Well Life Privacy and Confidentiality Policy

Summary

WELL LIFE is committed to safeguarding the confidentiality of any personal or health information of individuals by:

Creating procedures that protect privacy with regard to the collection, storage and disclosure of personal information; and
Complying with the Australian Privacy Principles and the Privacy Act 1988 (Commonwealth) (the Privacy Act).

Who should read this document?

This Policy applies to the Personal Information of all WELL LIFE staff, participants, volunteers, clients/beneficiaries, donors, business partners and Online Users collected or held by WELL LIFE.

Risk

Because people with disabilities are more vulnerable to exploitation and abuse than others in the community, workers with access to client information automatically occupy risk-assessed roles under the NDIS Commission.

The primary risk to privacy and confidentiality arises from the collection, storage and sharing of client information. Access by non-authorised persons may expose clients to risk. Safe storage and access policy protects clients from abuse and exploitation. This policy addresses these issues.

There is a risk that information will be shared inadvertently and without the intention to do harm. Information may be unintentionally disclosed by careless use of tablet- or phone-based software, shared with a client’s supporters against the client’s wishes, or disclosed to peers on the assumption that the information is publicly known. Cultural assumptions around sharing information are diverse and change rapidly. Social media platforms may allow clients to be identified. This risk may be minimised by:

raising staff awareness of privacy and confidentiality
ensuring consent is obtained before gathering data (including audio and photographic data)
ensuring that consent is specific to the use of data, and that consent is current
encouraging clients to provide feedback and complaints about the use of their information.

These issues are addressed in this policy.

The meaning of terms and words used in this document (optional)

Personal Information means:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Health Information is information or an opinion about:

the physical, mental or psychological health (at any time) of an individual
a disability (at any time) of an individual
an individual’s expressed wishes about the future provision of health services to him or her
a health service that is provided or to be provided to an individual;
other Personal Information collected to provide, or in providing, a Health Service
other Personal Information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances
other Personal Information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.

Health Service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

to assess, record, maintain or improve the individual’s health; or
 to diagnose the individual’s illness or disability; or
to treat the individual’s illness or disability or suspected illness or disability; or
the dispensing of a prescription drug or medicinal preparation by a pharmacist.

Sensitive Information means information or an opinion about an individual’s

racial or ethnic origin;
political opinion, or membership of a political association;
religious beliefs or affiliations;
philosophical beliefs;
membership of a professional or trade association;
membership of a trade union;
sexual preferences or practices;
criminal record; or
health, genetic, biometric information or biometric templates

What is our aim?

WELL LIFE is an organisation operating in South East Queensland. Our innovative care and support services deliver meaningful outcomes for children, young people, families, and communities, promoting rights and valuing relationships.

WELL LIFE provides services across the NDIS, Residential Care, Allied Health and NIISQ. WELL LIFE engages volunteers, employees and contractors and holds contracts and may receive funding from State and Federal governments to deliver government programs. In providing such services, we comply with the Privacy Act and the Australian Privacy Principles (APPs) and any additional obligations under the contract.

This privacy policy sets out how we comply with our obligations under the Privacy Act. We are bound by the Australian Privacy Principles in the Privacy Act which regulate how organisations may collect, use, disclose and store personal information, and how individuals may access, and correct personal information held by them.

Policy Guideline

We recognise that our obligations under Queensland Information Privacy Act 2009 will prevail in relation to records held by us for services provided that are funded by a Queensland Government department. 

Objectives

To ensure information is received, recorded, accessed and stored appropriately to maintain confidentiality;

To remain compliant with:

the Privacy Act 1988 (Commonwealth) (as amended);
all other relevant legislation;
obligations imposed by Government body funding agreements as well as accreditation and licensing standards; and,
any other WELL LIFE Policies and Procedures related to the collection, storage or other use of Personal Information.
To ensure that all individuals are aware of their rights in regard to privacy and confidentiality and are aware of the means to access or amend private information held about them; and,
To ensure that any Personal information collected is directly related to WELL LIFE service functions or activities.

Guiding Principles

WELL LIFE believes that NDIS participants, individuals, young people and communities have a right to privacy, dignity, and confidentiality. This right will be upheld at all times through practices of sharing and providing information in a discrete manner and on a need-to-know basis.
WELL LIFE will be guided by the Australian Privacy Principles at all times;
Where WELL LIFE operates information systems, the relevant policies and procedures are to be followed for the appropriate use of Personal Information within these systems.
WELL LIFE aims to create a workplace which is respectful, ethical and professional in all matters pertaining to confidential or private information held about an individual.

Policy Committments

WELL LIFE will make available to individuals’ information about privacy rights and how to access or amend their personal information through the provision of the client intake process, welcome letter explaining the Privacy and Confidentiality brochure provided on intake to the service.
WELL LIFE will ensure that the manager will act as a central contact point for any individual requiring information or wanting to contact WELL LIFE about a privacy matter.
WELL LIFE will take steps to ensure that in reasonable circumstances the privacy policy is available free of charge and in an appropriate form.

Performance Indicators

Zero instances of a breach of confidentiality relating to Personal Information, Health Information or Sensitive Information.
100% of personnel, contractor, volunteer or carer files to hold a signed confidentiality agreement and a completed privacy checklist (where applicable).

Collection of Personal and Sensitive Information

Personal and/or sensitive information collected by WELL LIFE from clients/beneficiaries, business partners, WELL LIFE staff and online users is Personal Information and/or Sensitive Information and as such, falls under this policy.

WELL LIFE can be accessed on an anonymous basis or using a pseudonym if requested. If this is possible and lawful, we will take all reasonable steps to comply with your request. However, we may not be able to provide the services in question if we are not provided with the Personal Information requested, or it is impractical to deal with individuals who have not identified themselves or use a pseudonym.

The WELL LIFE website may from time to time contain links to other websites. When an online user accesses a website that is not WELL LIFE website, it may have a different privacy policy.

WELL LIFE collects information:

directly from clients orally or in writing;
from third parties, such as medical practitioners, government agencies, client representatives, carer/s, and other health service providers;
from client referrals; and
from publicly available sources of information.

WELL LIFE will collect sensitive information:

only with client consent, unless an exemption applies: e.g. the collection is required by law, court/tribunal order or is necessary to prevent or lessen a serious and imminent threat to life or health;
fairly, lawfully, and non-intrusively;
directly from client, if doing so is reasonable and practicable;
only where deemed necessary to support
service delivery to clients;
staff activities and functions; and
giving the client the option of interacting anonymity, if lawful and practicable.

WELL LIFE takes all reasonable steps to protect personal information against loss, interference, misuse, unauthorised access, modification, or disclosure. WELL LIFE will destroy, or permanently de-identify personal information that is:

no longer needed;
unsolicited and could not have been obtained directly; or
not required to be retained by, or under, an Australian law or a court/tribunal order.

WELL LIFE has appropriate security measures in place to protect stored electronic and hard-copy materials. WELL LIFE has an archiving process for client files which ensures files are securely and confidentially stored and destroyed in due course.

Should a breach in privacy occur, potentially exposing client information (e.g. computer system hacked, laptop stolen etc.) the Director will immediately act to rectify the breach in accordance with organisational policy and processes (see Breaches of Privacy, below).

How we collect information

Where possible, we collect your Personal Information and Sensitive Information directly from you. We collect information through various means. We will not collect information unless it is necessary for the functions or activities of WELL LIFE.

If you do not want to disclose information that we have requested, please raise this with us.

There are situations where we may also obtain Personal Information about you from a third-party source. If we collect information about you in this way, we will take reasonable steps to contact you and ensure that you are aware of the purpose for which we are collecting your personal information and the organisations to which we may disclose your information, subject to any exceptions under the Privacy Act.

Health information

As necessary to administer WELL LIFE and functions, WELL LIFE may collect Health Information relating solely to the members of the organisation or to individuals who have regular contact with the organisation in connection with its activities. When collecting Health Information from you, as this is Sensitive Information, WELL LIFE will obtain your consent to such collection and explain how this information will be used and disclosed.

If Health Information is collected from a third party, WELL LIFE will inform you that this information has been collected and will explain how this information will be used and disclosed.

WELL LIFE will not use Health Information beyond the consent provided by you, unless your further consent is obtained or in accordance with one of the exceptions under the Privacy Act or in compliance with another law. If WELL LIFE uses your Health Information for research or statistical purposes, it will be de-identified if practicable to do so.

Use and disclosure of Personal Information

We only use Personal Information for the purposes for which it is given to us, or for the purposes which are related to one of our functions or activities. Personal information will not be disclosed for marketing purposes.

For the purposes referred to in this Privacy Policy (discussed above under “Collection of Personal and Sensitive Information”), we may also disclose your personal information to other external organisations including:

government departments/agencies who provide funding for WELL LIFE;
contractors who manage some of the services we offer. In such circumstances, steps are taken to ensure that the contactors comply with the APPs when they handle Personal Information and are only authorised to use Personal Information in order to deliver the services or perform the functions required by WELL LIFE;
doctors and health care professionals, who assist us to deliver our services;
other regulatory bodies, such as WorkCover/WorkSafe; and our professional advisors, including our accountants, auditors and lawyers.

Except as set out above, WELL LIFE will not disclose an individual’s personal information to a third party unless one of the following applies:

the individual has consented;
the individual would reasonably expect us to use that information for another purpose related to the purpose for which it was collected (or in the case of sensitive information – directly related to the purpose for which it was collected);
it is otherwise required or authorised by law;

it will prevent or lessen a serious threat to somebody’s life, health or safety or to the public health or safety;
it is reasonably necessary for us to take appropriate action in relation to suspected unlawful activity, or misconduct of a serious nature that relates to our functions or activities;
it is reasonably necessary to assist in locating a missing person;
it is reasonably necessary to establish, exercise or defend a claim at law;
it is reasonably necessary for a confidential dispute resolution process;
it is necessary to provide health services;
It is necessary for the management, funding or monitoring of a health service relevant to public health or public safety;
it is necessary for research or the compilation or analysis of statistics relevant to public health or public safety; o it is reasonably necessary for the enforcement of a law conducted by an enforcement body, in this case WELL LIFE will make a written note of the disclosure;
a permitted general situation exists, as defined in s16A of the Privacy Amendment (Enhancing Personal Privacy) Act 2012; or
a permitted health situation exists as outlined by s16B of the Privacy Amendment (Enhancing Personal Privacy) Act 2012.

We do not send personal information out of Australia. If we are legally required to send information overseas we will take all reasonable measures to protect your personal information by gaining your consent to the disclosure, or ensuring that the country of destination has similar protections in relation to privacy, and does not breach the Australian Privacy Principles, or that we enter into contractual arrangements with the recipient of your personal information that safeguards your privacy. Alternatively, if the information is required under Australian law, or if the information is required or authorised under international agreement to which Australia is a party to, or if is reasonably necessary by an enforcement body it may be shared.

For our child placement service, sharing information will be guided by the Department’s Information Sharing Guidelines – To meet the protection and care needs and promote the wellbeing of children.

Security of Personal Information and Sensitive Information

WELL LIFE takes reasonable steps to protect the Personal Information and Sensitive Information we hold against misuse, interference, loss, unauthorised access, modification, and disclosure.

These steps include password protection for accessing our electronic IT systems, securing paper files in locked cabinets and applying physical access restrictions. Only authorised personnel are permitted to access our systems and controlled premises.

When Personal Information is no longer required, it is destroyed in a secure manner, or will be de-identified.

Use of Artificial Intelligence (AI) Tools

WELL LIFE may use approved AI tools to assist with data analysis, interpretation, and the preparation of internal reports derived from staff-written case notes or incident reports.
AI tools will only be used in ways that uphold privacy, confidentiality, and ethical standards. No personal, sensitive, or identifying information will be entered into public or unapproved AI platforms.
All AI-generated outputs will be reviewed by a qualified staff member before use or dissemination.
The use of AI tools will comply with the WELL LIFE Artificial Intelligence (AI) Policy and relevant privacy legislation.

Access to and correction of personal information

If an individual requests access to the Personal Information we hold about them, or seeks to change that Personal Information, upon this request we will give the individual access, unless:

the request does not relate to the personal information of the person making the request;
the request would have an unreasonable impact on the privacy of other individuals;
providing access would pose a serious threat to the life, health or safety of a person or to
public health or public safety;
providing access would create an unreasonable impact on the privacy of others;
the request is frivolous and vexatious;
the request relates to existing or anticipated legal proceedings;
providing access would prejudice negotiations with the individuals making the request;
access would be unlawful;
denial of access is authorised or required by law;
access would prejudice an action in relation to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of the WELL LIFE.
access discloses a ‘commercially sensitive’ decision making process or information; or
any other reason that is provided for in the APPs or in the Privacy Act.

Requests for access and/or correction should be made to the Operations manager or CEO. For security reasons, any request must be made in writing with proof of identity. This is necessary to ensure that personal information is provided only to the correct individuals and that the privacy of other persons is preserved.

In the first instance, WELL LIFE will assume (unless otherwise informed) that any request relates to current records. These current records will include personal information which is included in WELL LIFE databases and in paper files which may be used on a day to day basis.

We will take all reasonable steps to provide access to the information requested with 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take all reasonable steps to provide access to the information requested within 30 days.

We will provide access by allowing you to inspect, take notes or print outs of personal information that we hold about you.

WELL LIFE may charge you reasonable fees to reimburse us for the costs we incur relating to your request for access to information, including in relation to photocopying and delivery cost of information stored off site. For current fees, please contact the administration team.

If we deny access to information, we will set out our reasons for denying access in writing. Where there is a dispute about the right to access information or forms of access, this will be dealt with in accordance with the WELL LIFE complaints procedure. More information about this process can be obtained from the Operations Manager.

If an individual is able to establish that personal information WELL LIFE holds about her/him is not accurate, complete or up to date, WELL LIFE will take reasonable steps to correct our records unless it is impracticable or unlawful to do so.

In the event a request for change is refused WELL LIFE will set out, in writing, the reasons for refusal and the mechanism by which you can complain. We will not charge an individual for making the request or correcting the information.

Storage and Access

All hard copy records are kept in appropriate conditions and protected from known risks, degradation and unauthorised access.

Electronic records are stored securely, password protected and are backed up regularly.

Where client files are transported out of the office, the records should be moved securely in a non-transparent container (eg. locked briefcase).

Archiving

WELL LIFE will maintain a secure archive system for records and information no longer in use. Contents of individual archive boxes will be attached to the outside of each box and kept for the period specified in relevant legislation. Client files will be kept for a period of seven (7) years and general correspondence and documents for two (2) years.

Financial records will be archived in order of financial year in which they occur and kept for a minimum period of seven (7) years.

Client records, files and information will be stored, accessed and used in accordance with WELL LIFE’ policies on privacy and confidentiality.

Staff files (including paid staff and volunteers) will be stored securely with access limited to the Director. Personnel files of ex-staff members will be kept on file for a period of seven (7) years.

Obsolete documents containing personal information will be shredded or disposed of in such a way that no identifying information is visible.

Complaints procedure

If you have a complaint about WELL LIFE privacy practices or our handling of your Personal Information or Sensitive Information, you may notify our manager.

All efforts will be made to address complaints and achieve an effective resolution of your complaint within a reasonable timeframe. In most cases this will be 30 days or as soon as practicable. However, if the matter is complex, the resolution of the complaint may take longer.

All complaints and outcomes will be recorded.

In the event that an anonymous complaint is received we will note the issues raised and where appropriate, investigate and resolve them appropriately.
If concerns cannot be resolved and clients wish to formally complain about how their personal information is managed, or if they believe WELL LIFE has breached an APP and/or IPP, they may send their concerns in writing to:

Office of the Information Commissioner, Queensland

PO Box 10143
Adelaide Street Brisbane
Queensland 4000

Telephone: (07) 3234 7373
Email: enquiries@oic.qld.gov.au

Breaches of privacy

WELL LIFE are required to disclose a data breach to the Office of Australian Information Commissioner if the data contains personal information that is likely to result in “serious harm”, which includes any of the following: physical, psychological, financial or reputational harm. Personal information is information about an identified individual, or an individual who is reasonably identifiable.

Any staff who identify a potential breach must immediately inform their line manager, who must report to the Director for further action.

A review of this policy

This policy will be reviewed on a two-yearly basis. However, if at any time the legislative, policy or funding environment is so altered that the Policy is no longer appropriate in its current form, the Policy will be reviewed immediately and amended accordingly.