Confidentiality and Privacy Policy and Procedures
1. Purpose
This policy is necessary because:
- By the nature of the work being carried out, it is necessary for participants to entrust sensitive information to the practitioner.
- It is also frequently necessary, in line with best practices in PBS, to communicate and share information amongst stakeholders, which will often include staff of other organisations.
- Participants have the legal right to determine how their information is handled and with whom it is shared.
- There are also some rare circumstances when the practitioner is obliged to share the client's information with external parties, potentially without the client's knowledge or consent (when ordered by a court or statutory authority, or where there is serious safety risk).
2. Policy Statement
This policy will achieve the following:
- Clients will be informed how their information is stored and the circumstances under which it is shared with external parties.
- Information shared by clients with the practitioner will be kept private and confidential at all times, unless:
  - They have provided consent for the information to be shared with other stakeholders involved in the case.
  - They have provided consent for independent auditors, the NDIS Quality and Safeguards Commission and/or the National Disability Insurance Agency to review their information (for instance, for quality assurance purposes).
  - Exigent circumstances oblige the practitioner to share the information with external parties. These circumstances can include:
    - when sharing the information is necessary to safeguard the participant or others (as outlined in the Safeguarding Policy),
    - when subpoenaed by a legal entity, and
    - under reporting requirements (including NDIS reportable incidents requirements).
3. Procedures
In order to achieve the above, the following steps will be followed.
- All participants (or their guardian) will provide written consent to the collection and sharing of their information (via the service agreement).
- All clients will be informed of the limits of confidentiality (as above) at the outset of service.
- Information will only be shared with other parties when the client has given consent (except where the law requires otherwise).
- Clients will sign a new service agreement at the commencement of each new plan period.
- Clients will be informed how they can withdraw their consent for the organisation to handle or share their information at any time.
- Any client information shared with external parties in the course of professional development (for instance, clinical supervision) will have all identifying details removed or obscured.
- All information pertaining to reportable incidents will be kept for a period of at least seven years.
- Participants can request access to, or correction of, their personal information at any time; requests will be actioned within 30 days.
- In the event of a Notifiable Data Breach, the practitioner will comply with the Notifiable Data Breach scheme requirements, including notifying affected individuals and the OAIC.
- Privacy enquiries can be directed to Eddie Drury (Privacy Officer) via eddie@eddiedrurypbs.com.au or 0412 121 003.
- Consent to share information will be tracked in a central register under each client's casefile, including:
  - Who gave the consent.
  - When the consent was given.
  - Who they gave consent to share information with.
  - How the consent was given.
  - Any exclusions or conditions on what information can be shared and how it can be shared.
Clients' information will be stored securely through the following means:
- Digital client records will only be stored on devices protected by a login password and full-disk encryption.
- Physical copies of information will be stored securely (i.e. held by the practitioner or in locked premises).
- All physical copies of data must be destroyed once they are no longer required.
- Third-party IT services contracted to store client information (e.g. email servers, off-site backup services) must be delivered by well-known, reputable companies whose policies explicitly state that their staff are never permitted access to the information.
In accordance with the Notifiable Data Breaches scheme, a notifiable data breach occurs when:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds,
- This is likely to result in serious harm to one or more individuals, and
- The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
If this occurs, the provider is required to notify the Office of the Australian Information Commissioner and any affected individuals.
4. References
- Service Agreement
- Privacy Act 1988
- Australian Privacy Principles (https://www.oaic.gov.au/privacy/australian-privacy-principles)
- Notifiable Data Breaches scheme (https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme)