26. OVERARCHING AUSTRALIAN PRIVACY PRINCIPLES
Policy Statement
Alternate Care has a commitment to safeguard the confidentiality of any personal or health information collected with respect to service users, staff, Providers who deliver services to Alternate Care and approved Foster or Kinship Carers for Alternate Care. Alternate Care has developed Procedures that protect privacy with regard to the collection, storage and disclosure of personal information and the rights of individuals to control how their personal information is collected and used.
Principles
Alternate Care is bound by the Information Privacy Act 2009 and the Australian Privacy Principles (APPs). The Principles set out minimum standards in relation to the collection, use, storage and disclosure of all personal information that is collected. Alternate Care will take all reasonable steps to protect the privacy of the personal information that it collects, uses or discloses, and will ensure that children/young people’s records will not be transferred or stored overseas, including storage on overseas servers or overseas cloud storage. The COO, after consultation with the CEO and Managing Director, will notify the Department of Children, Youth Justice and Multicultural Affairs (CYJMA) immediately if Alternate Care knows or suspects that confidential information has been disclosed without CYJMA’s authorisation.
Authority
- Child Protection Act 1999
- Child Protection Regulation 2011
- Freedom of Information Act
- Information Privacy Act 2009
- Privacy Amendment (Enhancing Privacy Protection) Act 2012
- Privacy Amendment (Notifiable Data Breaches) Act 2017
Policy Contents
- 26.1 Privacy Act Definitions
- 26.2 Collecting Personal and Health Information
- 26.3 Use and Disclosure of Health Information
- 26.4 Data Quality
- 26.5 Data Security
- 26.6 Openness
- 26.7 Access and Correction
- 26.8 Complaint Resolution
26.1 Privacy Act Definitions
- 26.1.1 Personal Information - means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
- 26.1.2 Health Information - means information or an opinion about:
  - The health or a disability (at any time) of an individual; or
  - An individual's expressed wishes about future provision of their health services; or
  - A health service provided, or to be provided, to an individual; or
  - Other personal information collected to provide, or in providing, a health service; or
  - Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.
- 26.1.3 Health Service - means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
  - To assess, record, maintain or improve the individual's health; or
  - To diagnose the individual's illness or disability; or
  - To treat the individual's illness or disability or suspected illness or disability; or
  - The dispensing on prescription of a drug or medicinal preparation by a pharmacist.
- 26.1.4 Sensitive Information - means:
  - Information or an opinion about an individual's:
    - Racial or ethnic origin; or
    - Political opinions or membership of a political association; or
    - Religious beliefs or affiliations; or
    - Philosophical beliefs; or
    - Membership of a professional or trade association or trade union; or
    - Sexual preferences or practices; or
    - Criminal record;
    that is also personal information; or
  - Health information about an individual.
- 26.1.5 Notifiable Data Breaches:
  - An eligible data breach happens if:
    - There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by Alternate Care; and
    - The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
  - Alternate Care must give a notification if:
    - It has reasonable grounds to believe that an eligible data breach has happened; or
    - It is directed to do so by the Commissioner.
26.2 Collecting Personal and Health Information
Personal and health information about individuals is collected by Alternate Care as part of service delivery. Specifically, such information may be collected and stored about:
- Children/young people for whom Alternate Care receives funding to provide services; and
- People engaged and seeking to be engaged by Alternate Care.
Alternate Care will maintain the following approach to the collection of personal or health information:
- Alternate Care will only collect personal or health information with consent, except in specified circumstances including, but not limited to, emergencies, as required by law, or in circumstances relating to legal or equitable claims. Alternate Care may also collect personal information without consent, under special conditions, when providing a health service or when undertaking certain research or management activities;
- Alternate Care will take reasonable steps to ensure that individuals are aware of certain matters, including, but not limited to, who is collecting the information, the fact that the individual is able to gain access to the information and the purposes for which the information is collected;
- Alternate Care will only collect information necessary for the performance of the service's functions or activities; and
- Alternate Care will collect information directly from the individual where this is reasonable and practical.
The following will be met in the collection of personal or health information:
- Alternate Care will only collect information that is necessary for service delivery;
- Information will be collected with the individual's express or implied consent;
- In limited situations, information may be collected without the consent of the individual, including but not limited to where there is a serious or imminent threat to life or health, or where information is required for management, research or statistical purposes and it is impractical to seek consent;
- Where practical, individuals will be advised, at the time of collection, how the information will be handled;
- Information will be collected lawfully, fairly and non-intrusively; and
- Information about an individual will be collected from that individual where it is reasonably practical to do so.
26.3 Use and Disclosure of Health Information
Alternate Care will apply the following:
- Alternate Care will only use or disclose personal information for the primary purpose for which it was collected, or for directly related secondary purposes if these fall within the reasonable expectations of the individual, unless another exception under this principle applies; and
- Alternate Care will only use or disclose personal information in other ways if the individual gives consent (whether expressed or implied), or if one of the exceptions to this principle applies. The exceptions include, but are not limited to, uses or disclosures required or authorised by law, those necessary to prevent or lessen a serious or imminent threat to someone's life, health or safety, or for research, provided certain conditions are met.
This will include the following:
- Personal information is used for the primary purpose disclosed to the individual or directly related secondary purposes;
- Sensitive information used for learning, development and education purposes requires consent;
- Personal information will not be disclosed to the media without consent;
- Personal information may be transferred to another service provider upon request;
- Personal information may be disclosed for the purposes of investigating suspected unlawful activity;
- Information may be used or disclosed as required or authorised by law; and
- Where an individual is incapable of giving or communicating consent, information can be disclosed to a person responsible – e.g. partner, family member or approved Foster or Kinship Carer.
26.4 Data Quality
Alternate Care will take all reasonable steps to ensure that the personal or health information collected, used or disclosed is accurate, complete and up-to-date.
26.5 Data Security
Alternate Care will take all reasonable steps to protect the personal information held from misuse and loss, as well as from unauthorised access, modification or disclosure and destroy or permanently de-identify information that is no longer needed.
Alternate Care undertakes the following steps to safeguard data:
- 26.5.1 Physical Security:
  - Paper records containing personal information are filed in lockable filing cabinets accessible only to authorised individuals;
  - Offices are required to adopt a "clear desk" approach to ensure personal, health and sensitive information is never left unattended on desks or computer screens; and
  - Procedural measures exist with regard to filing and building security.
- 26.5.2 Computer & Network Security:
  - Access control for authorised users, including passwords and limiting access to shared network drives to authorised individuals;
  - Virus checking;
  - Backup Procedures; and
  - Network security - firewalls, routers, network intrusion detection systems and host-based intrusion detection systems.
- 26.5.3 Communications Security:
  - Internet and electronic banking security Procedures exist.
- 26.5.4 Destruction of Personal Information:
  - Alternate Care will ensure that any personal information no longer required is destroyed by secure means. All paper-based records will be either shredded or removed by a security disposal company. Electronic records will be deleted by the appropriate method.
- 26.5.5 Notifiable Data Breaches:
  - If Alternate Care is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of Alternate Care, but is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of Alternate Care, the COO, after immediately advising the CEO or Managing Director, must:
    - carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of Alternate Care; and
    - take all reasonable steps to ensure that the assessment is completed within 30 days after Alternate Care becomes aware as mentioned in paragraph (1)(a).
  - If Alternate Care is aware that there are reasonable grounds to believe that there has been an eligible data breach of Alternate Care, the COO, in consultation with the CEO or Managing Director, is to prepare a statement that:
    - complies with subsection 26WK(3) of the Privacy Amendment (Notifiable Data Breaches) Act 2017; and
    - relates to the eligible data breach that Alternate Care has reasonable grounds to believe has happened.
  - The COO must then:
    - if it is practicable to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of those individuals; or
    - if it is practicable to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of those individuals; or
    - if neither paragraph (a) nor (b) applies:
      - publish a copy of the statement on Alternate Care’s website; and
      - take reasonable steps to publicise the contents of the statement.
  - The COO must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.
  - If Alternate Care normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).
26.6 Openness
Alternate Care will take reasonable steps to advise individuals what sort of personal information is held, for what purposes and how the information is collected, used and disclosed.
26.7 Access and Correction
Alternate Care will ensure the following:
- Alternate Care will give an individual access to their personal information if they complete and submit to Alternate Care a Request to Access Details form, unless particular circumstances apply that allow Alternate Care to deny access or to limit the extent to which access is given - these circumstances include where there is a serious threat to life or health, specific business imperatives and occasions relating to law enforcement or other public interest matters;
- Alternate Care will withhold access as required by law; and
- Alternate Care will reasonably correct personal information at the request of the individual.
There are a number of ways in which Alternate Care may give access to personal information. These include:
- Allowing the individual to inspect the information held;
- Providing a photocopy of information requested;
- Allowing the individual to take notes on the content of the record;
- Providing a printout of electronic information;
- Faxing the requested information; and
- Providing an accurate summary of the information.
When processing a Request to Access Details form, the identity of the person making the request must be verified by Alternate Care.
Alternate Care reserves the right to recover any costs associated with a Request to Access information. Such costs may include:
- Costs involved by individuals in locating and collating information;
- Reproduction costs; and
- Costs involved in having someone explain information to an individual.
Access to information may be withheld in the following situations:
- Where access would pose a serious threat to the life or health of an individual;
- Where the privacy of others may be affected;
- Where it is deemed that the request is frivolous or vexatious;
- Where access to information would prejudice any negotiations;
- Where access is unlawful;
- As required or authorised by or under law;
- Where access is a matter of law enforcement or national security; and
- Where information is commercially sensitive.
Where access to information is denied, the individual will be advised in writing of the reasons.
Alternate Care will take all reasonable steps to amend personal information that is not up-to-date, accurate or complete. Amendments will be made in the form of an addition to the record rather than permanently erasing incorrect details.
26.8 Complaint Resolution
Where an individual has a complaint with regard to Alternate Care's handling of personal or health information, the complaint should be forwarded in writing to the COO by email to or by mail to PO Box 4654 Cairns, QLD 4870. In consultation with the CEO or Managing Director, the COO, or their delegate, shall investigate the basis of any complaint with reference to the Australian Privacy Principles and Alternate Care Policies and Procedures. The COO, or their delegate, once approved by the CEO or Managing Director, shall respond to the individual within ten days regarding the outcome of the investigation and any actions being taken as a result. The COO will ensure the complaint is recorded and filed on the Complaints Register.
For more information about privacy in general, you can visit the Office of the Australian Information Commissioner website at www.oaic.gov.au