Privacy Policy

26. OVERARCHING AUSTRALIAN PRIVACY PRINCIPLES

Policy Statement

Alternate Care has a commitment to safeguard the confidentiality of any personal or health information collected with respect to service users, staff, Providers who deliver services to Alternate Care and approved Foster or Kinship Carers for Alternate Care. Alternate Care has developed Procedures that protect privacy with regard to the collection, storage and disclosure of personal information and the rights of individuals to control how their personal information is collected and used.

Principles

Alternate Care is bound by the Information Privacy Act 2009 and the Australian Privacy Principles (APPs). The Principles set out minimum standards in relation to the collection, use, storage and disclosure of all personal information that is collected. Alternate Care will take all reasonable steps to protect the privacy of the personal information that it collects or uses or discloses and will ensure that children/young people’s records will not be transferred or stored overseas, including storing on overseas servers or cloud storage overseas. The General Manager, after consultation with the CEO and Managing Director, will notify CYJMA as a matter of priority if Alternate Care knows or suspects that confidential information has been disclosed without CYJMA’s authorisation.

Authority

Child Protection Act 1999
Child Protection Regulation 2011
Freedom of Information Act
Information Privacy Act 2009
Privacy Amendment (Enhancing Privacy Protection) Act 2012
Privacy Amendment (Notifiable Data Breaches) Act 2017

Policy Contents

27.1 Privacy Act Definitions

27.2 Collecting Personal and Health Information

27.3 Use and Disclosure of Health Information

27.4 Data Quality

27.5 Data Security

27.6 Openness

27.7 Access and Correction

27.8 Complaint Resolution

27.1 Privacy Act Definitions

27.1.1 Personal Information - means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

27.1.2 Health Information - information or an opinion about:

The health or a disability (at any time) of an individual; or
An individual's expressed wishes about future provision of their health services; or
- A health service provided, or to be provided to an individual; or
- Other personal information collected to provide, or in providing, a health service; or
- Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

27.1.3 Health Service - means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

To assess, record, maintain or improve the individual's health; or
To diagnose the individual's illness or disability; or
To treat the individual's illness or disability or suspected illness or disability; or
The dispensing on prescription of a drug or medicinal preparation by a pharmacist.

27.1.4 Sensitive Information - means information or an opinion about an individual's:

Racial or ethnic origin; or
Political opinions, membership of a political association; or
Religious beliefs or affiliations; or
Philosophical beliefs; or
Membership of a professional or trade association or trade union; or
Sexual preferences or practices; or
Criminal record; or
That is also personal information; or
Health information about an individual.

27.1.5 Notifiable Data Breaches:

• An eligible data breach happens if:

(a) There is unauthorised access to, unauthorised disclosure of, or loss of personal information held by Alternate Care;

(b) The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and

(c) The General Manager, or the CEO or Managing Director in the General Manager’s absence, must ensure CYJMA is advised as a matter of priority of any and all Notifiable Data Breaches.

• Alternate Care must give a notification if:

(a) It has reasonable grounds to believe that an eligible data breach has happened; or

(b) It is directed to do so by the Commissioner.

27.2 Collecting Personal and Health Information

Personal and health information about individuals is collected by Alternate Care as part of service delivery. Specifically, such information may be collected and stored about:

Children/young people for whom Alternate Care receives funding to provide services; and
People engaged and seeking to be engaged by Alternate Care.

Alternate Care will maintain the following approach to the collection of personal or health information:

Alternate Care will only collect personal or health information with consent, except in specified circumstances including, but not limited to, emergencies, as required by law, or in circumstances relating to legal or equitable claims. Alternate Care may also collect personal information without consent, under special conditions, when providing a health service or when undertaking certain research or management activities;
Alternate Care will take reasonable steps to ensure that individuals are aware of certain matters, including, but not limited to, who is collecting the information, the fact that the individual is able to gain access to the information and the purposes for which the information is collected;
Alternate Care will only collect information necessary for the performance of the service's functions or activities; and
Alternate Care will collect information directly from the individual where this is reasonable and practical.

The following will be met in the collection of personal or health information:

Alternate Care will only collect necessary information such as required in service delivery;
Information will be collected with an individual’s expressed or implied consent;
In limited situations, information may be collected without the consent of the individual including but not limited to, where there is a serious or imminent threat to life or health or where information is required for management, research or statistical purposes and it is impractical to seek consent;
Where practical, individuals will be advised at the time of collection and how information will be handled;
Information will be collected lawfully, fairly and non-intrusively; and
Information will be collected about an individual from the individual where reasonably practical to do so.

27.3 Use and Disclosure of Health Information

Alternate Care will apply the following:

Alternate Care will only use or disclose personal information for the primary purpose for which it was collected, or for directly related secondary purposes if these fall within the reasonable expectations of the individual, unless another exception under this principle applies; and
Alternate Care will only use or disclose personal information in other ways if the individual gives consent (whether expressed or implied), or if one of the exceptions to this principle applies. The exceptions include, but are not limited to, uses or disclosures required or authorised by law, those necessary to prevent or lessen a serious or imminent threat to someone's life, health or safety, or for research, provided certain conditions are met.

This will include the following:

Personal information is used for the primary purpose disclosed to the individual or directly related secondary purposes;
Sensitive information used for learning, development and education purposes requires consent;
Personal information will not be disclosed to the media without consent;
Personal information may be transferred to another service provider upon request;
Personal information may be disclosed for the purposes of investigating suspected unlawful activity;
Information may be used or disclosed as required or authorised by law; and
Where an individual is incapable of giving or communicating consent, information can be disclosed to a person responsible – e.g., partner, family member or approved Foster or Kinship Carer.

27.4 Data Quality

Alternate Care will take all reasonable steps to ensure that the personal or health information collected, used or disclosed is accurate, complete and up to date.

27.5 Data Security

Alternate Care will take all reasonable steps to protect the personal information held from misuse and loss, as well as from unauthorised access, modification or disclosure and destroy or permanently de-identify information that is no longer needed. Alternate Care undertakes the following steps to safeguard data:

27.5.1 Physical Security:

Paper records containing personal information are filed in lockable filing cabinets accessible only to authorised individuals;
Offices are required to adopt a "clear desk" approach to ensure personal, health and sensitive information is never left unattended on desks or computer screens; and
Procedural measures exist with regard to filing and building security.

27.5.2 Computer & Network Security:

Access control for authorised users including passwords and limiting access to shared network drives to authorised individuals;
Virus checking;
Backup Procedures; and
Network security - firewalls, routers, network intrusion detection systems, host detection systems.

27.5.3 Communications Security:

Internet and electronic banking security Procedures exist.

27.5.4 Destruction of Personal Information:

Alternate Care will ensure that any personal information no longer required is destroyed by secure means. All paper-based records will be either shredded or removed by a security disposal company. Electronic records will be deleted by the appropriate method.

27.5.5 Notifiable Data Breaches:

If Alternate Care is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of Alternate Care and is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the Alternate Care, the General Manager, after advising the CEO or Managing Director as a matter of priority, must:

(a) Carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of Alternate Care; and

(b) Take all reasonable steps to ensure that the assessment is completed within 30 days after Alternate Care becomes aware as mentioned in paragraph (1)(a).

If Alternate Care is aware that there are reasonable grounds to believe that there has been an eligible data breach of Alternate Care, the General Manager, in consultation with the CEO or Managing Director is to prepare a statement that:

(i) Complies with subsection 26WK(3) of the Privacy Amendment (Notifiable Data Breaches) Act 2017; and

(ii) Relates to the eligible data breach that Alternate Care has reasonable grounds to believe has happened.

The General Manager must then:

(a) If it is practicable, to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or

(b) If it is practicable, to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or

(i) Publish a copy of the statement on the Alternate Care’s website; and

(ii) Take reasonable steps to publicise the contents of the statement.

The General Manager must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.

If Alternate Care normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

27.6 Openness

Alternate Care will take reasonable steps to advise individuals what sort of personal information is held, for what purposes and how the information is collected, used and disclosed.

27.7 Access and Correction

27.7.1 It is important that personal information that Alternate Care holds is accurate, up-to-date and complete. Alternate Care will ensure the following:

Children/young people can have access to their personal information in accordance with the Alternate Care Standard Operating Procedures Manual: Personal Information Management Policy;
Staff, Providers and approved Foster or Kinship Carers can request to access the personal information that Alternate Care holds. All such requests must be referred to the General Manager who will immediately consult with the CEO and Managing Director. Alternate Care reserves the right to recover any costs associated with a request to access information. Such costs may include:
Costs involved by individuals in locating and collating information;
Reproduction costs; and
Costs involved in having someone explain information to an individual.

27.7.2 Access to personal information may be denied in some circumstances. The General Manager will consult with the CEO and Managing Director who will seek legal advice where it is considered necessary and advise the General Manager where access is denied and communication in relation to this to the individual seeking access. Where access to information is denied, the individual will be advised by the General Manager in writing of the reasons.

27.7.3 Access to information may be withheld in the following situations:

Where access would pose a serious threat to the life or health of an individual;
Where the privacy of others may be affected;
Where it is deemed that the request is frivolous or vexatious;
Where access to information would prejudice any negotiations;
Where access is unlawful;
As required or authorised by or under law;
Where access is a matter of law enforcement or national security; and
Where information is commercially sensitive.

27.7.4 Staff can amend their personal information in accordance with the Alternate Care Human Resources Manual: Personal Information Management Policy.

27.7.5 Providers and Foster or Kinship Carers can amend the information held by Alternate Care in accordance with the Alternate Care Engagement of Providers & Foster Carers Manual: Personal Information Management Policy.

27.7.6 Alternate Care will take all reasonable steps to amend personal information that is not up-to-date, accurate or complete. Amendments will be made in the form of an addition to the record rather than permanently erasing incorrect details.

27.8 Complaint Resolution

Where an individual has a complaint with regard to Alternate Care's handling of personal or health information, this complaint should be forwarded in writing to the General Manager by email to email/info)(alternatecare.com.au or by mail to PO Box 4654 Cairns, QLD 4870. In consultation with the CEO or Managing Director, the General Manager, or their delegate shall investigate the basis of any complaint with reference to the Australian Privacy Principles and Alternate Care Policies and Procedures. The General Manager, or their delegate, once approved by the CEO or Managing Director, shall respond to the individual within ten days regarding the outcome of the investigation and any actions being taken as a result. The General Manager will ensure the complaint is recorded and filed on the Complaints Register.

For more information about privacy in general, you can visit the Office of the Australian Information Commissioner website at www.oaic.gov.au