Introduction

Decent Care is committed to safeguarding the confidentiality of personal or sensitive information collected about the people they support. Decent Care respect and protect participant's and team member’s dignity and right to privacy. Each person is advised of the confidentiality policies using the language, mode of communication, and terms they are most likely to understand. Decent Care has developed specific procedures to effectively manage personal information, including sensitive information, in the context of the services provided.

Scope

All management, team members, contractors, students, and volunteers of Decent Care have a responsibility to ensure that personal information is handled according to this policy and that they are bound by their commitment to confidentiality.

Principles

Decent Care is respectful of participants' information and participants' right to privacy. Decent Care strives to achieve the safest and most highly protected methods of securing information to protect the privacy of participants and team members (see also Information Management Policy and Procedure).

Legislative context
Decent Care abides by its record-keeping obligations. Legislation that relates to privacy is:

• Privacy Act 1988
• Public Records Act 1973
• National Security Legislation Amendment Act (no.1) 2014
• Privacy Amendment (Private Sector) Act 2000
• National Privacy Principles (2001)
• NDIS (Protection and Disclosure of Information) Rules 2013

Policy

This policy sets out how Decent Care complies with obligations under the Privacy Act 1988, including the Australian Privacy Principles, to ensure legal and ethical obligations are met to respect the rights and privacy of participants and team members. This policy regulates how Decent Care collects, uses, and discloses personal information. It also details how individuals may access that information as required.

Collecting and holding personal information
Decent Care will take all reasonable steps to ensure that the personal and/or sensitive information it collects, uses or discloses is accurate, complete and up to date. Personal or sensitive information about participants will only be collected when it is directly relevant and needed to provide support services to that person or where Decent Care is required to collect that information.

Procedure

Decent Care has procedures to allow participants and team members to access information stored about them, update and or amend their information on file.

Information generally collected about a person includes:
Personal information collected and held may include, but is not limited to name, date of birth, gender, address, residency status, contact number, email address, emergency contact details, NDIS plan, audio/visual information and cultural background. Information may also include specific behaviour support needs or medication requirements. Decent Care also hold progress notes that outline each participants activities and observations during support.

Health information collected may include:

• Medical information, when this is collected or used in connection with delivering services to participants, or to understand any impacts it may have on the individual
• Information generated by a health service provider, such as management plans, medication and any professional advice about a participant and their health.

Decent Care may collect personal information:

• Directly from the participant – verbally or in writing and is recorded
• From third parties, such as medical practitioners, government agencies, a participant's representatives, carer, and other health service providers
• From participant referrals

Decent Care will:

• Explain what information will be collected and why including recorded material in audio/and or visual format
• Obtain consent from the participant during the intake process to collect information as required
• Collect information necessary to support a role, functions or activities within Decent Care services
• Collect sensitive information directly from the person if it is reasonable and practicable to do so
• Use fair and lawful ways to collect sensitive information, and not in an intrusive manner

Who collects this information?
Decent Care team members collect personal and sensitive information within their normal duties and for the organisation's use. Decent Care generally collects personal and sensitive information directly from the relevant person through standard forms, over the internet, via email, face-to-face meetings, or telephone conversations. With the person's consent, Decent Care may collect personal and sensitive information from third-party contractors or agents and government instrumentalities involved in providing services.

Collection of personal information – Decent Care team members
All information supplied by team members will be placed on their personnel file, which may be held in both electronic and hard copy format. Both formats are securely held, with access only available to the Managing Directors or third-party assessors for audit purposes.

Why is personal information collected?
Participant's personal information is used to:

• Assess and provide the services that are required
• Administer and manage those services
• Evaluate and improve the services offered
• Contact family, carers, or other third parties as and if required
• Meet obligations required for compliance
• Analyse services and participant needs with a view to developing new or improved services.

Team members or potential team member's information is used to:

• Assess employment applications
• Obtain and monitor screening requirements
• Process payment of salaries and meet legislative obligations such as the payment of superannuation and taxation
• Provide duty of care in employment
• Contact family, carers, or other third parties as and if required
• Ensure personnel hold a current driver's licence and private motor vehicle registration as required to perform roles.

If Decent Care is not able to obtain personal information, it may limit their ability to provide a quality service or meet duty of care and legislative responsibilities as an employer and service provider.

Disclosing personal information
Decent Care will uphold a participants' right to privacy and confidentiality to the extent that it does not impose a serious risk to the participant or others. As above, Decent Care may disclose participants' personal information to other people or organisations with the participant's consent.
This may include disclosure to:

• Medical and allied health service providers
• A 'person responsible' if the participant is unable to give or communicate consent. In some instances, verbal consent from a Person Responsible may be necessary and will be documented
• The participant's authorised representative/s e.g. legal adviser
• Decent Care professional advisers (e.g. lawyers, accountants, auditors).

Consent is not required for release of information to:

• Government and regulatory authorities where harm is present
• When required or authorised by law or related to a criminal issue.

Where there is uncertainty as to the direct benefit of the release of information which does not remove the names of individuals and or other identifying characteristics such as a home address, or there is doubt that individuals would not consent to the release of information Decent Care will seek approval from the concerned people or the designated person responsible before the release of the information.

Accessing personal information
Team members and participants can request and be granted access to their personal information, subject to exceptions allowed by law. Any requests for access to personal information must state what information is to be accessed and how they wish to access the information. A request to access personal information should be forwarded to the Program Manager of the program in which the participant is accessing, the request should be made in writing where possible. Should the Program Manager or Managing Directors decide that access to personal information will not be provided, they must put the reasons for the refusal and the mechanisms available to complain in writing to the team member or participant within 30 days of receipt of the request. Should access be granted, the Program Manager must contact either the team member or participant and arrange for access to their personal information, based on the method of access requested within 30 days of receipt of the request. Should Decent Care not be able to provide the data in the method requested, the Program Manager is to discuss with the team member or participant, alternative methods available to access their personal information.

Photographs and videos
Photographs and videos are classified as personal information under privacy legislation. Upon commencement, team members will be asked to complete a consent form regarding the use of photos, videos and social media which may involve them. Consent will also be sought from participants on each individual occasion where any media is likely to be shared, ensuring that the participant understands and agrees to what will be shared in what kind of format.

Breach of privacyWhere Decent Care become aware of a breach of privacy, the relevant Program Manager will immediately assess the incident to determine if it is likely to result in serious harm to the individual. Where it is likely, Decent Care will immediately notify the Office of the Australian Information Commissioner Notifiable data breaches — OAIC where:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
• this is likely to result in serious harm to one or more individuals, and
• Decent Care has not been able to prevent the likely risk of serious harm with remedial action

Training
All team members are trained in Privacy and Confidentiality procedures during their induction. On completion of training, a Code of Conduct is signed as a commitment to maintaining confidentiality when undertaking a role for Decent Care.

Responsibilities

The Managing Directors are responsible for:

• Maintaining this policy its related procedures and associated documents.
• Ensuring the policy is effectively implemented across the service
• Providing access to participant or team information where the person has requested it.

Program Managers are responsible for

• Monitor team members compliance with the requirements of the policy
• Ensure training and information is provided to team members to ensure participants are advised of their right to privacy and information is managed in line with the Information Management Policy
• Ensuring that all participants are explained their right to privacy and sign a consent form
• Providing access to participant or team information where the person has requested it.

Team members and students are responsible for:

• Ensuring ongoing security of participant information when accessing, storing, retrieving or disposing of participant information.
• Reminding participants of their right to privacy
• Not discussing participant information outside of their role requirements
• Documenting and notifying their Program Manager of any suspected instances where a breach of confidentiality has occurred.

Related Policies and Documents

• Information Management Policy and Procedure
• Risk Management Policy and Procedure
• Consent Form
• Media Release Form
• Complaints and Feedback Policy and Procedure
• Human Resources Policy and Procedure
• Code of Conduct