Wimmera UnitingCare acknowledges and respects the privacy of individuals and is committed to protecting the privacy of all personal information. The agency supports and endorses the Australian Privacy Principles (APP) and the Privacy Amendment (Private Sector) Act 2000 and will comply with these principles whenever personal information as defined by the Act is collected.
Wimmera UnitingCare will provide access to its records on the basis of the Freedom of Information Act 1982 even though the agency is not formally subject to that Act.
Personal information - is recorded information about an individual which directly or indirectly identifies an individual. Program areas and human resources frequently manage personal information.
Health information - relates to the management of information relating to physical, mental health or disabilities related to service users and employees.
Sensitive information - relates to political views, religious beliefs, sexual preferences, membership of groups, racial or ethnic origin and criminal records.
Child’s best interests - relates to children having a right to protection from harm, the protection of children’s rights and the promotion of child development. Best interests must be seen through a prism of a child’s age, culture and gender.
Information collected is to be used for program function and is undertaken in a lawful, fair and an unobtrusive manner. Collection of information is guided and informed by the legislation and is compliant with any service provision requirements.
Collection of sensitive information will only occur:
- With a person’s consent.
- After reasons for collection and permissible disclosures are given.
- If required by law.
- To prevent a serious threat to life or health.
- If necessary for research or the compilation or analysis of statistics or relevant to government funded targeted welfare or education services.
- Is necessary for the establishment, exercise or defence of a legal or equitable claim.
- Relates solely to organisation members and the organisation confirms at or before collection that the information will not be disclosed without the individual’s consent.
At the point of collection or as soon as practicable employees will provide the individual with the following information:
a) The name of the employee collecting the information, the program and contact details.
b) What the information will be used for.
c) How the person can get access to their information.
d) Who else will have access to the information.
e) The consequences if the information is not provided.
f) The limits of confidentiality (refer to section titled Use and disclosure).
The Department of Human Services forbids the use of children and young people in Out of Home Care to be used in any advertising or promotional events. This requirement may be altered if it is considered that such activity is in the child’s best interests. If in the course of their educational, recreational or social activities a child has been asked to participate in advertising or promotional activity, permission to waive the requirement may be sought from the Department of Human Services.
Individuals have the right to not identify themselves when entering transactions with organisations if that is lawful and feasible. (Refer to section titled Anonymity and pseudonymity)
Managers and supervisors are responsible for ensuring that records are kept in accordance with Wimmera UnitingCare standards and Australian Privacy Principles (APP).
Dealing with unsolicited personal information
Australian Privacy Principles 3, 4 and 5 address the receiving of and dealing with information gained from other agencies or entities.
Unsolicited information is data not gained directly from the individual or entity. Prior to dealing with this information consideration is required in the following regards:
- Did the individual consent to the forwarding of the received information?
- Was the received information initially provided under Australian Privacy Principles (APP) provisions?
- Could the Wimmera UnitingCare program have obtained the information in accordance with Australian Privacy Principles (APP) provisions and collected the information due to its relevance required for effective service delivery?
If there is doubt about the above considerations the following is required to be implemented:
- Notify the individual or entity of the received unsolicited information.
- Destroy the information if it is not relevant to use or
- De-identify the information depending on the circumstances and service provision considerations.
Anonymity and pseudonymity
According to Australian Privacy Principle 2 individuals have the option of not identifying themselves or of using a pseudonym (government identifiers must not be used unless authorised or required by law as per Australian Privacy Principle 9). This being the case the service recipient will be informed that services may be delayed or streamlined service delivery could be affected.
Use and disclosure
Information will be used and disclosed for the primary purpose for which it was collected or a related purpose that the person would reasonably expect.
The 'Your Information - It’s Private' handout must be provided to clients and individuals to emphasise the agency information gathering and privacy provisions.
In order to perform program functions, effective service delivery and ensuring a child’s best interests it is often necessary to share information with other professionals, community and family members. Information sharing will be done with care and consideration. It is necessary to ensure the right information is available to the right people, at the right time to enable necessary services, decision making and best care and to protect the best interests of children.
It is best practice to obtain consent, preferably written consent where possible prior to sharing information with other professionals, family and community members. Employees will use the program appropriate consent form (SCTT agency consent form) to obtain consent prior to information disclosure. The exception to this is noted below.
During the course of program functions information may be disclosed to Wimmera UnitingCare employees from other professionals and family members other than the service user.
Information may be disclosed without consent and a notation made in the file records if it is necessary:
a) To prevent a serious and imminent threat to an individual’s life, health, safety or welfare.
b) To prevent a serious threat to public health, public safety or public welfare.
c) In relation to unlawful activity.
d) By law. This includes sharing of information under the Child Youth and Families Act 2005 which ensures good care and decision making in Out of Home Care, making a report to Child Protection, undertaking specific functions at Child FIRST and consulting with a Community Based Child Protection Worker.
Information must be de-identified if it is released for purposes other than what it was collected for. In these instances a note should be made with regard to why the information was released.
Wimmera UnitingCare will ensure that data quality is maintained by data being accurate, complete and up-to-date and written case notes signed and dated. If this is not the case the necessary amendments must be made to the documentation and other relevant individuals or entities duly informed.
Restrictions to direct marketing
If direct marketing is undertaken the following is required to be observed to be compliant with Australian Privacy Principle 7:
- Direct marketing is not to be undertaken without consent from those being approached.
- Direct marketing may only be undertaken if it is considered ‘reasonable within the normal course of business’.
- Information collected cannot be used for direct marketing purposes unless the information has been collected specifically for direct marketing.
Cross border disclosure
Personal information may only be transferred outside of Victoria including offshore recipients if the recipient protects privacy and is deemed a compliant entity under the Australian Privacy Principles (APP).
Unless information is sought for law enforcement activities the sending of personal information outside of the state must have the relevant person’s consent.
Right to access information
Service users and employees have a right to access information held by Wimmera UnitingCare subject to some exceptions allowed by law and to request correction if necessary. Information will be released subject to related privacy acts at the time records were created and used.
Requests for access to records must be made in writing to the Chief Executive Officer. A ‘reasonable and practical request’ for access to information will be met within 30 days. If there is a longer delay the individual will be provided with the reason for the delay however meeting the request is expected to be in a reasonable timeframe.
Individuals requesting information will be required to provide identifying documentation to validate their identity. A request for information is initiated with the use of the agency freedom of information request form.
If Wimmera UnitingCare workers receive subpoenas compelling the provision of information for legal purposes or requests from Victoria Police the worker will notify their supervisor and Executive Manager as soon as possible.
The relevant Executive Manager will review records prior to release to ensure that information released is not in breach of the Australian Privacy Principles (APP) and that de-identification of records where necessary has taken place correctly. A copy of the information will be made and where possible the original records will be retained at Wimmera UnitingCare and the duplicate released. Any information regarding other people not related specifically to the person will be blacked out prior to release.
Correction of information
Correction of information can be undertaken if:
- Proof for the need to correct information is evident.
- Written advice is provided requesting a correction.
Notation in regards to the correction or seeking to correct information should be included in the file or documentation.
Conversely declining to correct information is required to be noted and the relevant entity informed of the decision not to correct information. In this case the agency has a responsibility to advise of the complaints procedure.
Informing other relevant persons or entities of the updated information should be considered within the parameters of privacy and confidentiality restrictions.
Release of information declined
In all cases when information is requested by a person other than the supported person the consent of the supported person is required prior to the release of information.
When a request for information is declined by Wimmera UnitingCare for the reasons listed below the applicant can use the appeal for release of information through the Privacy Commission, Health Services Commission or VCAT. Wimmera UnitingCare will abide by the decisions of the ruling authority.
Information will not be released if it:
a) Would pose a serious or imminent threat to the life or health of any individual.
b) Would unreasonably impact upon the privacy of other individuals.
c) May be deemed as frivolous or vexatious.
d) Relates to existing or anticipated legal proceedings with the individual which would not otherwise be disclosed as part of those proceedings.
e) Would reveal organisation intentions and prejudice negotiations with the individual.
f) Would be unlawful to provide.
g) Is denied by authorised law.
h) May prejudice an investigation of possible unlawful activity or the activities of a law enforcement agency.
i) Was collected before 21 December 2001 and would place an unreasonable expensive or administrative burden on the organisation.
j) Would reveal evaluative information that relates to a commercially sensitive decision.
If access to information is denied then:
- An explanation why refusing access to information is offered.
- The individual or entity must be informed of the agency complaints procedure.
- Consider what information can be available to the satisfaction of both parties.
- Consider the use of a mutually agreed intermediary for access to information.
Storage and disposal
Reasonable steps must be taken to protect information from misuse, loss, unauthorised access, modification or disclosure through the following measures:
a. Information about individuals will be kept in locked filing cabinets or drawers when it is not being used. Residential House client files are to be kept in a locked filing cabinet in the office. Children are not to have access to the office unless under supervision. The door to the office will be kept locked when not in use.
b. Individual’s names will not be displayed on white boards.
c. If information stored as hard data on electronic or technological devices or as images is taken out of the office it will be in a secure satchel, bag or closed container.
d. If information is taken out of the office it will be kept locked in a car boot.
e. If information is out of the office overnight the information will be kept secure in a worker’s home.
f. Laptops containing individual information will be password protected.
g. If it is necessary to email identified information employees will request receipts to confirm data is received by the intended person and no client names will be used in the subject field.
h. Employees will be careful about where information is discussed in the office or external environment.
i. Employees will store electronic information correctly on drives considering the category of information, whether back up is required and the level of access provided to particular drives.
j. Written file notes will be signed and dated.
The use of government department identifiers such as tax file numbers, CRNs etc. is expressly forbidden to code agency client files unless authorised or required to do so by law.
Rough notes, drafts etc. which are not included in the file as they are not relevant or required by the program activities or have been replaced by electronic entries will be shredded or otherwise permanently destroyed.
At the conclusion of service the worker will follow program standards for longer term storage or disposal of electronic and hard information.
Breaches in privacy
Clients, employees, volunteers or entities that feel there has been a breach in privacy have the right to complain using the agency complaints procedure.
Further information in addressing breaches in privacy may be obtained from the Office of the Victorian Privacy Commissioner.
Recourse to the agency performance management and disciplinary procedure is applicable to agency employees who are found to breach privacy requirements.