Private

Intended for or restricted to the use of a particular person.

Confidential Information

Any documentation or information received or developed during employment, which is not publicly available. This can relate to clients of CORE, staff, volunteers, executive committee, students on placement or contractors. It also relates to the processes, equipment, techniques and business information used by CORE in the course of operation including all trade secrets, drawings, techniques, business, financial and marketing plans and material, manuals of any kind, gross profit and cost information, business connections including identity and requirements, concepts not reduced to material form, designs, plans, models, methods of operation, and the nature and content of contracts and documents.

Consent

Australian Privacy Principle Guidelines defines consent as:

Chapter B: Key concepts B.35: Consent means ‘express consent or implied consent’ (s 6(1)). The four key elements of consent are:

▪ the individual is adequately informed before giving consent;

▪ the individual gives consent voluntarily;

▪ the consent is current and specific; and

▪ the individual has the capacity to understand and communicate their consent.

B.56 The Privacy Act does not specify an age after which individuals can make their own privacy decisions. An APP entity will need to determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent.

https://www.oaic.gov.au/__data/assets/pdf_file/0009/1125/app-guidelines-july-2019.pdf

Staff Records

A record of personal information relating to the employment of a staff member. Examples of personal information relating to the employment of a staff member are Health Information (see 6.0 Definitions: Health Information) about the staff member and personal information including but not limited to all or any of the following:

▪ The engagement, training, disciplining or resignation of the staff member;

▪ The termination of the employment of the staff member;

▪ The terms and conditions of employment of the staff member;

▪ The staff member’s personal and emergency contact details;

▪ The staff member’s performance or conduct;

General Situation

There are seven permitted general situations listed in Division 2, Section 16A of the Privacy Act 1988 (Cth):

i.lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d)).

ii.taking appropriate action in relation to suspected unlawful activity or serious misconduct (see APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d)).

iii.locating a person reported as missing (see APPs 3.4(c), 6.2(c) and 8.2(d)).

iv.asserting a legal or equitable claim (see APPs 3.4(c) and 6.2(c)).

v. conducting an alternative dispute resolution process (see APPs 3.4(b) and 6.2(c)).

vi. performing diplomatic or consular functions — this permitted general situation only applies to agencies (see APP 3.4(b), 6.2(c) and 8.2(d)).

vii. conducting specified Defence Force activities — this permitted general situation only applies to the Defence Force (see APP 3.4(b), 6.2(c) and 8.2(d)).

Health Information

(Subset of Personal Information)

Information or an opinion about:

1. The health or a disability (at any time) of an individual;
2. An individual’s expressed wishes about the future provision of health services to him or her; or
3. A health service provided, or to be provided, to an individual that is also personal information.

Other personal information collected to provide, or in providing, a health service.

Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

Genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Health Situation

There are five permitted health situations listed in Division 2, Section 16B of the Privacy Act 1988 (Cth):

1. the collection of health information to provide a health service (s 16B(1)) (see APP 3.4(c)).
2. the collection of health information for certain research and other purposes (s 16B(2)) (see APP 3.4(c)).
3. the use or disclosure of health information for certain research and other purposes (s 16B(3)) (see APP 6.2(d)).
4. the use or disclosure of genetic information (s 16B (4)) (see APP 6.2(d)).
5. the disclosure of health information for a secondary purpose to a responsible person for an individual (s 16B(5)) (see APP 6.2(d)).

Mandatory Reporting

Aged Care

Under the Aged Care Act 1997 reporting of significant harm is mandatory when providing home care services to the elderly.

Children and Young People

Under the Children and Young Persons (Care and Protection) Act 1998 (NSW) and Education and Care Services National Regulations 2011 reporting of risk of significant harm is mandatory.

Disability

Under the Commonwealth NDIS Quality and Safeguards Commission NDIS registered providers are required to notify the NDIS Commission of the following incidents (including allegations) affecting NDIS participants in connection with the provision of NDIS supports and services.

Personal Information

Information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information may include:

• an individual’s name, signature, address, phone number or date of birth,
• sensitive information,
• credit information,
• employee record information,
• photographs,
• internet protocol (IP) addresses,
• voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique), or
• location information from a mobile device (because it can reveal user activity patterns and habits).

Reasonable/reasonable grounds

Australian Privacy Principle Guidelines defines reasonable as:

B.105 ‘Reasonable’ and ‘reasonably’ are not defined in the Privacy Act. The terms bear their ordinary meaning, as being based upon or according to reason and capable of sound explanation. What is reasonable is a question of fact in each individual case. It is an objective test that has regard to how a reasonable person, who is properly informed, would be expected to act in the circumstances. What is reasonable can be influenced by current standards and practices.[33]. It is the responsibility of an APP entity {CORE} to be able to justify that its conduct was reasonable.

In a related context, the High Court has observed that whether there are ‘reasonable grounds’ to support a course of action ‘requires the existence of facts which are sufficient to[persuade]a reasonable person’;[34] it ‘involves an evaluation of the known facts, circumstances and considerations which may bear rationally upon the issue in question’.[35] As

Responsible Person

From the Privacy Act 1988 (Cth):

1. A responsible person for an individual is:

a) a parent of the individual; or

b) a child or sibling of the individual if the child or sibling is at least 18 years old; or

c) a spouse or de facto partner of the individual; or

d) a relative of the individual if the relative is:

i. at least 18 years old; and

ii. a member of the individual’s household; or

e) a guardian of the individual; or

f) a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

g) a person who has an intimate personal relationship with the individual; or

h) a person nominated by the individual to be contacted in case of emergency.

Sensitive Information

(Subset of Personal Information)

Information or an opinion about an individual’s:

▪ racial or ethnic origins,

▪ political opinions,

▪ membership of a political organisation,

▪ religious beliefs or affiliations,

▪ philosophical beliefs,

▪ membership of a professional or trade association,

▪ membership of a trade union,

▪ sexual preferences or practices,

▪ criminal record,

▪ biometric information,

▪ biometric templates, or

▪ health information about an individual and genetic information.

Unauthorised party

A party that has no actual, implied or apparent authority.

Unsolicited Information

All personal information received from an individual that we did not actively seek to collect.

13.1 Personal Information and Sensitive Information (including Health Information), (see 6.0 Definitions: Personal Information; Sensitive Information; Health Information) may be collected: From a client.

From any person or organisation that assesses health status or care requirements, for example the aged care assessment team.

i.From the health practitioner of a client.

ii.From other health providers or facilities.

iii. From family members or significant persons of a client.

iv. From a legal advisor of a client.

13.2 CORE will collect Personal Information (see 6.0 Definitions) directly from the client, unless: We have the consent of the client to collect the information from someone else.

i.We are required or authorised by law to collect the information from someone else. or

ii. It is unreasonable or impractical to do so (see 6.0 definitions: reasonable).

13.3 At first assessment by CORE, a client should identify any parties from whom they do not wish Personal Information accessed or to whom they do not wish Personal Information provided. This should be recorded in the file of the client and complied with to the extent permitted by law.

14.1 If CORE receives Personal Information (see 6.0 Definitions) from an individual that has not been solicited, and the information could not have been obtained by lawful means, CORE will destroy or de-identify the information as soon as practicable and in accordance with the law.

15.1 CORE will keep a record in respect of staff members for:

i.Basic employment details such as the name of the staff and the nature of their employment (e.g. part-time, full-time, permanent, temporary or casual), as per the contract of engagement.

ii.Emergency contact details in case of illness or injury.

iii.Pay.

iv.Overtime hours.

v. Averaging arrangements.

vi. Leave entitlements.

vii. Superannuation contributions.

viii. Termination of employment where applicable.

ix. Individual flexibility arrangements and guarantees of annual earnings.

x. Vaccination status.

15.2 CORE will also collect Personal Information about a staff member relating to their contract of engagement (see 6.0 Definitions: Staff Records).

16.1 We will, at or before the time, or as soon as practicable after CORE collects Personal Information (see 6.0 Definitions: Personal Information) from an individual, take all reasonable steps to ensure that the individual is notified or made aware of: CORE identity and contact details (who is collecting the information)The purpose for which CORE is collecting Personal Information (how it will be used).The identity of other entities or persons to whom CORE usually discloses Personal Information to (who will have access to the information).

i. That the individual has the right to access the information and correct it at any time.

ii. That information will only be retained according to legislative requirements.

iii. That this Privacy Policy contains information about how an individual may complain about a breach of Privacy, and how a complaint will be dealt with.

iv. Whether CORE is likely to disclose Personal Information to overseas recipients and if so, the countries in which such recipients are likely to be located.

17.1 CORE may not use or disclose Personal Information (see 6.0 Definitions: Personal Information) for a purpose other than the primary purpose of collection, unless: The secondary purpose is related to the primary purpose (and if Sensitive Information, (see 6.0 Definitions: Sensitive Information is directly related) and the individual would reasonably expect disclosure of the information for the secondary purpose.

i. The individual has consented.

ii. The information is Health Information (see 6.0 Definitions: Health Information) and the collection, use or disclosure is necessary for research, the compilation or analysis of statistics, relevant to public health or public safety, it is impractical to obtain consent, the use or disclosure is conducted within the privacy principles and guidelines and we reasonably believe that the recipient will not disclose the Health Information.

iii. We believe on reasonable grounds (see 6.0 Definitions: reasonable grounds) that the disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety.

iv.We have reason to suspect unlawful activity and use or disclose the Personal Information as part of our investigation of the matter or in reporting our concerns to relevant persons or authorities.

v.We reasonably believe that the use or disclosure is reasonably necessary to allow an enforcement body to enforce laws, protect the public revenue, prevent seriously improper conduct or prepare or conduct legal proceedings.

vi. The use or disclosure is otherwise required or authorised by law.

18.1 CORE may disclose an individual’s Personal Information (see 6.0 Definitions: Personal Information) to an overseas recipient. CORE will take steps to ensure that the overseas recipient does not breach the Australian Privacy Principles: The overseas recipient is subject to laws similar to the Australian Privacy Principles and the individual has mechanisms to take action against the overseas recipient.

1. 1. 1. CORE reasonably believes the disclosure is necessary or authorised by Australian Law.
      2. The individual has provided express consent to the disclosure.

19.1 CORE may disclose Health Information (see 6.0 Definitions: Health Information) about an individual to a person who is responsible (see 6.0 Definitions: Responsible Person) for the individual if: The individual is incapable of giving consent (see 6.0 Definitions: consent) or communicating consent.

1. 1. 1. The disclosure is necessary to provide appropriate care or treatment, or is made for compassionate reasons, or is necessary for the purposes of undertaking a quality review of our services (and the disclosure is limited to the extent reasonable and necessary for this purpose).
      2. The disclosure is not contrary to any wish previously expressed by the individual, or of which the Service Manager could reasonably be expected to be aware, and the disclosure is necessary for providing care or treatment.
      3.  

20.1 Any individual that has information held by CORE has a right to request that CORE provides them access to the Personal Information (see 6.0 Definitions: Personal Information) held about them, and CORE shall provide the information unless the request: Is frivolous or vexatious.

1. 1. 1. Poses a serious threat to the life or health of any individual.
      2. Unreasonably impacts upon the privacy of other individuals.
      3. Jeopardises existing or anticipated legal proceedings.
      4. Prejudices negotiations between the individual and CORE.
      5. Is unlawful or would be likely to prejudice an investigation of possible unlawful activity.
      6. Federal/state government law enforcement body performing a lawful security function asks us not to provide access to the information.
      7. Giving access would reveal information CORE holds about a commercially sensitive decision-making process.

20.2 Requests for access to information can be made in writing and addressed to the Service Manager of the relevant service. CORE will respond to each request, see QA-SOP 001 Privacy & Confidentiality Procedure.

21.0 DECLINING ACCESS 21.1 An individual’s identity should be established prior to allowing access to the requested information. If unsatisfied with the individual’s identity, or access is requested from an unauthorised party (see 6.0 Definitions: unauthorised party), CORE can decline access to the information.

21.2 CORE can also decline access to information if: There is a serious threat to life or health of any individual.

1. 1. 1. The privacy of others may be affected.
      2. The request is frivolous or vexatious.
      3. The information relates to existing or anticipated legal proceedings involving CORE and the requesting party, and CORE has obtained legal advice.
      4. The access would be unlawful.

21.3 CORE will provide in writing the reasons for declining access to the requested information, see QA-SOP 001 Privacy & Confidentiality Procedure.

22.0 GRANTING ACCESS 22.1 On request and after determining an individual’s right to access the information CORE will provide access to Personal Information (see 6.0 Definitions: Personal Information), see QA-SOP 001 Privacy & Confidentiality Procedure.

23.1 CORE aims to ensure that the Personal Information (see 6.0 Definitions: Personal Information) held is accurate, complete and up-to-date and upon notification of an issue, will take steps to correct the information held.

23.0 PERSONAL INFORMATION QUALITY

24.1 If an individual establishes the Personal Information held about them is inaccurate, incomplete, out-of-date, irrelevant or misleading CORE must take reasonable steps to correct the information.

24.2 If CORE disagrees with an individual about whether information is accurate, complete and up- to-date, CORE will let you know in writing: the reasons for refusing to correct your personal information

1. 1. 1. your right to request that a statement be associated with your personal information
      2. how to make a complaint.

24.3 If CORE refuses your request to correct your personal information, you may request that CORE associate a statement that you think your personal information is inaccurate, out of date, incomplete, irrelevant or misleading.

25.1 CORE will not use or disclose Personal Information (see 6.0 Definitions: Personal Information) about an individual for the purposes of direct marketing, unless the information is collected directly from the client and: The individual would reasonably expect CORE to use or disclose Personal Information for the purpose of direct marketing.

1. 1. 1. CORE has provided the individual with a means to ‘opt-in’, if the individual does not ‘opt in’ information will not be used for the purpose of direct marketing.

24.0 CORRECTION OF INFORMATION HELD

25.0 DIRECT MARKETING

1. 1. 1. 25.1 CORE will not use or disclose Personal Information (see 6.0 Definitions: Personal Information) about an individual for the purposes of direct marketing, unless the information is collected directly from the client and: The individual would reasonably expect CORE to use or disclose Personal Information for the purpose of direct marketing.
      2. CORE has provided the individual with a means to ‘opt-in’, if the individual does not ‘opt in’ information will not be used for the purpose of direct marketing.

      3. 25.2 CORE will not use or disclose Sensitive Information (see 6.0 Definitions: Sensitive Information) about an individual for the purposes of direct marketing, unless the individual has consented to the information being used for direct marketing.

25.3 If CORE uses information for the purposes of direct marketing, the individual may ask CORE:

i. Not to provide direct marketing communications to them.

ii. Not to disclose or use the information.

iii. To provide the source of the information.

26.1 CORE is committed to keeping secure Personal Information (see 6.0 Definitions: Personal Information) that has been provided. CORE will take all reasonable steps to ensure the Personal Information held either hardcopy or digital is protected from misuse, interference, loss, from unauthorised access, modification or disclosure.

27.1 CORE will keep client records in a secure storage area as per the QA-P004 Records Management Policy.

27.2 If Personal information is being carried while providing care, only the staff carrying the personal information will have access to them.

27.3 Personal Information of previous clients and earlier unused volumes of current clients shall be archived and stored in a locked service away from general use, see QA-P004 Records Management Policy.

27.4 Only professionals attending to the care of a client will have access to information of the client (This could include builders, external meal providers or transportation providers). All records shall only be used for the purpose it was intended.

27.5 A client, or their representatives, shall be provided access to records as requested and after consultation with the Service Manager. At these times, a qualified Staff member is to remain with a client or representative to facilitate the answering of any questions raised.

27.6 Details of a client are not to be provided over the phone, unless the Staff member is sure of the person making the enquiry. If in doubt, consult the Service Manager.

27.7 Client information will not be provided to members of the client’s family or other persons without express signed consent forms including advocacy forms.

27.8 Staff will not make any statements about the condition or treatment of a client to any person not involved in the care, except to the immediate family or representative of the client and then only after consultation with the Service Manager.

27.9 Staff must always be discrete with their comments, protecting and respecting the privacy, dignity and confidentiality of all clients.

27.10 Handovers shall be conducted in a private and confidential manner.

28.1 Security measures include, but are not limited to: Training staff on their obligations with respect to Personal Information.

1. 1. 1. Use of passwords when accessing our data storage system.
      2. Security measures for devices are in line with IT-P004 Information Security Management System Policy
      3. As soon as practicable and in accordance with the law, CORE will destroy or de-identify any Personal Information that is no longer required for CORE’s functions.

26.0 PERSONAL INFORMATION SECURITY

27.0 SECURING CLIENT INFORMATION

28.0 SECURITY MEASURES

1. 1. 1. Security measures include, but are not limited to: Training staff on their obligations with respect to Personal Information.
      2. Use of passwords when accessing our data storage system.
      3. Security measures for devices are in line with IT-P004 Information Security Management System Policy
      4. As soon as practicable and in accordance with the law, CORE will destroy or de-identify any Personal Information that is no longer required for CORE’s functions.

29.0 CONTRACTORS

1. 1. 1. 29.1 Contractors working on behalf of CORE are required to: Comply with the Australian Privacy Principles.
      2. Have up-to-date virus protection software and firewalls installed on their information technology systems and devices used to access Personal Information.
      3. Notify CORE immediately of any actual or potential breaches of security.
      4. Indemnify CORE in relation to any loss suffered by a breach.

30.1 No staff member shall make any statement to the press, radio or television station or to any reporter for the media. If a staff member is approached to make a statement or comment they must refer the person to their Service Manager. See MAR-P002 Marketing, Advertising & the Media Policy.

30.0 MEDIA

31.0 COMPLAINTS

31.1 If an individual would like to make a complaint about the way CORE has managed their personal information, they may make that complaint to the Privacy officer, verbally or in writing to CORE, See QA-P003 Customer Feedback and Complaints Policy for process in detail.

31.2 CORE Community Services Privacy Officer details:

i. Juana Reinoso

ii. Email: privacy@corecs.org.au

31.3 Alternatively complaints regarding breaches in privacy can be made directly to the Office of the Australian Information Commissioner (OAIC) by:

i. Online at: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

Version

Version Changes

Date Approved

Approved By

Date of Next Review

V1

Document Created

27/10/2015

Board

2018

V2

Updated information under the following headings: introduction, scope, responsibilities, references, definitions, policy, collection of information, Methods of collection, use and disclosure of information, Access to information, personal information, quality, direct marketing, personal information security, media, complaints.

13/05/2019

Board

13/05/2021

V3

Minor formatting, changed employee’s to staff.

27/04/2022

Board

27/04/2024

V4

Reviewed with Minor changes

30/10/2024

Board

30/10/2027