top of page

Well Life Privacy and Confidentiality Policy

Summary

WELL LIFE Services (WLS) is committed to safeguarding the confidentiality of any personal or health information of individuals by:  

  • Creating procedures that protect privacy with regard to the collection, storage and disclosure of personal information; and 

  • Complying with the Australian Privacy Principles and the Privacy Act 1988 (Commonwealth) (the Privacy Act).  

Any service we deliver on behalf of the Queensland Government will follow the Queensland Information Privacy Act 2009 and be deemed an IP Act Program, ensuring we treat people’s stories, identity and personal information with the highest level of care, protection and cultural respect. Wherever the IP Act applies, it guides how we collect, use, share and safeguard information so young people, families and communities can trust in the safety of our practice.

Who should read this document?  

This Policy applies to the Personal Information of all WLS workers, clients,  clients/beneficiaries, donors, business partners and Online Users collected or held by WLS.  

Risk

Because people with disabilities are more vulnerable to exploitation and abuse than others in the community, workers with access to client information automatically occupy risk-assessed roles under the NDIS Commission.  

 

The primary risk to privacy and confidentiality arises from the collection, storage and sharing of client information. Access by non-authorised persons may expose clients to risk. Safe storage and access policy protects clients from abuse and exploitation. 

 

There is a risk that information will be shared inadvertently and without the intention to do harm. Information may be unintentionally disclosed by careless use of tablet- or phone-based software, shared with a client’s supporters against the client’s wishes, or disclosed to peers on the assumption that the information is publicly known. Cultural assumptions around sharing information are diverse and change rapidly. Social media platforms may allow clients to be identified. This risk may be minimised by:  

  • raising worker awareness of privacy and confidentiality  

  • ensuring consent is obtained before gathering data (including audio and photographic data) 

  • ensuring that consent is specific to the use of data, and that consent is current 

  • encouraging clients to provide feedback and complaints about the use of their information. 

The meaning of terms and words used in this document (optional)  

Personal Information means:

  • information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.  

 

Health Information is information or an opinion about: 

  • the physical, mental or psychological health (at any time) of an individual 

  • a disability (at any time) of an individual 

  • an individual’s expressed wishes about the future provision of health services to him or her 

  • a health service that is provided or to be provided to an individual; 

  • other Personal Information collected to provide, or in providing, a Health Service 

  • other Personal Information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances 

  • other Personal Information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants. 

 

Health Service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it: 

  • to assess, record, maintain or improve the individual’s health; or 

  •  to diagnose the individual’s illness or disability; or  

  • to treat the individual’s illness or disability or suspected illness or disability; or  

  • the dispensing of a prescription drug or medicinal preparation by a pharmacist.  

 

Sensitive Information means information or an opinion about an individual’s 

  • racial or ethnic origin;  

  • political opinion, or membership of a political association; 

  • religious beliefs or affiliations;  

  • philosophical beliefs;  

  • membership of a professional or trade association;  

  • membership of a trade union;  

  • sexual preferences or practices;  

  • criminal record; or  

  • health, genetic, biometric information or biometric templates  

What is our aim?

WLS is an organisation operating in South East Queensland.  Our innovative care and support services deliver meaningful outcomes for clients,  families, and communities, promoting rights and valuing relationships.  

 

WLS provides services across the NDIS and NIISQ through the provision of  Out of Home Care, Lifestyle Support, Allied Health, and Support Coordination..  WLS engages volunteers, employees and contractors and holds contracts and may receive funding from State and Federal governments to deliver government programs. In providing such services, we comply with the Privacy Act and the Australian Privacy Principles (APPs) and any additional obligations under the contract.  

Policy Guideline

This privacy policy sets out how we comply with our obligations under the Privacy Act. We are bound by the Australian Privacy Principles in the Privacy Act which regulate how organisations may collect, use, disclose and store personal information, and how individuals may access, and correct personal information held by them.  

 

We recognise that our obligations under Queensland Information Privacy Act 2009 will prevail in relation to records held by us for services provided that are funded by a Queensland Government department.  

Objectives

To ensure information is received, recorded, accessed and stored appropriately to maintain confidentiality; 

 

To remain compliant with:  

  • the Privacy Act 1988 (Commonwealth) (as amended);  

  • all other relevant legislation;  

  • obligations imposed by Government body funding agreements as well as accreditation and licensing standards; and,  

  • any other WLS Policies and Procedures related to the collection, storage or other use of Personal Information.  

  • To ensure that all individuals are aware of their rights in regard to privacy and confidentiality and are aware of the means to access or amend private information held about them; and,  

  • To ensure that any Personal information collected is directly related to WLS functions or activities.  

Guiding Principles

  • WLS believes that clients and communities have a right to privacy, dignity, and confidentiality. This right will be upheld at all times through practices of sharing and providing information in a discrete manner and on a need-to-know basis maintaining a person centred practice approach; 

  • WLS will be guided by the Australian Privacy Principles at all times;  

  • Where WLS operates information systems, the relevant policies and procedures are to be followed for the appropriate use of Personal Information within these systems.

  • WLS aims to create a workplace which is respectful, ethical and professional in all matters pertaining to confidential or private information held about an individual.  

Policy Committments

  • WLS will make available to individuals’ information about privacy rights and how to access or amend their personal information through the provision of the client intake process, welcome letter explaining the Privacy and Confidentiality brochure provided on intake to the service.

  • WLS will ensure that the manager will act as a central contact point for any individual requiring information or wanting to contact WLS about a privacy matter. 

  • WLS will take steps to ensure that in reasonable circumstances the privacy policy is available free of charge and in an appropriate form.  

Performance Indicators

  • Zero instances of a breach of confidentiality relating to Personal Information, Health Information or Sensitive Information.

  • 100% of personnel, contractor, volunteer or carer files to hold a signed confidentiality agreement and a completed privacy checklist (where applicable).  

Collection of Personal and Sensitive Information 

Personal and/or sensitive information collected by WLS from clients/beneficiaries, business partners, WLS Workers and online users is Personal Information and/or Sensitive Information and as such, falls under this policy.  

 

WLS can be accessed on an anonymous basis or using a pseudonym if requested. If this is possible and lawful, we will take all reasonable steps to comply with your request. However, we may not be able to provide the services in question if we are not provided with the Personal Information requested, or it is impractical to deal with individuals who have not identified themselves or use a pseudonym.  

​​

The WLS website may from time to time contain links to other websites. When an online user accesses a website that is not WLS website, it may have a different privacy policy.  

​​

WLS collects information: 

  • directly from clients orally or in writing; 

  • from third parties, such as medical practitioners, government agencies, client representatives, carer/s, and other health service providers;  

  • from client referrals; and 

  • from publicly available sources of information. 

​

WLS will collect sensitive information: 

  • only with client consent, unless an exemption applies: e.g. the collection is required by law, court/tribunal order or is necessary to prevent or lessen a serious and imminent threat to life or health;  

  • fairly, lawfully, and non-intrusively;  

  • directly from client, if doing so is reasonable and practicable; 

  • only where deemed necessary to support 

  • service delivery to clients;  

  • staff activities and functions; and 

  • giving the client the option of interacting anonymity, if lawful and practicable. 

 

WLS embraces secure digital storage because it helps us protect the dignity, privacy and stories of the clients and families we walk alongside. When paper records are required, we scan and secure them safely in our online systems and destroy the originals, ensuring only the right people can access them.   When the law says we must keep the originals, WLS takes all reasonable steps to protect personal information against loss, interference, misuse, unauthorised access, modification, or disclosure.  WLS will destroy, or permanently de-identify personal information that is: 

  • no longer needed; 

  • unsolicited and could not have been obtained directly; or  

  • not required to be retained by, or under, an Australian law or a court/tribunal order.   

​​

WLS has appropriate security measures in place to protect stored electronic and hard-copy materials including:

  • an archiving process for client files which ensures files are securely and confidentially stored and destroyed in due course.  

  • ​

Should a breach in privacy occur, potentially exposing client information (e.g. computer system hacked, laptop stolen etc.) the CEO will immediately act to rectify the breach in accordance with organisational policy and processes (see Breaches of Privacy, below).  

How we collect information

Where possible, we collect your Personal Information and Sensitive Information directly from you. We collect information through various means. We will not collect information unless it is necessary for the functions or activities of WLS.  

If you do not want to disclose information that we have requested, please raise this with us.  

 

There are situations where we may also obtain Personal Information about you from a third-party source. If we collect information about you in this way, we will take reasonable steps to contact you and ensure that you are aware of the purpose for which we are collecting your personal information and the organisations to which we may disclose your information, subject to any exceptions under the Privacy Act.  

Health information

As necessary to administer WLS and functions, WLS may collect Health Information relating solely to the service users of the organisation or to individuals who have regular contact with the organisation in connection with its activities. When collecting Health Information from you, as this is Sensitive Information, WLS will obtain your consent to such collection and explain how this information will be used and disclosed.  

 

If Health Information is collected from a third party, WLS will inform you that this information has been collected and will explain how this information will be used and disclosed.  

 

WLS will not use Health Information beyond the consent provided by you, unless your further consent is obtained or in accordance with one of the exceptions under the Privacy Act or in compliance with another law. If WLS uses your Health Information for research or statistical purposes, it will be de-identified if practicable to do so.  

Use and disclosure of Personal Information  

We only use Personal Information for the purposes for which it is given to us, or for the purposes which are related to one of our functions or activities. Personal information will not be disclosed for marketing purposes.  

 

For the purposes referred to in this Privacy Policy (discussed above under “Collection of Personal and Sensitive Information”), we may also disclose your personal information to other external organisations including:  

  • government departments/agencies who provide funding for WLS;  

  • contractors who manage some of the services we offer. In such circumstances, steps are taken to ensure that the contactors comply with the APPs when they handle Personal Information and are only authorised to use Personal Information in order to deliver the services or perform the functions required by WLS;  

  • doctors and health care professionals, who assist us to deliver our services; 

  • other regulatory bodies, such as WorkCover/WorkSafe; and our professional advisors, including our accountants, auditors and lawyers.  

 

Except as set out above, WLS will not disclose an individual’s personal information to a third party unless one of the following applies:  

  • the individual has consented;  

  • the individual would reasonably expect us to use that information for another purpose related to the purpose for which it was collected (or in the case of sensitive information – directly related to the purpose for which it was collected);  

  • it is otherwise required or authorised by law;  

  • it will prevent or lessen a serious threat to somebody’s life, health or safety or to the public health or safety;  

  • it is reasonably necessary for us to take appropriate action in relation to suspected unlawful activity, or misconduct of a serious nature that relates to our functions or activities;  

  • it is reasonably necessary to assist in locating a missing person;  

  • it is reasonably necessary to establish, exercise or defend a claim at law;  

  • it is reasonably necessary for a confidential dispute resolution process;  

  • it is necessary to provide health services;  

  • It is necessary for the management, funding or monitoring of a health service relevant to public health or public safety;  

  • it is necessary for research or the compilation or analysis of statistics relevant to public health or public safety; or it is reasonably necessary for the enforcement of a law conducted by an enforcement body, in this case WLS will make a written note of the disclosure; 

  • a permitted general situation exists, as defined in s16A of the Privacy Amendment (Enhancing Personal Privacy) Act 2012; or 

  • a permitted health situation exists as outlined by s16B of the Privacy Amendment (Enhancing Personal Privacy) Act 2012.  

 

We do not send personal information out of Australia. If we are legally required to send information overseas we will take all reasonable measures to protect your personal information by gaining your consent to the disclosure, or ensuring that the country of destination has similar protections in relation to privacy, and does not breach the Australian Privacy Principles, or that we enter into contractual arrangements with the recipient of your personal information that safeguards your privacy. Alternatively, if the information is required under Australian law, or if the information is required or authorised under international agreement to which Australia is a party to, or if is reasonably necessary by an enforcement body it may be shared.  

 

For our Out of Home Care placement service, sharing information will be guided by the Department’s Information Sharing Guidelines – To meet the protection and care needs and promote the wellbeing of children. 

Use of Artificial Intelligence (AI) Tools

WLS may use approved AI tools to assist with data analysis, interpretation, and the preparation of internal reports derived from staff-written case notes or incident reports. 
 

  • AI tools will only be used in ways that uphold privacy, confidentiality, and ethical standards.  No personal, sensitive, or identifying information will be entered into public or unapproved AI platforms.
     

  • All AI-generated outputs will be reviewed by a qualified staff member before use or dissemination.
     

  • The use of AI tools will comply with the WLS Artificial Intelligence (AI) Policy and relevant privacy legislation.

Security of Personal Information and Sensitive Information  

WLS takes reasonable steps to protect the Personal Information and Sensitive Information we hold against misuse, interference, loss, unauthorised access, modification, and disclosure.  

 

These steps include

  • password protection or encryption

  • MFA or SSO for accessing our electronic IT systems

  • securing paper files in locked cabinets

  • applying physical access restrictions.

  • only authorised workers are permitted to access our systems and controlled premises. 

  • Where client files are transported out of the office, the records should be moved securely in a non-transparent container (e.g. locked briefcase).  

Archiving 

WLS will maintain a secure archive system for records and information no longer in use. Contents of individual archive boxes will be attached to the outside of each box and kept for the period specified in relevant legislation.

  • Client records will be kept for a period of seven (7) years and general correspondence and documents for two (2) years. 

  • Financial records will be archived in order of financial year in which they occur and kept for a minimum period of seven (7) years.  

  • Workers files will be stored securely with access limited to the CEO. Personnel files of ex-workers will be kept on file for a period of seven (7) years. 

Obsolete documents containing personal information will be shredded or disposed of in such a way that no identifying information is visible. 

Access to and correction of personal information  

If an individual requests access to the Personal Information we hold about them, or seeks to change that Personal Information, upon this request we will give the individual access, unless:  

  • the request does not relate to the personal information of the person making the request;  

  • the request would have an unreasonable impact on the privacy of other individuals;

  • providing access would pose a serious threat to the life, health or safety of a person or to 

  • public health or public safety;  

  • providing access would create an unreasonable impact on the privacy of others; 

  • the request is frivolous and vexatious; 

  • the request relates to existing or anticipated legal proceedings; 

  • providing access would prejudice negotiations with the individuals making the request;  

  • access would be unlawful;  

  • denial of access is authorised or required by law; 

  • access would prejudice an action in relation to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of WLS. 

  • access discloses a ‘commercially sensitive’ decision making process or information; or 

  • any other reason that is provided for in the APPs or in the Privacy Act.  

 

Requests for access and/or correction should be made to the Operations manager or CEO. For security reasons, any request must be made in writing with proof of identity. This is necessary to ensure that personal information is provided only to the correct individuals and that the privacy of other persons is preserved.  

 

In the first instance, WLS will assume (unless otherwise informed) that any request relates to current records. These current records will include personal information which is included in WLS databases and in paper files which may be used on a day to day basis.  

 

We will take all reasonable steps to provide access to the information requested with 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take all reasonable steps to provide access to the information requested within 30 days.  

 

We will provide access by allowing you to inspect, take notes or print outs of personal information that we hold about you.  

 

WLS may charge you reasonable fees to reimburse us for the costs we incur relating to your request for access to information, including in relation to photocopying and delivery cost of information stored off site. For current fees, please contact the administration team.  

 

If we deny access to information, we will set out our reasons for denying access in writing. Where there is a dispute about the right to access information or forms of access, this will be dealt with in accordance with the WLS complaints procedure. More information about this process can be obtained from the Operations Manager.  

 

If an individual is able to establish that personal information WLS holds about them is not accurate, complete or up to date, WLS will take reasonable steps to correct our records unless it is impracticable or unlawful to do so.  

 

In the event a request for change is refused WLS will set out, in writing, the reasons for refusal and the mechanism by which you can complain. We will not charge an individual for making the request or correcting the information.  

Complaints procedure

If you have a complaint about WLS privacy practices or our handling of your Personal Information or Sensitive Information, you may; notify our manager.  

 

  • notify our team in person, by email or over the phone

  • submit confidential feedback by scanning the QR Code at our reception or on our website https://www.welllife.com.au/feedback

 For more information see our Feedback, Complaints and Resolution Policy

 

All efforts will be made to address complaints and achieve an effective resolution of your complaint within a reasonable timeframe. In most cases this will be 30 days or as soon as practicable. However, if the matter is complex, the resolution of the complaint may take longer.  

 

  • All complaints and outcomes will be recorded.  

  • In the event that an anonymous complaint is received we will note the issues raised and where appropriate, investigate and resolve them appropriately.  

  • If concerns cannot be resolved and clients wish to formally complain about how their personal information is managed, or if they believe WLS has breached an APP and/or IPP, they may send their concerns in writing to: 

 

Office of the Information Commissioner, Queensland 

PO Box 10143 
Adelaide Street Brisbane 
Queensland 4000 

Telephone: (07) 3234 7373 
Email: enquiries@oic.qld.gov.au 

Breaches of privacy

WLS are required to disclose a data breach to the Office of Australian Information Commissioner if the data contains personal information that is likely to result in “serious harm”, which includes any of the following: physical, psychological, financial or reputational harm. Personal information is information about an identified individual, or an individual who is reasonably identifiable.  

 

Any staff who identify a potential breach must immediately inform their line manager, who must report to the CEO or Operations Manager for further action. The date breach incident, risk assessments and treatments and continuous improvements must be documented in line with the WLS Risk Management Policy and Framework.

References

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

  • Queensland Information Privacy Act 2009 (for QLD‑government‑funded programs)

  • NDIS Quality & Safeguards

    • Practice Standards Core Modules (Rights & Responsibilities; Provider Governance)

  • Human Services Quality (HSQF)Standards

  • Child Safety Standards

Related Documents

​This policy should be read in conjunction with the following WLS policies, procedures, and documents. These documents provide additional guidance, outline related responsibilities, or support compliance with legislative, regulatory, and organisational requirements. Where applicable, they must be used together to ensure consistent practice, safety, and alignment with WLS values and standards.

​

  • 1.5 Client Rights and Responsibilities Policy

  • 1.8 Qld Child Safe Policy

  • 3.11 Child Protection Incident Management Policy and Procedure

  • 3.13 Child Protection Client Safety and Wellbeing Policy and Procedure

  • 4.1 Feedback and Complaints Resolution Policy

  • 4.2 Child Protection Feedback, Complaints, and Appeals Policy and Procedure

  • 6.11 Incident and Reportable Incident Policy

  • 6.19 Person Centred Practice Approach

  • 6.2 Compliance policy

  • 6.23 Quality Management and Continuous Improvement Policy

  • 6.3 Code of Conduct

  • 6.42 Telephone, Mobile, Email and Internet Policy

  • 6.421 Artificial Intelligence Policy

  • 6.9 Risk Management Policy and Framework

A review of this policy

This policy will be reviewed on a two-yearly basis. However, if at any time the legislative, policy or funding environment is so altered that the Policy is no longer appropriate in its current form, the Policy will be reviewed immediately and amended accordingly.

Definitions & Abbreviations

Client / Clients

Clients refers to all individuals who access or receive services from WLS. This includes children, young people, privately funded clients and NDIS participants as well as individuals supported through youth residential care, support coordination, lifestyle support services, and allied health programs. Clients may also include families and carers where they are engaged as part of children, young people, privately funded clients or NDIS participant’s support network.

This term is used interchangeably with Service Users. 

​

Ensure or ensuring

Where either term is used in respect of work health and safety, the term is qualified by s 18 of the WHS Act to ‘ensure’, so far as is reasonably practicable, the health and safety of Workers and other persons.

 

Health Information

Health Information is information or an opinion about: 

  • the physical, mental or psychological health (at any time) of an individual 

  • a disability (at any time) of an individual 

  • an individual’s expressed wishes about the future provision of health services to him or her 

  • a health service that is provided or to be provided to an individual; 

  • other Personal Information collected to provide, or in providing, a Health Service 

  • other Personal Information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances 

other Personal Information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants. 

 

Health Service

Health Service means an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it: 

  • to assess, record, maintain or improve the individual’s health; or 

  •  to diagnose the individual’s illness or disability; or  

  • to treat the individual’s illness or disability or suspected illness or disability; or  

the dispensing of a prescription drug or medicinal preparation by a pharmacist.  

​

IP Act Program

An IP Act Program is a WLS-delivered program that meets all or some of the following criteria:

  • Funded by a Queensland Government department such as the QLD Department of Families, Seniors, Disability Services and Child Safety (examples of such funding appear in several program agreements in your system, where the Funding Party is “Dept of CS”).

  • Contractually bound to comply with the Queensland Information Privacy Act 2009 as a condition of funding or service delivery.

  • Handles personal information in the course of delivering services on behalf of, or under agreement with, a Queensland Government entity.

Requires staff to apply the Information Privacy Principles (IPPs) as the primary privacy framework for that program, unless a contract specifies APPs in addition to the IP Act.

 

Person Centred Practice

Person‑centred practice places the person at the centre of all decision‑making, ensuring supports are built around what matters most to them, their preferences, their culture, their goals, and their wider life circumstances. It prioritises autonomy, participation, and meaningful engagement in planning and support delivery.

According to NDIS evidence reviews, “‘Person‑centred’ puts the person at the centre of their own life, focusing on their needs and circumstances, including making decisions in service planning and delivery.” [ndiscommis...ion.gov.au]

 

Personal Information

Personal Information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.  

 

Reasonably Necessary

refers to situations where using or disclosing personal information is needed to carry out a lawful, legitimate, and proportionate action. For example:

  • taking action about suspected unlawful or serious misconduct related to WLS functions or activities

  • helping locate a missing person

  • establishing, exercising, or defending a legal claim

  • participating in a confidential dispute resolution process

  • providing or managing health services

  • supporting research or statistical activities relevant to public safety

  • assisting law‑enforcement agencies in enforcing the law

 

Sensitive Information

Sensitive Information means information or an opinion about an individual’s

  • racial or ethnic origin;  

  • political opinion, or membership of a political association; 

  • religious beliefs or affiliations;  

  • philosophical beliefs;  

  • membership of a professional or trade association;  

  • membership of a trade union;  

  • sexual preferences or practices;  

  • criminal record; or  

  • health, genetic, biometric information or biometric templates  

 

Worker

Refers to any individual who carries out work in in the business or undertaking of WLS.

This includes:

  • Employees (full-time, part-time, casual)

  • Contractors & Subcontractors

  • Volunteers

  • Students on placement

  • Agency staff

It may include other persons who carries out work in the business or undertaking of WLS. For clarity, a contractor engaged by WLS to perform construction and / or other trade or supply works for example is not another person carrying out work in the business or undertaking of WLS.

All Workers are expected to uphold the WLS values, comply with relevant

legislation and policies, and contribute to a safe, inclusive, and respectful

environment for children, young people, participants, colleagues, and the

community.

 

Abbreviations

​

APP -Australian Privacy Principal

IPP - Information Privacy Principles

WLS - Well Life Services

MFA - Multi-Factor Authentication

bottom of page