ACSO collects information about clients to help us provide an effective service. However, this process is carefully controlled. Protecting privacy is something we value highly.
ACSO is strongly committed to protecting its clients’ rights to privacy, and complies with the Information Privacy Act 2000, including the Privacy Amendment (Enhancing Privacy Protection) Act 2012, and the Health Records Act 2001. This policy applies to both personal and health information held by ACSO.
Personal information means information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For example: address, marital status or family history. Health information means information or an opinion about the physical, mental or psychological health or disability of an individual; or an individual’s expressed wishes about the future provision of health services to him or her. For example: a medical diagnosis.
ACSO complies with the eleven Health Privacy Principles (HPPs) contained in the Health Records Act, and the thirteen Australian Privacy Principles (APPs) contained in the Information Privacy Act and subsequent Amendments
ACSO will only collect personal information that is necessary for specific and legitimate functions and activities and either:
· Has the individual’s consent, or
· Is required or permitted by law, or
· For any other reason permitted in the Act.
The information will be collected by a fair and lawful means and not in an unreasonably intrusive way.
ACSO will provide details of:
· Why the personal information is being collected
· How that information can be accessed
· The purpose for which the information is collected
· With whom ACSO will share the information
· Any relevant laws, and
· The consequences for the individual if all or part of the information is not collected.
Under normal circumstances ACSO must collect personal information about an individual only from that individual. However, if ACSO collects personal information about an individual from someone else, ACSO will take all reasonable steps to ensure that individual is informed of his or her rights relating to the information collected.
All personal and health information about clients that is collected by ACSO will be adequately stored, recorded and accessible within Penelope Case Management. All reasonable security precautions are in place to safeguard the information collected.
ACSO’s complaints resolution processes will be fair and equitable and the privacy, confidentiality and dignity of the complainant shall be maintained. All complaints shall be investigated and followed up promptly and courteously with active engagement of the complainant and/or their representative. All complaints received will be documented in the ACSO complaints register or RiskMan® database for auditing by funding and accreditation bodies, to enable review of complaints received, identify any trends or issues and identify opportunities for improvement.
Use and Disclosure
ACSO keeps records to:
· Provide an historical account of the operations and activities to facilitate sound decision-making
· Provide evidence of treatment, service delivery and decisions, for purposes of accountability
· Meet service delivery requirements
· Minimise or eliminate risks of poor decision-making arising from gaps in information and background.
ACSO uses the information collected to:
· Provide support for individuals accessing our services and their families
· Link them to other services to enhance their quality of life and enable their inclusion in the everyday life of their communities.
ACSO will not use or disclose personal information for a purpose other than:
· The primary purpose for which it was collected, or
· A directly related secondary purpose the person would reasonably expect, or
· For those conditions specified in the Acts, or
· Where the use or disclosure is specifically authorised under another Act, or
· Where consent has been obtained from the individual.
ACSO may use or disclose personal information for a secondary purpose if reasonable necessary as specified under the Act.
ACSO will take steps that are reasonable in the circumstance to make sure that, having regard to the purpose for which the information is to be used, that the personal and health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.
Data Security and Data Retention
ACSO will take reasonable steps to protect the personal information it holds from misuse and loss from unauthorised access, modification or disclosure. ACSO’s client files will be stored, recorded and accessible within the Penelope Case Management System. The system safeguards the personal information from loss, misuse, unauthorised access and disclosure. ACSO will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. ACSO will not delete health information unless it is allowed under the Health Records Act 2001.
ACSO will make publicly available its policies relating to its management of personal and health information, and the steps that an individual must take in order to obtain access to their health information. On request, ACSO will take reasonable steps to provide individuals with general information on the types of personal information it holds and for what purposes and how it collects, holds, uses and discloses that information.
Access and Correction
ACSO will provide an individual with access to their personal and health information upon request, except in specific circumstances as outlined within the Act. Where ACSO holds personal or health information about an individual and the individual is able to establish that information is incorrect, ACSO will take reasonable steps to correct information as soon as is practicable but within 30 days of the request.
If ACSO, however denies access or correction to such information then the Council will provide the individual with reasons for such decision. In the event that the Council and an individual disagree about the veracity of the personal or health information held by ACSO, then if requested by the individual, ACSO will take reasonable steps to record a statement relating to the disputed information.
A unique identifier (usually a number) is assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation but does not include an identifier that consists only of the individual’s name.
ACSO will not assign, adopt, use, disclose or require unique identifiers from individuals, except for the course of conducting its functions efficiently, or if required by law. ACSO will not adopt as its own identifier of an individual or an identifier that has been assigned by a public sector organisation unless the individual gives consent, or required or authorised by law.
ACSO will only use or disclose unique identifiers assigned to individuals by other organisations, if the individual consents to the use and disclosure, or the conditions for use and disclosure set out within the Acts are satisfied.
Wherever it is lawful and practicable individuals must have the option of not identifying themselves or of using a pseudonym when entering transactions with ACSO.
Trans-border Data Flows
ACSO may transfer personal or health information outside Victoria only if that data transfer conforms to the reasons and conditions outlined within the Act.
Sensitive information is information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices or criminal record. ACSO will only collect sensitive information about an individual if the individual consents to the collection and the information is reasonably necessary for ACSO’s functions or activities or an exception apples under the Act.
Closure of the Practice of Health Service Provider
If ACSO discontinues its health services it will give notice of the closure to past service users directly and by way of notice in a metropolitan newspaper.
Making information available to another health service provider
ACSO will make health information relating to an individual available to another health service provider if requested to do so by the individual.
Dealing with Unsolicited Personal Information
If ACSO receives unsolicited information and determines, according to “APP3 Collection of Solicited Personal Information”, that it could not have been collected, then ACSO must destroy the information or de-identify it as soon as practicable, but only if it is lawful to do so.
If the unsolicited personal information is determined that it could have been collected by ACSO under the APP3 ACSO will apply the principles 5-13 as if it had collected the information under the APP3.
ACSO will not disclose any information for the purposes of direct marketing.