Privacy and Information Policy and Procedures
1. Policy
ACE OT will comply with the Privacy Act 1988 and the Privacy Amendment Act 2012 to protect the privacy of individuals' personal information and the Victorian Health Records Act 2001.This includes having in place systems governing the appropriate collection, use, storage and disclosure of personal information, access to and correction and disposal of that information.
a. Outcome
Compliance with legislative requirements governing privacy of personal information. All ACE OT participants are satisfied that their personal information is kept private and only used for the intended purpose.
b. Background
The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of personal information about individuals by private sector organisations. Amendments were made to this legislation in 2012 (the Privacy Amendment Act 2012) which updates the Australian Privacy Principles (APP) and came into effect in March 2014. The amendment requires an organisation to explicitly state how they will adhere to the APP and inform their participants on how their privacy will be protected. The APP cover the collection, use, storage and disclosure of personal information, and access to and correction of that information. The APP are summarised in Appendix 1 of this document.
The Health Records Act 2001 (Victorian) creates a framework to protect the privacy of individuals’ health information. It regulates the collection and handling of health information in both public and private sector organisations in Victoria. The objectives of the Act are to; ensure responsible handling of health information; balance the public interest in protecting privacy with the public interest in the legitimate use of information; enhance the ability of individuals to be informed about their health care; and promote the provision of quality health services. The Victorian Health Privacy Principles (HPP) are summarised in Appendix 2 of this document.
c. Definitions
'Personal information' means information (or an opinion) we hold (whether written or not) from which a person’s identity is either clear or can be reasonably determined. ‘Sensitive information’ is a particular type of personal information - such as health, race, sexual orientation or religious information.
2. Procedure
This policy and procedure will be reviewed annually. Further review and updating, if required, of procedures to occur if an incident occurs (refer to Incident and Complaint Management Policies).
a. Ensuring all ACE OT Staff Understand Privacy and Confidentiality Requirements
§ The manager of ACE OT will review their Privacy Policy annually and ensure they understand their responsibility to protect the privacy of individuals' personal information.
§ Staff will undergo training related to Privacy and Confidentiality Requirements at the time of induction and then annually.
§ Annual training will include the General Code of Conduct, Health Records Act 2001, and Privacy in Practice. For full details review ACE OT Annual Training Plan.
b. Managing Privacy of Participant Information Storage
§ Participant information collected is kept in an individual participant record.
§ Each participant record has a unique identification number
§ A participant record includes: personal information • clinical notes • investigations • correspondence from other healthcare providers • photographs • video footage, reports
§ A Firewall is used in the ACE OT computer system as a means of protecting information stored on the computer. ACE OT will complete schedule updates on their computer system to ensure up to date viral protection. Other security related procedures such as user access passwords, multi-factorial authentication also assist with the protection of information.
§ Paper records are kept in locked filing cabinet.
§ Participant information is stored for seven years post the date of last discharge. In the case of participants aged under 18 years, information is kept until their 25th birthday and 7 years post discharge.
§ Participant related information, or any papers identifying a participant are destroyed by shredding and deleting from the computer and all databases.
§ User access to all computers and mobile devices holding participant information is managed by passwords and automatic inactive logouts.
c. Managing Privacy and Confidentiality Requirements of Participants
§ ACE OT refers to their Privacy Policy on the participant’s NDIS Service Agreement.
§ Persons contacting ACE OT with an enquiry do not need to provide personal details. However, once a decision is made to progress to utilising ACE OT services, personal and sensitive information will need to be collected.
§ ACE OT may need to share pertinent participant information with other professional Allied Health Professional at the time of case conferencing or when determining support plans. Information is only shared in order to provide the best service possible and is only shared with those people whose Professional Codes of Ethics include privacy and confidentiality. Permission to share information is sought from the participant prior to the delivery of services and as required at other points of intervention as / if required.
§ Personal information is not disclosed to third parties outside of ACE OT, other than for a purpose made known to the participant and to which they have consented, or unless required by law.
§ Participants are informed there may be circumstances when the law requires ACE OT to share information without their consent.
§ The NDIS Service Agreement includes 5 Consents plus other pertinent consents to your organisation:
I. Consent for sharing and obtaining Information,
II. Consent for receiving services,
III. Consent for photography,
IV. Consent to participate in Participant Satisfaction Surveys,
V. Consent to participate in Quality Management Activities
These consents are discussed with the participant and /or their decision maker in a way they can understand prior to the commencement of service.
d. Keeping Accurate Participant Information
Participants are informed of the need to provide us with up to date, accurate and complete information. ACE OT staff update information on the participant record at the time of reviews or when they become aware of change in information. OT staff at ACE OT update the participant record as soon as practical after the delivery of services to ensure information is accurate and correct.
e. Using Participant Information for Other Purposes
Under no circumstances will ACE OT use personal details for purposes other than stated above, unless specific written consent is given by the participant or their representative.
f. Participant Access to Their Information
Participants have the right to access the personal information ACE OT holds about them. To do this, participants must contact the Manager of ACE OT.
g. Management of a Privacy Complaint
If a person has a complaint regarding the way in which their personal information is being handled by ACE OT, in the first instance they are to contact ACE OT. The complaint will be dealt with as per the Complaints Management Policy. If the parties are unable to reach a satisfactory solution through negotiation, the person may request an independent person (such as the Office of the Australian Privacy Commissioner), the NDIS Quality and Safeguards Commission or the Health Complaints Commissioner to investigate the complaint. ACE OT will provide every cooperation with this process.
Reference
· Rights and Privacy Principles
Appendix 1: Summary of the 13 Australian Privacy Principles
APP 1 — Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
APP 2 — Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3 — Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5 — Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6 — Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7 — Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 — Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9 — Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 — Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 — Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 — Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 — Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
Appendix 2: Summary of the 11 Victorian Health Privacy Principles
HPP 1 – Collection
Collect only personal information that is necessary for performance of functions. Advise individuals that they can gain access to their personal information.
HPP 2 – Use and Disclosure
Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.
HPP 3 – Data Quality
Make sure personal information is accurate, complete and up to date.
HPP 4 – Data Security and Retention
Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
HPP 5 – Openness
Document clearly expressed policies on management of personal information and provide the policies to anyone who asks.
HPP 6 – Access and Correction
Individuals have a right to access their personal information and make corrections. Access and correction will be handled mostly under the Victorian Freedom of Information Act.
HPP 7 – Identifiers
Only assign a number to identify a person if this is reasonably necessary to carry out your functions efficiently. Sharing of unique identifiers must be limited, as they can facilitate data matching and diminish privacy.
HPP 8 – Anonymity
Give individuals the option of not identifying themselves when entering transactions with organisations if it is lawful and feasible.
HPP 9 – Transborder data flows
Only transfer health information outside Victoria if the organisation receiving it is subject to laws substantially similar to Victoria’s. If a person’s personal information travels, their privacy protection should travel with it.
HPP 10 – Transfer/closure of a health service
If you are a health service provider, and your business or practice is being sold, transferred or closed down, without you continuing to provide services, you must give notice of the transfer or closure to past service users
HPP 11 – Making information available to another health service provider
If you are a health service provider you must make health information relating to an individual available to another health service provider if requested by the individual.