__________________________________________________
CONFIDENTIALITY AND PRIVACY POLICY AND PROCEDURES
__________________________________________________

1 Purpose
=========

This policy is necessary because:

- By the nature of the work being carried out, it is necessary for participants to entrust sensitive information to the practitioner.
- It is also frequently necessary, in line with best practices in PBS, to communicate and share information amongst stakeholders, which will often include staff of other organisations.
- Participants have the legal right to determine how their information is handled and with whom it is shared.
- There are also some rare circumstances in which the practitioner is obliged to share the client's information with external parties, potentially without the client's knowledge or consent (when ordered by a court or statutory authority, or where there is a serious safety risk).

2 Policy Statement
==================

This policy will achieve the following:

- Clients will be informed how their information is stored and the circumstances under which it is shared with external parties.
- Information shared by clients with the practitioner will be kept private and confidential at all times, unless:
  - They have provided consent for the information to be shared with other stakeholders involved in the case.
  - They have provided consent for independent auditors, the NDIS Quality and Safeguards Commission and/or the National Disability Insurance Agency to review their information (for instance, for quality assurance purposes).
  - Exigent circumstances oblige the practitioner to share the information with external parties. These circumstances can include:
    - when sharing the information is necessary to safeguard the participant or others (as outlined in the Safeguarding Policy),
    - when subpoenaed by a legal entity, and
    - under reporting requirements (including NDIS reportable incident requirements).

3 Procedures
============

In order to achieve the above, the following steps will be followed.

- All participants (or their guardian) will provide written consent to the collection and sharing of their information (via the service agreement).
- All clients will be informed of the limits of confidentiality (as above) at the outset of service.
- Information will only be shared with other parties when the client has given consent (except where the law requires otherwise).
- Clients will sign a new service agreement at the commencement of each new plan period.
- Clients will be informed how they can withdraw their consent for the organisation to handle or share their information at any time.
- Any client information shared with external parties in the course of professional development (for instance, clinical supervision) will have all identifying details removed or obscured.
- All information pertaining to reportable incidents will be kept for a period of at least seven years.
- Participants can request access to, or correction of, their personal information at any time; requests will be actioned within 30 days.
- In the event of a notifiable data breach, the practitioner will comply with the Notifiable Data Breach scheme requirements, including notifying affected individuals and the OAIC.
- Privacy enquiries can be directed to Eddie Drury (Privacy Officer) via eddie@eddiedrurypbs.com.au or 0412 121 003.

Clients' information will be stored securely through the following means:

- Digital client records will only be stored on password-protected devices with full-disk encryption.
- Physical copies of information will be stored securely (i.e. held with the practitioner or in locked premises).
- All physical copies of data must be destroyed once they are no longer required.
- Third-party IT services contracted to store client information (e.g. email servers or off-site backup services) must be delivered by well-known, reputable companies, with policies explicitly stating that their staff are never permitted access to the information.

4 References
============

- Service Agreement
- Privacy Act 1988
- Australian Privacy Principles ()
- Notifiable Data Breaches scheme ()