Privacy Policy - OzChild

OZCHILD POLICY SERVICE USERS PRIVACY

Policy Number: Service Delivery 12.4

Version Number: 2

Endorsed by: SLT, Date Endorsed: 19 May 2014

Approved by: CEO, Date Approved: 19 May 2014

Responsible Officer: Senior Manager, Workforce and Culture

Notional Review Date: Ongoing – review when / if required

1. POLICY

OzChild is committed to protecting the privacy of personal information collected by the organisation and is bound by the Australian Privacy Principles in the Privacy Act 1998 (Cth), the Information Privacy Principles in the Information Privacy Act 2000 (Vic) and the Health Privacy Principles in the Health Records Act 2001 (Vic) (Privacy Legislation) which regulate how organisations may collect, use, disclose and store personal information and how individuals may access and correct personal information held about them.

In the event that OzChild is sold or the business is transferred and OzChild will not be providing health services in the new business, the provisions of Health Privacy Principles 10 and 11 of the Health Records Act will apply.

This privacy policy outlines how OzChild handles personal information collected from clients and their families, volunteers and supporters.

Personal Information collected from employed team members is subject to a separate policy (refer Policy No 2.14 Team Member Privacy).

OzChild collects and handles a range of personal information for the purposes of delivering services. The services OzChild offers are referred to as “our services” and include:

• foster and kinship care;

• family and disability services;

• education and training.

OzChild will take reasonable steps to ensure that the personal information that is collected, used or disclosed is relevant, accurate, complete and up to date.

Where lawful and practicable, OzChild will take all reasonable steps to comply with a request to access services and information on an anonymous basis or using a pseudonym, however OzChild may not be able to deliver the services in question if an individual does not provide OzChild with the personal information requested

OzChild’s Privacy Policy will be publicly displayed on the OzChild web site in the form
of a ‘reader friendly’ “Privacy Statement” (see Attachment 1).

OzChild reserves the right to review, amend and / or update this policy and the web
site’s “Privacy Statement” from time to time.

2. PROCEDURE

2.1 Collecting Personal Information

OzChild collects personal information in a number of different ways including (but not limited to) telephone calls, by email, form completion and through the OzChild website.

OzChild will only collect information if it is relevant and reasonably necessary for an OzChild function or activity or to enable OzChild to deliver a service. The information will be collected by lawful and fair means.

OzChild will usually collect personal information directly from an individual, however sometimes information may need to be collected from a third party such as a carer, family member, trustee or authorised representative or from public sources.

OzChild will not normally adopt as its’ own an identifier of an individual that has been assigned by other organisations but will assign its’ own unique identifier to an individual.

OzChild will not disclose an identifier assigned to an individual unless the disclosure is permitted under the Privacy Legislation.

2.1.1 Collecting Confidential Information

If personal information about an individual is given in confidence to OzChild by a person other than the individual or a health services provider (who provides the service to the individual) with a request that the information must not be communicated to the individual to whom it relates, OzChild will:

• confirm with the person that the information is to remain confidential;

• record the information only if it is relevant to the provision of OzChild’s
service or the care of the individual;

• take reasonable steps to ensure that the information is accurate and not misleading; and

• take reasonable steps to record that the information is given in confidence and is to remain confidential.

In addition to the relevance of the request, in terms of health information, at least one of the following will also apply:

• the individual has consented;

• it is legally required;

• the information is necessary to provide the health service and the individual is incapable of giving consent;

• communication of the information is governed by other stipulations as outlined in the Health Records Act.

2.1.2 Collecting Sensitive Information

Sometimes OzChild may need to collect sensitive information about an individual to be able to provide services to the individual.

This might include information about the individual’s health, racial or ethnic origin, political opinions, association membership, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

As part of administering OzChild’s services, health information may be collected. For example, OzChild collects health information (such as medical history) from some clients or beneficiaries who obtain services.

When collecting health information from an individual OzChild will obtain the individual’s consent for the collection and explain how the information will be used and disclosed.

If OzChild collects health information from a third-party (such as a treating doctor) OzChild will inform the individual that this information has been collected and will explain how this information will be used and disclosed.

2.2 Use and Disclosure of Personal Information

OzChild will normally use or disclose personal information only for the purposes that it was given and for purposes that are related to one of OzChild’s functions or activities or to enable OzChild to provide a service.

OzChild may disclose an individual’s personal information to external organisations,
including:

• Government departments or agencies who provide funding for OzChild’s
services;

• Contractors who manage some of the services that OzChild offers to individuals.
OzChild will take steps to ensure that contractors comply with the Privacy
Legislation when they handle an individual’s personal information. Contractors are authorised only to use personal information in order to provide the services or
to perform the functions required by OzChild for an individual or group of
individuals;

• Doctors and other health care professionals who assist OzChild to deliver services;

• Other regulatory bodies;

• Referees or former employers of OzChild team members and volunteers and candidates for OzChild team member and volunteer positions; and;
• OzChild’s professional advisors, including accountants, auditors and lawyers. Except as set out above, OzChild will not disclose an individual’s personal information
to a third party unless one of the following applies:

• The individual (or the person who has authority to represent the individual) has consented;

• OzChild believes an individual would reasonably expect the organisation to use or disclose the information for another purpose related to the purpose for which it was collected (or in the case of sensitive information, directly related to the purpose for which it was collected);

• OzChild is legally required to disclose the information or it is reasonably necessary for the enforcement of a law conducted by an enforcement body;

• Disclosure will prevent or lessen a serious or imminent threat to somebody’s life,
health or safety or to public health or safety;

• Disclosure is necessary to provide a public health service;

• Disclosure is necessary for the management, funding or monitoring of a health service relevant to public health or safety;

• It is reasonably necessary to assist in locating a missing person;

• It is reasonably necessary to assist the conduct of proceedings before a court or tribunal, or for a confidential disputes resolution process; or

• Disclosure is necessary for research or the compilation or analysis of statistics relevant to public health or public safety.

OzChild will not usually send personal information out of Australia. If OzChild is required to send information overseas it will take measures to protect an individual’s personal information by either ensuring that the destination country has similar protections as Australia in relation to privacy, or that OzChild enters into contractual arrangements with the recipient of an individual’s personal information that safeguards their privacy.

2.3 Storing Personal Information

OzChild will take reasonable steps to protect personal information on hold from misuse, loss or interference and also from unauthorised access, modification and disclosure.

These measures will include password protection for accessing electronic IT systems, security of paper files in locked cabinets and physical access restrictions.

Only people with valid and appropriate authorisation will be permitted to access these details.

OzChild will only keep personal information for as long as it is required to be kept. Information that is retained will be archived in such a way that facilitates easy retrieval, yet does not compromise security.

When personal information is no longer required to be kept it will be de-identified or destroyed in a secure manner.

2.4 Accessing and Correcting Personal Information

If an individual requests access to the personal information OzChild holds about them or requests that the personal information is changed, OzChild will allow access or make the changes to the personal information unless it is considered that there is a sound reason under the Privacy Legislation to withhold the information or not to make the changes.

.Requests for access can be made to the Senior Manager Workforce and Culture who is OzChild’s Privacy Officer (see Clause 4 – How to Contact OzChild’s Privacy Officer). To ensure privacy is protected and security maintained a written request accompanied by proof of identity is required. This is necessary to ensure that personal information is only provided to the correct individual and the privacy of others is not undermined.

OzChild will take all reasonable steps to provide access or the requested information within 14 days of the request. In situations where the request is complicated or requires access to a large volume of information, reasonable steps will be taken to provide access to the requested information within 30 days.

OzChild may charge reasonable fees to reimburse costs incurred in responding to the request for access to information, including in relation to photocopying and delivery cost of information stored off site. The Privacy Officer can be contacted to obtain details of current fees.

Access to information may be denied where:

• the request does not relate to the personal information of the person making the request;

• Providing access would pose a serious threat to the life, health or safety of the person making the request;

• Providing the information would have an unreasonable impact on the privacy of other individuals;

• the request for access is frivolous or vexatious;

• the information relates to existing or anticipated legal proceedings;

• providing access would prejudice negotiations with the individual making the request;

• providing access would be unlawful;

• denying access is required or authorised by law;

• access would disclose a commercially sensitive decision-making process or information;

• providing access would be likely to prejudice:

• law enforcement activities or

• an action relating to suspected unlawful activity or misconduct of a serious nature relating to the functions or activities of OzChild;

• any other reason that is provided for under the Privacy Legislation.

Where an individual is given access to personal information and establishes that the information is not accurate, complete or up to date OzChild will take reasonable steps to correct the information.

If the individual and OzChild disagree about the content of the information the individual may request OzChild to add a statement claiming that the information is not accurate, complete or up to date. Oz Child will take all reasonable steps to do this.

If OzChild refuses to provide access or make changes it will provide reasons for doing so to the individual.

Upon request for access to or correction of personal information Oz Child will:

• provide access or reasons for denial of access;

• correct the personal information or provide reasons for refusal to correct personal information;

• provide reasons for any delays in responding to the request that are outside of the established response-time guidelines.

If OzChild denies access to information it will provide reasons for denying access. Any dispute about an individual’s right of access to information or forms of access will be dealt with in accordance with the Privacy complaints procedure (see Clause 3 – Complaints).

3. COMPLAINTS

If an individual has provided OzChild with personal and sensitive information or OzChild has collected and holds personal and sensitive information, the individual has a right to make a complaint if they feel aggrieved and have it investigated and dealt with promptly.

Complaints about OzChild’s privacy practices or the manner in which personal and sensitive information is handled can be lodged with OzChild’s Privacy Officer (see Clause 4 – How to Contact OzChild’s Privacy Officer).

All complaints will be confidentially logged on OzChild’s database.

4. HOW TO CONTACT OZCHILD’S PRIVACY OFFICER

Requests for further information or comments / feedback about OzChild’s privacy
policy can be directed to the Privacy Officer:

By Email privacy@ozchild.org.au or

By Post OzChild Privacy Officer, PO Box 1312 South Melbourne 3205

By Phone: (03) 9695 2200 (switchboard)

PRIVACY STATEMENT (OzChild web site) ATTACHMENT 1

OzChild is committed to protecting the privacy of your personal information. This privacy statement outlines how we handle your personal information.

We are bound by the Australian Privacy Principles in the Privacy Act 1998 (Cth), the Information Privacy Principles in the Information Privacy Act 2000 (Vic) and the Health Privacy Principles in the Health Records Act 2001 (Vic) (Privacy Legislation) which regulate how organisations may collect, use, disclose and store personal information, and how individuals may access and correct personal information held about them.

Whose personal information do we collect?

We collect personal information from our staff, clients and their families, volunteers and supporters of OzChild.

How does OzChild collect your personal information?

We collect and handle a range of personal information for the purposes of carrying out our services. The services OzChild offers include:

• foster and kinship care;
• family and disability services;
• education and training; and;

For the purposes of this privacy statement, these services are referred to as “our services”.

OzChild collects personal information in a number of different ways, for example when you contact us, through forms, telephone and through our website.

What personal information does OzChild collect?

We will only collect information if it is relevant and reasonably necessary for one of our functions or activities. The information will be collected by lawful and fair means.

OzChild will usually collect personal information directly from you. However, we sometimes need to collect information from a third party, such as your carer, trustee or authorised representative, or from public sources.

Confidential information

If personal information is given in confidence to us in our role as a health service provider about an individual by a person other than the individual or a health services provider (who provides the service to the individual) with a request that the information must not be communicated to the individual to whom it relates, we will:

• confirm with the person that the information is to remain confidential; and
• record the information only if it is relevant to the provision of our service or the care of the individual;
• take reasonable steps to ensure that the information is accurate and not misleading;
• take reasonable steps to record that the information is given in confidence and is to remain confidential;

In addition to the relevance of the request, in terms of health information, at least one of the following is also required:

• you must have consented;
• it is legally required;
• the information is necessary to provide the health service and you are incapable of giving consent;
• other stipulations as outlined in the Health Records Act;

Collecting sensitive information

Sometimes we may need to collect sensitive information about you, for example, to provide our services to you. This might include information about your health, racial or ethnic origin, political opinions, association membership, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

As part of administering our services, we may collect health information. For example, OzChild collects health information (such as medical history) from some clients or beneficiaries who obtain our services.

When collecting health information from you, we will obtain your consent to such collection and explain how the information will be used and disclosed.

If we collect health information from a third-party (such as your doctor) we will inform you that this information has been collected and will explain how this information will be used and disclosed.

Use and disclosure

We will normally use or disclose your personal information only for the purposes that it was given to us, and for purposes that are related to one of our functions or activities.

We may disclose your personal information to external organisations, including:

• Government departments or agencies who provide funding for OzChild’s services;
• Contractors who manage some of the services that we offer to you. We take steps to ensure that these contractors comply with the Privacy Legislation when they handle your personal information and they are authorised only to use personal information in order to provide the services or to perform the functions required by OzChild;
• Doctors and health care professionals who assist us to deliver our services;
• Other regulatory bodies;
• Referees or former employers of OzChild employees and volunteers, and candidates for
OzChild employee and volunteer positions; and
• Our professional advisors, including our accountants, auditors and lawyers.

Except as set out above, we will not disclose your personal information to a third party unless one of the following applies:

• You (or the individual for whom you are the representative) have consented;
• If we believe you would reasonably expect us to use or disclose the information for another purpose related to the purpose for which it was collected (or in the case of sensitive information, directly related to the purpose for which it was collected);
• If required to do so by law;
• If it will prevent or lessen a serious or imminent threat to somebody’s life, health or
safety or to public health or safety;
• It is necessary to provide a public health service;
• It is necessary for the management, funding or monitoring of a health service relevant to public health or safety;
• If it is reasonably necessary for the enforcement of a law conducted by an enforcement body;
• It is reasonably necessary to assist in locating a missing person;
• It is reasonably necessary to the conduct of proceedings before a court or tribunal, or for a confidential disputes resolution process; or
• It is necessary for research or the compilation or analysis of statistics relevant to public health or public safety.

Quality of the Information that we hold

We take reasonable steps to ensure that the personal information that we collect, use or disclose is relevant, accurate, complete and up to date.

Security of the Information that we hold

We take reasonable steps to protect the personal information that we hold from misuse, loss, interference and from unauthorised access, modification and disclosure. These measures include password protection for accessing our electronic IT systems, securing paper files in locked cabinets and physical access restrictions. Only authorised personnel are permitted to access these details.

Retention and disposal of information

We only keep personal information for as long as is required. Information that is retained will be archived in such a way that facilitates easy retrieval, yet does not compromise security. When personal information is no longer required it is destroyed in a secure manner or de- identified.

Access and correction of information that we hold

If you request access to the personal information we hold about you, or request that we change that personal information, we will allow access or make the changes to your personal information unless we consider there is a sound reason under the Privacy Legislation to withhold the information or not to make the changes.

Requests for access should be made to the Privacy Officer (details of which are set out below). For security reasons, you will be required to put your request in writing and provide proof of identity. This is necessary to ensure that personal information is only provided to the correct individuals and the privacy of others is not undermined.

We will take all reasonable steps to provide access or the requested information within 14 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take reasonable steps to provide access to the requested information within 30 days.

OzChild may charge you reasonable fees to reimburse us for the cost we incur relating to your request for access to information, including in relation to photocopying and delivery cost of information stored off site. For current fees, please contact OzChild’s Privacy Officer.

In general, access will be denied where:

• the request does not relate to the personal information of the person making the request;
• Providing access would pose a serious threat to the life, health or safety of the person making the requests;
• Providing the information would have an unreasonable impact on the privacy of other individuals;
• the request for access is frivolous or vexatious;
• the information relates to existing or anticipated legal proceedings;
• providing access would prejudice negotiations with the individual making the request;
• providing access would be unlawful;
• denying access is required or authorised by law;
• providing access would be likely to prejudice:
• law enforcement activities;
• an action relating to suspected unlawful activity, or misconduct of a serious nature relating to the functions or activities of OzChild;
• access discloses a commercially sensitive decision-making process or information; or
• any other reason that is provided for under the Privacy Legislation.

Where an individual is given access to personal information and establishes that the information is not accurate, complete or up to date, OzChild will take reasonable steps to correct the information accordingly. If the individual and OzChild disagree about the content of the information, the individual may request OzChild to add a statement claiming that the information is not accurate, complete or up to date.

OzChild will take all reasonable steps to do this.

If OzChild refuses to provide access or make changes, it will provide reasons for doing so to the individual.

Upon request for access to or correction of personal information Oz Child will:

• provide access or reasons for denial of access
• correct the personal information or provide reasons for refusal to correct personal information
• provide reasons for the delay in responding as soon as practicable but no later than 30 days after receiving the request.

If we deny access to information we will set our reasons for denying access.

Where there is a dispute about your right of access to information or forms of access, this will be dealt with in accordance with the complaints procedure set out below.

Unique identifiers

We will not normally adopt as our own an identifier of an individual that has been assigned by other organisations. We will not disclose an identifier assigned to an individual unless the disclosure is permitted under the Privacy Legislation.

Anonymity

Where lawful and practicable, OzChild will take all reasonable steps to comply with a request to access our services on an anonymous basis or using a pseudonym. However, we may not be able to deliver the services in question if you do not provide us with the personal information requested.

Trans-border data flows

We do not usually send personal information out of Australia.

If we are otherwise required to send information overseas we will take measures to protect your personal information, by either ensuring that the destination country has similar protections in relation to privacy or that we enter into contractual arrangements with the recipient of your personal information that safeguards your privacy.

Transfer or closure of a health service provider

In the event that OzChild is sold or the business is transferred and OzChild will not be providing health services in the new business, the provisions of Health Privacy Principles 10 and 11 of the Health Records Act will apply.

Complaints procedure

If you have provided us with personal and sensitive information, or we have collected and hold your personal and sensitive information, you have a right to make a complaint and have it investigated and dealt with under this complaints procedure.

All complaints will be logged on our database.

If you have a complaint about OzChild’s privacy practices or our handling of your personal and sensitive information please contact our Privacy Officer.

How to contact OzChild’s Privacy Officer

Requests for further information or comments / feedback about OzChild’s privacy statement can be directed to the Privacy Officer:

By Email privacy@ozchild.org.au or

By Post OzChild Privacy Officer, PO Box 1312 South Melbourne 3205

By Phone: (03) 9695 2200 (switchboard)

Changes to this privacy statement

OzChild reserves the right to review, amend and/or update this privacy statement from time to time.

X