Privacy & Confidentiality Policy
1.0 INTRODUCTION
CORE is committed to protecting and maintaining the privacy, accuracy and security of clients,
staff and volunteers’ personal information. We will use all reasonable efforts to protect the
privacy of individuals’ personal information and to comply with the obligations imposed by the
Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APP), the Aged Care Act and
the Aged Care Principles.
2.0 PURPOSE
2.1 Scope
This policy assists all people having access to information held by CORE to understand the
requirements for keeping information private and confidential, and assists CORE to
meet Commonwealth and State legislative requirements. It will also assist in meeting ethical
and industry standards in the collection, use, exchange, storage and disposal of
information. This policy applies to all staff (paid staff, contracted agency staff and
volunteers) as well as Board members.
The purpose of this policy and procedure is to:
2.1.1 ensure personal information is managed in an open and transparent way
2.1.2 protect the privacy of personal information, including Health Information (see 15.
Definitions : Health Information) of clients and staff
2.1.3 provide for the fair collection and handling of personal information
2.1.4 ensure that personal information we collect is used and disclosed for relevant
purposes only
2.1.5 regulate the access to and correction of personal information
2.1.6 ensure the confidentiality of personal information through appropriate storage
and security
2.2 Responsibilities
2.2.1 The Board of CORE is responsible for the establishment of this policy
2.2.2 The CEO and Management Team are responsible for implementing this policy
2.2.3 Board members, paid staff, volunteers and contractors are to ensure they adhere to
this policy
3.0 GENERAL POLICY STATEMENTS
3.1 If it is reasonable and practicable to do so, CORE will collect personal information about
an individual only from that individual
3.2 In meeting obligations with respect to the privacy of clients, CORE will acknowledge that
people with additional needs including vision or hearing impairments, and those of
culturally and linguistically diverse backgrounds may require special consideration
3.3 CORE will display the Privacy Collection Statement and provide it to any individual client
that requests it
Privacy & Confidentiality – Policy
CORE Community Services
Updated: 20/06/2015 Electronic version in P drive is controlled. Printed copies are uncontrolled.
Version: 01 Risk Management : Privacy & Confidentiality Policy Page 2 of 15
4.0 COLLECTION OF INFORMATION
4.1 Purpose of collection of Personal Information
CORE will only collect Personal Information (see 15. Definitions : Personal Information)
about an individual by fair and lawful means and only if the information is necessary for
one or more of our functions as a services provider, and collection of the Personal
Information is necessary to:
4.1.1 comply with the provisions of state or commonwealth law
4.1.2 provide data to government agencies to comply with state, commonwealth law
4.1.3 determine eligibility to entitlements provided under state or commonwealth laws
4.1.4 provide appropriate services and care
4.1.5 enable contact with a nominated person regarding a client’s health status
4.1.6 lawfully liaise with a nominated representative and to contact family if requested
or needed
4.2 Not providing information
Some individuals may choose not to provide information to CORE. The information
requested is relevant to providing them with the care and services they need. If the
individual chooses not to provide CORE with some or all of the requested information,
CORE may not be able to provide them with the care and services they require
4.3 Anonymity
CORE accepts the right of individuals to deal with us anonymously if it is lawful and
practicable to do so
4.4 Collection of Sensitive Information
CORE will not collect Sensitive Information, including Health Information, (see 15.
Definitions : Sensitive Information; Health Information) unless the collection of the
information is necessary for, or directly related to, one or more of our functions and:
4.4.1 An individual has consented to the collection of this information; or
4.4.2 the collection of the information is required or authorised by or under an
Australian law or a court/tribunal order; or
4.4.3 a permitted general situation exists in relation to the collection of the information (see 15.
Definitions : General situation); or
4.4.4 a permitted health situation exists in relation to the collection of the information
(see 15. Definitions : Health situation); or
4.4.5 we are a non-profit organisation and:
• the information relates to our activities; and
• the information relates only to the members of the organisation, or to
individuals who have regular contact with us and our activities.
5.0 METHODS OF COLLECTION
5.1 Personal and Sensitive Information
Personal Information and Sensitive Information (including Health Information), (see 15.
Definitions : Personal Information; Sensitive Information; Health Information) may be
collected:
5.1.1 from a client;
5.1.2 from any person or organisation that assesses health status or care requirements,
for example the Aged Care Assessment Team;
5.1.3 from the health practitioner of a client;
5.1.4 from other health providers or facilities;
5.1.5 from family members or significant persons of a client; and
5.1.6 from a legal advisor of a client.
5.2 CORE will collect Personal Information (see 15. Definitions : Personal Information) directly
from the client, unless:
5.2.1 we have the consent of the client to collect the information from someone else;
or
5.2.2 we are required or authorised by law to collect the information from someone
else; or
5.2.3 it is unreasonable or impractical to do so (see 15. Definitions : reasonable).
5.3 At first assessment by CORE, a client should identify any parties from whom they do not
wish Personal Information accessed or to whom they do not wish Personal Information
provided. This should be recorded in the file of the client and complied with to the extent
permitted by law
5.4 Unsolicited Information
If CORE receives Personal Information (see 15. Definitions : Personal Information) from an
individual that has not been solicited, and the information could not have been obtained
by lawful means, CORE will destroy or de-identify the information as soon as practicable
and in accordance with the law
5.5 Staff records
CORE will keep a record in respect of staff members about:
5.5.1 basic employment details such as the name of the staff member and the nature
of their employment (eg part-time, full-time, permanent, temporary or casual), as
per the Employment Contract
5.5.2 pay
5.5.3 overtime hours
5.5.4 averaging arrangements
5.5.5 leave entitlements
5.5.6 superannuation contributions
5.5.7 termination of employment (where applicable)
5.5.8 individual flexibility arrangements and guarantees of annual earnings
5.6 CORE will also collect Personal Information about a staff member relating to their
employment being Employee Records (see section 15. Definitions : Employee Records
below)
5.7 Notification of Collection of Information
We will, at or before the time CORE collects Personal Information (see 15. Definitions :
Personal Information) from an individual, or as soon as practicable afterwards, take all
reasonable steps to ensure that the individual is notified or made aware of:
5.7.1 CORE identity and contact details (who is collecting the information);
5.7.2 the purpose for which CORE is collecting Personal Information (how it will be
used);
5.7.3 the identity of other entities or persons to whom CORE usually discloses Personal
Information (who will have access to the information);
5.7.4 that the individual has the right to access the information and correct it at any
time
5.7.5 that information will only be retained according to legislative requirements
5.7.6 that this Privacy Policy contains information about how an individual may
complain about a breach of Privacy, and how a complaint will be dealt with;
5.7.7 whether CORE is likely to disclose Personal Information to overseas recipients and
if so, the countries in which such recipients are likely to be located
6.0 USE AND DISCLOSURE OF INFORMATION
6.1 Permitted Disclosure
CORE may not use or disclose Personal Information (see 15. Definitions : Personal
Information) for a purpose other than the primary purpose of collection, unless:
6.1.1 the secondary purpose is related to the primary purpose (and, if Sensitive
Information (see 15. Definitions : Sensitive Information), is directly related) and the
individual would reasonably expect disclosure of the information for the
secondary purpose;
6.1.2 the individual has consented;
6.1.3 the information is Health Information (see 15. Definitions : Health Information)
and the collection, use or disclosure is necessary for research, the compilation or
analysis of statistics, relevant to public health or public safety, it is impractical to
obtain consent, the use or disclosure is conducted within the privacy principles
and guidelines and we reasonably believe that the recipient will not disclose the
Health Information;
6.1.4 we believe on reasonable grounds (see 15. Definitions : reasonable grounds) that
the disclosure is necessary to prevent or lessen a serious and imminent threat to
an individual’s life, health or safety or a serious threat to public health or public
safety;
6.1.5 we have reason to suspect unlawful activity and use or disclose the Personal
Information as part of our investigation of the matter or in reporting our concerns
to relevant persons or authorities;
6.1.6 we reasonably believe that the use or disclosure is reasonably necessary to allow
an enforcement body to enforce laws, protect the public revenue, prevent
seriously improper conduct or prepare or conduct legal proceedings; or
6.1.7 the use or disclosure is otherwise required or authorised by law.
6.2 Unsolicited Information
If we receive Personal Information (see 15. Definitions : Personal Information) from an
individual that we have not solicited, we will, if it is lawful and reasonable to do so,
destroy or de-identify the information as soon as practicable.
6.3 Cross border disclosure
CORE may disclose an individual’s Personal Information (see 15. Definitions : Personal
Information) to an overseas recipient. CORE will take steps to ensure that the overseas
recipient does not breach the Australian Privacy Principles:
6.3.1 the overseas recipient is subject to laws similar to the Australian Privacy
Principles and the individual has mechanisms to take action against the overseas
recipient;
6.3.2 CORE reasonably believes the disclosure is necessary or authorised by Australian
Law; or
6.3.3 the individual has provided express consent to the disclosure.
6.4 Disclosure of Health Information
CORE may disclose Health Information (see section 15. Definitions : Health Information)
about an individual to a person who is responsible (see section 15. Definitions :
Responsible Person) for the individual if:
6.4.1 the individual is incapable of giving consent (see section 15. Definitions : consent)
or communicating consent;
6.4.2 the disclosure is necessary to provide appropriate care or treatment, or is made
for compassionate reasons, or is necessary for the purposes of undertaking a
quality review of our services (and the disclosure is limited to the extent
reasonable and necessary for this purpose); and
6.4.3 the disclosure is not contrary to any wish previously expressed by the individual,
or of which the Service Manager could reasonably be expected to be aware, and
the disclosure is necessary for providing care or treatment
7.0 ACCESS TO INFORMATION
7.1 Providing Information
Any individual that has information held by CORE has a right to request that CORE
provides them access to the Personal Information (see 15. Definitions : Personal
Information) held about them, and CORE shall provide the information unless the
request:
7.1.1 is frivolous or vexatious
7.1.2 poses a serious threat to the life or health of any individual
7.1.3 unreasonably impacts upon the privacy of other individuals
7.1.4 jeopardises existing or anticipated legal proceedings
7.1.5 prejudices negotiations between the individual and CORE
7.1.6 is unlawful or would be likely to prejudice an investigation of possible unlawful
activity
7.1.7 a federal/state government law enforcement body performing a lawful security
function asks us not to provide access to the information; or
7.1.8 giving access would reveal information CORE holds about a commercially
sensitive decision making process
7.2 Requesting access
Requests for access to information can be made orally or in writing and addressed to the
Service Manager of the relevant service. CORE will respond to each request, see 
Privacy & Confidentiality Procedure
7.3 Declining access
An individual’s identity should be established prior to allowing access to the requested
information. If unsatisfied with the individual’s identity, or access is requested from an
unauthorised party (see section 15. Definitions : unauthorised party), CORE can decline
access to the information.
7.4 CORE can also decline access to information if:
7.4.1 there is a serious threat to life or health of any individual;
7.4.2 the privacy of others may be affected;
7.4.3 the request is frivolous or vexatious;
7.4.4 the information relates to existing or anticipated legal proceedings involving
CORE and the requesting party, and CORE has obtained legal advice; or
7.4.5 the access would be unlawful.
7.5 CORE will provide in writing the reasons for declining access to the requested
information, see Privacy & Confidentiality Procedure
7.6 Granting access
On request (and after determining an individual’s right to access the information) CORE
will provide access to Personal Information (see 15. Definitions : Personal Information),
see Privacy & Confidentiality Procedure
7.7 Charges
CORE may charge for providing access to Personal Information
8.0 PERSONAL INFORMATION QUALITY
CORE aims to ensure that the Personal Information (see 15. Definitions : Personal Information)
held is accurate, complete and up-to-date and upon notification of an issue, will take steps to
correct the information held.
8.1 Correction of Information Held
If an individual establishes the Personal Information held about them is inaccurate,
incomplete, out-of-date, irrelevant or misleading, CORE must take reasonable
steps to correct the information
8.2 If CORE disagrees with an individual about whether information is accurate, complete and
up-to-date, and the individual asks CORE to associate with the information a statement
claiming that the information is inaccurate, incomplete, out-of-date, irrelevant or
misleading, CORE will take steps to do so
8.3 If CORE refuses to correct the Personal Information as requested by the individual, the
individual will be given written notice that sets out:
8.3.1 the reasons for the refusal;
8.3.2 the mechanisms available to complain about the refusal; and
8.3.3 any other matter prescribed by the regulations
9.0 DIRECT MARKETING
9.1 Personal Information
CORE will not use or disclose Personal Information (see 15. Definitions : Personal
Information) about an individual for the purposes of direct marketing, unless the
information is collected directly from the client and:
9.1.1 the individual would reasonably expect CORE to use or disclose Personal
Information for the purpose of direct marketing; and
9.1.2 CORE has provided the individual with a means to ‘opt-out’ and they have not
opted out
9.2 Sensitive Information
CORE will not use or disclose Sensitive Information (see 15. Definitions : Sensitive
Information) about an individual for the purposes of direct marketing, unless the
individual has consented to the information being used for direct marketing
9.3 An individual’s rights in relation to direct marketing activities
If CORE uses information for the purposes of direct marketing, the individual may ask
CORE:
9.3.1 not to provide direct marketing communications to them
9.3.2 not to disclose or use the information
9.3.3 to provide the source of the information
10.0 PERSONAL INFORMATION SECURITY
CORE is committed to keeping secure the Personal Information (see 15. Definitions : Personal
Information) that has been provided. CORE will take all reasonable steps to ensure the Personal
Information held is protected from misuse, interference and loss, and from unauthorised access,
modification or disclosure.
10.1 Securing Client Information
10.1.1 CORE will keep client records in a secure storage area as per the Records
Management Policy
10.1.2 If the records are being carried while providing care, only the staff member
carrying the records will have access to them
10.1.3 Records of previous clients and earlier unused volumes of current clients shall be
archived and stored in a locked service away from general use, see Records
Management Policy
10.1.4 Only health professionals attending to the care of a client will have access to
information of the client. All records shall only be used for the purpose for which they were
intended
10.1.5 A client, or their representatives, shall be provided access to records as requested
and after consultation with the Service Manager. At these times, a qualified staff
member is to remain with a client or representative to facilitate the answering of
any questions raised
10.1.6 Details of a client are not to be provided over the phone, unless the staff member
is sure of the person making the enquiry. If in doubt, consult the Service Manager
10.1.7 Staff members will not make any statements about the condition or treatment of
a client to any person not involved in the care, except to the immediate family or
representative of the client and then only after consultation with the Service
Manager
10.1.8 Staff must be discreet with their comments at all times, protecting and respecting
the privacy, dignity and confidentiality of all clients
10.1.9 Handovers shall be conducted in a private and confidential manner
10.2 Security Measures
Security measures include, but are not limited to:
10.2.1 training staff on their obligations with respect to Personal Information
10.2.2 use of passwords when accessing our data storage system; and
10.2.3 the use of firewalls and virus scanning tools to protect against unauthorised
interference and access. Staff (including contracted staff), are required to have
up-to-date virus protection software and firewalls installed on any device used to
access documents containing Personal Information
10.2.4 As soon as practicable and in accordance with the law, CORE will destroy or de-identify
any Personal Information that is no longer required for CORE’s functions
10.3 Contractors
Contractors working on behalf of CORE are required to:
10.3.1 comply with the Australian Privacy Principles
10.3.2 have up-to-date virus protection software and firewalls installed on any device
used to access documents containing Personal Information
10.3.3 notify CORE immediately of any actual or potential breaches of security
10.3.4 indemnify CORE in relation to any loss suffered by a breach
11.0 MEDIA
No member of staff shall make any statement to the press, radio or television station or to any
reporter for the media. If a staff member is approached to make a statement or comment they
must refer the person to their Service Manager. See Marketing, Advertising & the Media
Policy
12.0 COMPLAINTS
12.1 If an individual wishes to make a complaint about the way CORE has managed their
personal information, they may make that complaint verbally or in writing. See
Handling Client Complaints Policy for process in detail
12.2 Alternatively, complaints may also be referred to a number of services as set out below:
12.2.1 Australian Information Commissioner
The Australian Information Commissioner receives complaints under the Act.
Complaints can be made:
• Online: http://www.oaic.gov.au/privacy/making-a-privacy-complaint
• By phone: on 1300 363 992
• By fax: on +61 2 9284 9666
• In writing:
Address your letter to the Australian Information Commissioner at the:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
OR
Office of the Australian Information Commissioner
GPO Box 2999
Canberra ACT 2601 NSW 2001
12.2.2 Aged Care Complaints Scheme
When appropriate, the Aged Care Complaints Scheme may also be utilised for
dealing with complaints. The scheme operates within the Department of Social
Services and receives complaints under the Act. Complaints can be made:
• Online: at http://www.agedcarecomplaints.govspace.gov.au/concern
• By phone: on 1800 550 552.
If you need an interpreter you can phone the Translating and
Interpretation Service on 131 450 and ask them to put you through to the
Aged Care Complaints Scheme on 1800 500 552.
For hearing or speech impaired TTY users phone 1800 555 677 then ask
for 1800 550 552.
For Speak and Listen users phone 1800 555 727 then ask for 1800 550
552.
For Internet relay users connect to
https://www.iprelay.com.au/call/index.aSPX and enter 1800 550 552.
• In writing: address your letter to the Aged Care Complaints Scheme at the:
Australian Department of Social Services
GPO Box 9848
Sydney NSW 2000
12.2.3 NSW Ombudsman
The NSW Ombudsman deals with complaints for Community and Disability
providers
• Online at www.ombo.nsw.gov.au
• By phone: on 1800 451 524
13.0 POLICY SIGNOFF
13.1 Staff, Volunteers & Board Members: Agreement to this Policy
13.1.1 I have read and had explained to me, this Policy and associated procedures
13.1.2 Breaches of this policy will not be tolerated, failure to comply with obligations
under this policy may lead to disciplinary action. Serious breaches of this policy
may result in termination of employment. See Staff Discipline Policy
13.1.3 I understand and agree to abide by this policy, procedure and the breach
processes in place
AGREEMENT WITNESS
NAME: NAME:
POSITION: POSITION:
SIGNED: SIGNED:
DATE: DATE:
14.0 PROCEDURES
14.1 See Privacy & Confidentiality Procedure
14.2 Mandatory reporting of cases where a worker has concerns about the safety, welfare or
wellbeing of a child or young person, see Mandatory Reporting Procedure
15.0 DEFINITIONS
Confidential Information Any documentation or information received or developed during the
course of employment, which is not publicly available, and relates to
clients of CORE, staff members, volunteers, executive committee, students
on placement or contractors OR the processes, equipment, techniques and
business information used by CORE in the course of operation including all
trade secrets, drawings, techniques, business, financial and marketing
plans and material, manuals of any kind, gross profit and cost information,
business connections including identity and requirements, concepts not
reduced to material form, designs, plans, models, methods of operation,
and the nature and content of contracts and documents
consent FROM THE PRIVACY PRINCIPLES
B.35 Consent means ‘express consent or implied consent’ (s 6(1)). The four
key elements of consent are:
-the individual is adequately informed before giving consent
-the individual gives consent voluntarily
-the consent is current and specific, and
-the individual has the capacity to understand and communicate their
consent.
B.56 The Privacy Act does not specify an age after which individuals can
make their own privacy decisions. An APP entity will need to determine on
a case-by-case basis whether an individual under the age of 18 has the
capacity to consent.
http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-b-key-concepts
Employee Records A record of personal information relating to the employment of the staff
member. Examples of personal information relating to the employment of
the employee are Health Information (see 15. Definitions : Health
Information) about the employee and personal information about all or
any of the following:
• the engagement, training, disciplining or resignation of the employee
• the termination of the employment of the employee
• the terms and conditions of employment of the employee
• the employee’s personal and emergency contact details
• the employee’s performance or conduct
• the employee’s hours of employment
• the employee’s salary or wages
• the employee’s membership of a professional or trade association
• the employee’s trade union membership
• the employee’s recreation, long service, sick, personal, maternity,
paternity or other leave
• the employee’s taxation, banking or superannuation affairs
General Situation FROM AUSTRALIAN PRIVACY PRINCIPLES
There are seven permitted general situations listed in s 16A:
1. lessening or preventing a serious threat to the life, health or safety of
any individual, or to public health or safety (see APPs 3.4(b), 6.2(c), 8.2(d)
and 9.2(d))
2. taking appropriate action in relation to suspected unlawful activity or
serious misconduct (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d))
3. locating a person reported as missing (see APPs 3.4(c), 6.2(c) and 8.2(d))
4. asserting a legal or equitable claim (see APPs 3.4(c) and 6.2(c))
5. conducting an alternative dispute resolution process (see APPs 3.4(b)
and 6.2(c))
6. performing diplomatic or consular functions — this permitted general
situation only applies to agencies (see APP 3.4(b), 6.2(c) and 8.2(d))
7. conducting specified Defence Force activities — this permitted general
situation only applies to the Defence Force (see APP 3.4(b), 6.2(c) and
8.2(d))
http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-c-permitted-general-situations
Health Information Information or an opinion about:
• the health or a disability (at any time) of an individual
• an individual’s expressed wishes about the future provision of health
services to him or her
• a health service provided, or to be provided, to an individual that is
also personal information
• other personal information collected to provide, or in providing, a health
service
• other personal information about an individual collected in connection
with the donation, or intended donation, by the individual of his or her
body parts, organs or body substances
• genetic information about an individual in a form that is, or could be,
predictive of the health of the individual or a genetic relative of the
individual
Health Situation FROM AUSTRALIAN PRIVACY PRINCIPLES
D.2 There are five permitted health situations listed in s 16B:
1. the collection of health information to provide a health service (s
16B(1)) (see APP 3.4(c))
2. the collection of health information for certain research and other
purposes (s 16B(2)) (see APP 3.4(c))
3. the use or disclosure of health information for certain research and
other purposes (s 16B(3)) (see APP 6.2(d))
4. the use or disclosure of genetic information (s 16B(4)) (see APP 6.2(d))
5. the disclosure of health information for a secondary purpose to a
responsible person for an individual (s 16B(5)) (see APP 6.2(d)).
http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-d-permitted-health-situations

Mandatory Reporting The compulsory responsibility under the state/federal law to report risk of
significant harm to children to Community Services
Personal Information Information or an opinion, whether true or not, and whether recorded in a
material form or not, about an individual whose identity is apparent, or
can reasonably be ascertained, from the information or opinion
Reasonable / reasonable grounds FROM THE AUSTRALIAN PRIVACY PRINCIPLES
B.105 ‘Reasonable’ and ‘reasonably’ are not defined in the Privacy Act. The
terms bear their ordinary meaning, as being based upon or according to
reason and capable of sound explanation. What is reasonable is a question
of fact in each individual case. It is an objective test that has regard to how
a reasonable person, who is properly informed, would be expected to act
in the circumstances. What is reasonable can be influenced by current
standards and practices.[33] It is the responsibility of an APP entity {CORE}
to be able to justify that its conduct was reasonable.
In a related context, the High Court has observed that whether there are
‘reasonable grounds’ to support a course of action ‘requires the existence
of facts which are sufficient to [persuade] a reasonable person’;[34] it
‘involves an evaluation of the known facts, circumstances and
considerations which may bear rationally upon the issue in
question’.[35] As that indicates, there may be a conflicting range of
objective circumstances to be considered, and the factors in support of a
conclusion should outweigh those against.
http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-b-key-concepts

Responsible Person A person responsible is the person highest on a designated list who is
available and able to make decisions for a person who is unable to give
informed consent. This may be a parent, a child or sibling, a spouse, a
relative, a member of the individual’s household, a guardian, an enduring
power of attorney, a person who has an intimate personal relationship
with the individual, or a person nominated by the individual to be
contacted in case of emergency, provided they are at least 18 years of age
Sensitive Information Information or an opinion about an individual’s:
• racial or ethnic origins
• political opinions
• membership of a political organisation
• religious beliefs or affiliations
• philosophical beliefs
• membership of a professional or trade association
• membership of a trade union
• sexual preferences or practices
• criminal record
• biometric information
• biometric templates
• health information about an individual and genetic information
Unauthorised party A party that has no actual, implied or apparent authority
Unsolicited Information All personal information received from an individual that we did not
actively seek to collect
16.0 POLICY INFORMATION
RELATED
DOCUMENTATION
REFERENCES The Federal Privacy Act 1988 and the Privacy Amendment (Private Sector) Act
2000
Privacy and Personal Protection Information Act 1998 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Information Protection Principles (IPPs) (2003)
Children and Young Persons (Care and Protection) Act 1998 (NSW)
http://www.legislation.nsw.gov.au/fullhtml/inforce/act+157+1998+FIRST+0+N
Education and Care Services National Regulations 2011
Early Childhood Australia (ECA) Code of Ethics (2008), the Education and Care
Services National Regulations 2011 and the Privacy Legislation
Australian Privacy Principles (from the Office of the Australian Information
Commissioner)
http://www.oaic.gov.au/privacy/privacy-act/australian-privacy-principles
Aged Care Act 1997
https://www.comlaw.gov.au/Details/C2013C00389
Aged Care Transitional Principles 2014
https://www.comlaw.gov.au/Details/F2014L00870/Html/Text#_Toc391564969
CONTACT OFFICER Operations Manager
DATE APPROVED 23 June 2015
APPROVED BY Board
DATE OF COMMENCEMENT 23 June 2015
REVIEWED 24 February 2017