (C’wealth)