26. OVERARCHING AUSTRALIAN PRIVACY PRINCIPLES

Policy Statement

Alternate Care has a commitment to safeguard the confidentiality of any personal or health information collected with respect to service users, staff, Providers who deliver services to Alternate Care and approved Foster or Kinship Carers for Alternate Care.  Alternate Care has developed Procedures that protect privacy with regard to the collection, storage and disclosure of personal information and the rights of individuals to control how their personal information is collected and used.

 

Principles

Alternate Care is bound by the Information Privacy Act 2009 and the Australian Privacy Principles (APPs).  The Principles set out minimum standards in relation to the collection, use, storage and disclosure of all personal information that is collected.  Alternate Care will take all reasonable steps to protect the privacy of the personal information that it collects or uses or discloses and will ensure that children/young people’s records will not be transferred or stored overseas, including storing on overseas servers or cloud storage overseas.  The General Manager, after consultation with the CEO and Managing Director, will notify CYJMA as a matter of priority if Alternate Care knows or suspects that confidential information has been disclosed without CYJMA’s authorisation.

 

Authority

 

Policy Contents

27.1       Privacy Act Definitions

27.2       Collecting Personal and Health Information

27.3       Use and Disclosure of Health Information

27.4       Data Quality

27.5       Data Security

27.6       Openness

27.7       Access and Correction

27.8       Complaint Resolution

 

27.1       Privacy Act Definitions

27.1.1          Personal Information - means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

 

27.1.2    Health Information - information or an opinion about:

 

27.1.3          Health Service - means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

 

27.1.4          Sensitive Information - means information or an opinion about an individual's:

 

27.1.5          Notifiable Data Breaches:

•                  An eligible data breach happens if:

(a)       There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by Alternate Care;

(b)       The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and

(c)       The General Manager, or the CEO or Managing Director in the General Manager’s absence, must ensure CYJMA is advised as a matter of priority of any and all Notifiable Data Breaches.

•                  Alternate Care must give a notification if:

(a)            It has reasonable grounds to believe that an eligible data breach has happened; or

(b)       It is directed to do so by the Commissioner.

 

27.2       Collecting Personal and Health Information

Personal and health information about individuals is collected by Alternate Care as part of service delivery.  Specifically, such information may be collected and stored about:

 

Alternate Care will maintain the following approach to the collection of personal or health information:

 

The following will be met in the collection of personal or health information:

 

27.3       Use and Disclosure of Health Information

Alternate Care will apply the following:

 

This will include the following:

 

27.4       Data Quality

Alternate Care will take all reasonable steps to ensure that the personal or health information collected, used or disclosed is accurate, complete and up to date.

 

27.5       Data Security

Alternate Care will take all reasonable steps to protect the personal information held from misuse and loss, as well as from unauthorised access, modification or disclosure and destroy or permanently de-identify information that is no longer needed.  Alternate Care undertakes the following steps to safeguard data:

 

27.5.1          Physical Security:

 

27.5.2          Computer & Network Security:

 

27.5.3          Communications Security:

 

27.5.4          Destruction of Personal Information:

Alternate Care will ensure that any personal information no longer required is destroyed by secure means.  All paper-based records will be either shredded or removed by a security disposal company.  Electronic records will be deleted by the appropriate method.

 

27.5.5          Notifiable Data Breaches:

If Alternate Care is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of Alternate Care and is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the Alternate Care, the General Manager, after advising the CEO or Managing Director as a matter of priority, must:

(a)               Carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of Alternate Care; and

(b)               Take all reasonable steps to ensure that the assessment is completed within 30 days after Alternate Care becomes aware as mentioned in paragraph (1)(a).

 

If Alternate Care is aware that there are reasonable grounds to believe that there has been an eligible data breach of Alternate Care, the General Manager, in consultation with the CEO or Managing Director is to prepare a statement that:

(i)                            Complies with subsection 26WK(3) of the Privacy Amendment (Notifiable Data Breaches) Act 2017; and

(ii)                          Relates to the eligible data breach that Alternate Care has reasonable grounds to believe has happened.

 

The General Manager must then:

(a)               If it is practicable, to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or

(b)               If it is practicable, to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or

(c)                If neither paragraph (a) nor (b) applies:

(i)        Publish a copy of the statement on the Alternate Care’s website; and

(ii)       Take reasonable steps to publicise the contents of the statement.

 

The General Manager must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.

 

If Alternate Care normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method.  This subsection does not limit paragraph (2)(a) or (b).

 

27.6       Openness

Alternate Care will take reasonable steps to advise individuals what sort of personal information is held, for what purposes and how the information is collected, used and disclosed.

 

27.7       Access and Correction

27.7.1     It is important that personal information that Alternate Care holds is accurate, up-to-date and complete.  Alternate Care will ensure the following:

 

27.7.2     Access to personal information may be denied in some circumstances.  The General Manager will consult with the CEO and Managing Director who will seek legal advice where it is considered necessary and advise the General Manager where access is denied and communication in relation to this to the individual seeking access.  Where access to information is denied, the individual will be advised by the General Manager in writing of the reasons.

 

27.7.3     Access to information may be withheld in the following situations:

 

27.7.4     Staff can amend their personal information in accordance with the Alternate Care Human Resources Manual: Personal Information Management Policy.

 

27.7.5     Providers and Foster or Kinship Carers can amend the information held by Alternate Care in accordance with the Alternate Care Engagement of Providers & Foster Carers Manual: Personal Information Management Policy.

 

27.7.6     Alternate Care will take all reasonable steps to amend personal information that is not up-to-date, accurate or complete.  Amendments will be made in the form of an addition to the record rather than permanently erasing incorrect details.

 

27.8       Complaint Resolution

Where an individual has a complaint with regard to Alternate Care's handling of personal or health information, this complaint should be forwarded in writing to the General Manager by email to email/info)(alternatecare.com.au or by mail to PO Box 4654 Cairns, QLD 4870.  In consultation with the CEO or Managing Director, the General Manager, or their delegate shall investigate the basis of any complaint with reference to the Australian Privacy Principles and Alternate Care Policies and Procedures.  The General Manager, or their delegate, once approved by the CEO or Managing Director, shall respond to the individual within ten days regarding the outcome of the investigation and any actions being taken as a result.  The General Manager will ensure the complaint is recorded and filed on the Complaints Register.

 

For more information about privacy in general, you can visit the Office of the Australian Information Commissioner website at www.oaic.gov.au