Privacy and Information Management Policy and Procedure

POLICY STATEMENT

Sakura Allied Health is committed to protecting the privacy of our clients. We will comply with legislative requirements governing privacy of personal information. This includes having in place systems governing the appropriate collection, use, storage and disclosure of personal information, access to and correction and disposal of that information.

Sakura Allied Health is committed to complying with the privacy requirements of the Privacy Act 1988, the Australian Privacy Principles and the Privacy Amendment (Notifiable Data Breaches) Act 2017 as required by organisations providing disability services.

We are fully committed to complying with the consent requirements of the NDIS Quality and Safeguarding Framework and any relevant federal, state or territory requirements.

Our service will endeavour to ensure that all clients are satisfied that their personal information is kept private and only used for the intended purpose.

 

DEFINITIONS

'Personal information' means information (or an opinion) we hold (whether written or not) from which a person’s identity is either clear or can be reasonably determined.

‘Sensitive information’ is a particular type of personal information - such as health, race, sexual orientation or religious information.

 

PROCEDURE

Managing Privacy of Participant Information Storage

Participant information collected is kept in an individual participant record. Records are kept in electronic format. Where paper format exists, information needs to be transferred or scanned into the electronics record.

A participant record can include: personal information, clinical notes, investigations, correspondence from other healthcare providers, photographs, video footage.

A Firewall is used in the Sakura Allied Health computer system as a means of protecting information stored on the computer. Other security related procedures such as user access passwords also assist with the protection of information.

User access to all computers and mobile devices holding participant information is managed by passwords and automatic inactive logouts.

Any papers identifying a participant will be destroyed by shredding.

 

 

Sakura Allied Health are required to keep records for a minimum period of 7 years from the date of the last entry for people 18 years or more, and for individual less than 18 years of age, seven years from the date the person turns 18 i.e. aged 25.

Sakura Allied Health uses the cloud-based case management and reporting system, iinsight. iinsight uses a 2-step verification system to provide an additional layer of protection and their data bases are located in Australia. Please refer to their website for further information on data protection: https://www.iinsight.biz/

Sakura Allied Health uses Microsoft Office365 for Exchange, Sharepoint and Microsoft Teams. Sharepoint is used to store client information, including assessment and report forms. All data at rest is stored in Australia.

Zoom or Coviu is used for telehealth appointments where appropriate. Data in transit may be processed through international data centres.

 

Managing Privacy and Confidentiality Requirements of Participants

Sakura Allied Health refers to their Privacy Policy on the participant’s NDIS Service Agreement and on their website.

The Sakura Allied Health Consent Form includes the following consents:

·       Consent for sharing and obtaining Information

·       Consent for receiving services

·       Consent for photography

These consents are discussed with the participant and/or their decision maker in a way they can understand prior to the commencement of service.

Persons contacting Sakura Allied Health with an enquiry do not need to provide personal details. However, once a decision is made to progress utilising Sakura Allied Health, personal and sensitive information will need to be collected.

Sakura Allied Health may need to share pertinent participant information with other Allied Health Professionals to assist in determining support plans. Information is only shared to provide the best service possible and is only shared with those people whose Professional Codes of Ethics include privacy and confidentiality. Permission to share information is sought from the participant prior to the delivery of services and as required at other points of intervention as/if required.

Personal information is not disclosed to third parties outside of Sakura Allied Health, other than for a purpose made known to the participant and to which they have consented, or unless:

·       Is required or authorised by law, including under the NDIS Act.

·       Will prevent or lesson a serious or imminent threat to someone’s life or health or a threat to public safety.

·       We engage a contractor to provide some services and that contractor needs personal information of certain participants, providers, carers or other persons in order to perform that service for us.

Participants are informed there may be circumstances when the law requires Sakura Allied Health to share information without their consent. This information is included within the Service Agreement.

Sakura Allied Health will take reasonable steps to reduce the likelihood of a data breach occurring. Personal information will be securely stored and accessed only by relevant workers. If we know or suspect personal information has been accessed by unauthorised parties, we will take reasonable steps to reduce the chance of harm and advise involved participants and the Office of the Australian Information Commissioner of the breach.

 

Keeping Accurate Participant Information

Participants are informed of the need to provide us with up to date, accurate and complete information.

Sakura Allied Health staff update information on the participant record at the time of reviews or when they become aware of change in information.

Staff at Sakura Allied Health update the participant record as soon as practical after the delivery of services to ensure information is accurate and correct.

 

Using Participant Information for Other Purposes

Under no circumstances will Sakura Allied Health use personal details for purposes other than stated above, unless specific written consent is given by the participant or their representative.

 

Participant Access to Their Information

Participants have the right to access the personal information Sakura Allied Health holds about them. To do this, participants must contact the Director/s of Sakura Allied Health in writing via:

Email: admin@sakuraalliedhealth.com.au

Post: PO Box 11, New Lambton 2305

 

Management of a Privacy Complaint

If a person has a complaint regarding the way in which their personal information is being handled by Sakura Allied Health, in the first instance they are to contact the Director/s. The complaint will be dealt with as per the Feedback and Complaints Management Policy and Procedure. If the parties are unable to reach a satisfactory solution through negotiation, an independent mediator should be used (parties will bear their own costs). If mediation is unsuccessful the person may request an independent person such as the Office of the Australian Privacy Commissioner or the NDIS Quality and Safeguards Commission to investigate the complaint. Sakura Allied Health will provide every cooperation with this process.

 


 

RESPONSIBILITIES FOR IMPLEMENTATION OF THIS POLICY AND PROCEDURE

Management

To develop, maintain and review the Privacy Policy and ensure they understand their responsibility to protect the privacy of individuals’ personal information

To ensure that all Sakura Allied Health staff members are trained in privacy and confidentiality requirements

 

Staff

All Staff will undergo training related to Privacy and Confidentiality Requirements at the time of induction and then annually.

 

RELEVANT LEGISLATION

·      Privacy Act 1988

·      Privacy Amendment Act 2012

·      Australian Privacy Principles

·      NSW Quality Framework for Disability Services

·      Privacy Amendment (Notifiable Data Breaches) Act 2017

·      The Health Records and information Privacy Act 2002

·      National Disability Insurance Scheme Act 2013

 

LINKS TO OTHER BUSINESS SYSTEMS

·       Sakura Allied Health Feedback and Complaints Management Policy and Procedure

·       Sakura Allied Health Human Resources Policy and Procedure

 

DOCUMENTS

●      Sakura Allied Health Complaints Reporting Form

●      Sakura Allied Health Complaints Handout

●      Sakura Allied Health Induction Checklist

●      Sakura Allied Health Annual Education and Training Plan

 

 

 


 

APPENDIX 1: Summary of the 13 Australian Privacy Principles (APP)

 

APP 1 — Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 — Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9 — Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 — Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.