This Privacy and Confidentiality Policy defines the way in which personal and other confidential information collected or created by members of the Ability Options Community, is to be protected.
Personal Information – Ability Options is committed to protecting the privacy and confidentiality of personal information which the organisation collects, holds and administers about various stakeholders including, but not limited to, employees and service participants. Personal information will not be disclosed to any unauthorised third party without the consent of the individual.
All personal information, including sensitive information, collected by Ability Options, is collected in accordance with the Privacy Act 1988 and the Australian Privacy Principles (Privacy Amendment (Enhancing Privacy Protection) Act 2012). This policy also ensures compliance with the National Disability Service Standards and Article 22 of the United Nations Convention of the Rights of Persons with Disabilities.
Corporate Information – Ability Options is committed to protecting the confidentiality of commercially sensitive information regarding its business activities.
Confidential information must never be used for personal gain.
Ability Options takes reasonable steps to protect any personal or corporate information received from clients, families, employees, volunteers or other service providers. These steps apply to the way the organisation collects, stores, uses or discloses these types of information. The type of information we collect, and the way we use this will depend on the individual’s relationship with Ability Options (e.g. as a client, family member/carer, employee, volunteer or other service provider).
All Ability Options People must comply with the standards detailed in this Policy and must not release personal or confidential information without proper authorisation.
In brief the Privacy and Confidentiality Policy explains:
- the kinds of personal information collected by the organisation
- how the organisation keeps personal information secure
- the ways the organisation collects personal information
- the purposes for which personal information is collected, held, used and disclosed
- how individuals can access, update or correct their personal information
- how an individuals can make a complaint if they feel Ability Options has breached the Australian Privacy Principles.
A breach of this Policy by an employee may result in disciplinary action up to and including termination of employment, or for non-employees, other appropriate sanctions, including legal action.
Ability Options Community: all persons involved in all current, and future and new business operations under the direction of Ability Options. The Ability Options Community is referred to in this policy as Ability Options.
Australian Privacy Principles (APP):
- legally binding principles which are the cornerstone of the privacy protection framework in the Privacy Act,
- set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information,
- apply to most Australian Government agencies and some private sector organisations — collectively referred to as APP entities.
The APPs are grouped into five parts to reflect the personal information lifecycle:
- Part 1 — Consideration of personal information privacy (APPs 1 and 2)
- Part 2 — Collection of personal information (APPs 3, 4 and 5)
- Part 3 — Dealing with personal information (APPs 6, 7, 8 and 9)
- Part 4 — Integrity of personal information (APPs 10 and 11)
- Part 5 — Access to, and correction of, personal information (APPs 12 and 13).
Corporate information – any nonpublic information pertaining to Ability Options business.
Personal information – is any information or an opinion about an identified individual, or an individual who is reasonably identifiable. Personal information collected by Ability Options may include: an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and/or employment details.
Personal information that has been de-identified will no longer be personal information.
De-identified information – personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’. Generally, de-identification includes:
- removing personal identifiers, such as an individual’s name, address, date of birth or other identifying information,
- removing or altering other information that may allow an individual to be identified, for example, a unique characteristic of the individual,.
De-identification may not altogether remove the risk that an individual can be re-identified.
Sensitive information – is part of the personal information about an individual. Sensitive information collected by Ability Options may include: racial or ethnic origin, religious beliefs, health information or criminal record.
Sensitive information is generally afforded a higher level of privacy protection than other personal information. Inappropriate handling of sensitive information can have adverse consequences for an individual; it may cause humiliation, embarrassment or undermine an individual’s dignity.
Reasonable Steps – it is the responsibility of Ability Options to be able to justify that reasonable steps were taken.
Government identifier – an identifier is a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
Application of Australian Privacy Principles within Ability Options
Part 1 — Consideration of personal information privacy (APPs 1 and 2)
Open and Transparent Management of Information
1. Ability Options has a clearly expressed and up-to-date Privacy and Confidentiality Policy detailing how we manage personal information.
a. our policy statement is available on the Ability Options website
b. a copy of the Ability Options Privacy and Confidentiality Policy can be downloaded directly from the website, alternatively a hard copy can be sent, free of charge, on request.
2. Ability Options has procedures for dealing with privacy related inquiries and complaints.
a. Ability Options has practices, procedures and systems to ensure the organisation complies with the APPs and any binding registered APP code.
Anonymity and Pseudonymity
3. Where it is not unlawful or impracticable, individuals have the option of remaining anonymous or using a pseudonym when dealing with Ability Options.
a. Ability Options is not required to provide those options where:
i. the organisation is required or authorised by law or a court or tribunal order to deal with identified individuals, or
ii. it is impracticable for the organisation to deal with individuals who have not identified themselves.
Part 2 — Collection of personal information (APPs 3, 4 and 5)
4. Ability Options may only collect personal information that is reasonably necessary for, or directly related to, one or more of Ability Options functions or activities.
5. Ability Options must solicit and collect personal information:
a. by lawful and fair means
b. directly from the individual, unless:
i. the individual consents to the collection of the information from someone other than the individual; or
ii.. Ability Options is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or
iii. it is unreasonable or impracticable to do so.
6. Ability Options may only collect sensitive information where:
a. the individual has consented to the collection of that information and the information is reasonably necessary for Ability Options’ to carry out one or more of its’ functions or activities, or
b. the collection of information is required or authorised by or under Australian law or a court/tribunal order,
c. Ability Options reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
7. Where it receives unsolicited personal information, Ability Options must decide within a reasonable period of time whether that personal information about an individual could have been lawfully collected by Ability Options itself, and:
a. If so, the information will be dealt with in accordance with the treatment of solicited information documented in this Privacy and Confidentiality Policy, or,
b. If not, and the information is not contained within a Commonwealth record, Ability Options will, as soon as practicable, but only if lawful and reasonable to do so, destroy the information or ensure the information is de-identified.
Notification of Collection
8. At or before the time Ability Options collects personal information from an individual, or as soon as practicable after that, the organisation will take reasonable steps to ensure the individual is aware:
a. Ability Options is the collector of the personal information
b. of contact details, telephone number and email address (firstname.lastname@example.org), for the person responsible for handling enquiries and requests relating to the Privacy Act
c. how, when and from where the personal information was collected
d. whether the collection is required or authorised by law
e. the purposes for which the information has been collected
f. the consequences if all or part of the personal information is not collected by Ability Options
g. the organisations (or the types of organisations) to which Ability Options usually discloses personal information of the kind being collected
h. they can access their personal information and seek correction of this, if required
i. whether the personal information will be transferred overseas, and if practicable or known, to which the countries
9. If an individual is concerned about how Ability Options handles their personal information or that they have breached the APP they can make a complaint:
a. directly to Ability Options through the Ability Options website or our internal complaints mechanism
i. the organisation manages all complaints in line with our Complaints Procedure, a copy of which is available on request
ii. the Company Secretary or their delegate is responsible for handling enquiries, requests, complaints relating to the Privacy Act (email@example.com)
b. to the Office of the Australian Information Commissioner (OAIC). Further information is available on their website: http://www.oaic.gov.au/privacy/privacy-complaints
Part 3 – Dealing with personal information (APPs 6, 7, 8 and 9)
Use and Disclosure
10. Ability Options can only use or disclose personal information for a purpose for which it was collected (the ‘primary purpose’).
11. Where the information is sensitive information, Ability Options may only use that information for a primary purpose or a directly related purpose the individual has consented to.
12. Ability Options may sometimes use or disclose personal information about an individual for a ‘secondary purpose’. However, Ability Options will only use or disclose personal information about an individual for a secondary purpose in limited circumstances. Ability Options will, wherever reasonably possible, seek consent from individuals before using their personal information for a secondary purpose.
13. Ability Options may use personal information about an individual for a secondary purpose if
a. the individual has consented to a secondary use or disclosure
b. the individual would reasonably expect Ability Options to use or disclose the information for the secondary purpose, and that secondary purpose is:
i. if the information is personal information, it is related to the primary purpose of collection, or,
ii. in the case of sensitive information, it is directly related to the primary purpose
iii. the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order
14. Some special situations set out in the Law allow the use or disclosure of personal information without consent. In each case, if it does this, Ability Options will comply with the relevant Australian Privacy Principle or Rules made by the Privacy Commissioner. Some of these special situations are:
a. where Ability Options reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
b. Ability Options has reason to suspect an individual may have done something unlawful or engaged in serious misconduct that relates to Ability Options functions or activities, and Ability Options needs to disclose the information so that it can take appropriate action; or
c. Ability Options reasonably believes that the use or disclosure is reasonably necessary to assist another person to locate a person reported as missing, or
d. Ability Options reasonably believes that the use or disclosure of the information is reasonably necessary for an enforcement body’s enforcement related activities
i. Ability Options will make a written note that Ability Options has used the information for that purpose.
e. A complete list of these special situations is contained in law.
15. Whether or not an individual has consented to the use or disclosure, in the case of any obligation Ability Options has under a Commonwealth contract, Ability Options is entitled to comply with a requirement under that Commonwealth contract to disclose personal or sensitive information to the Commonwealth agency funding the activity.
16. Ability Options may only use personal information about an individual for direct marketing where an exception applies under the Law. In every situation where Ability Options is permitted to use or disclose personal information for direct marketing, Ability Options will allow the individual to ‘opt out’ and will act on the individual’s request to ‘opt out’.
17. Ability Options may use personal information (other than sensitive information) about an individual for direct marketing if:
a. Ability Options collected the information from the individual:
i. and the individual would reasonably expect Ability Options to use or disclose the information for direct marketing; and
ii. Ability Options has provided a simple means so the individual can easily request not to receive direct marketing communications from Ability Options; and
iii. the individual has not made a prior request to Ability Options to not receive direct marketing communications from Ability Options.
b. Ability Options collected the information from someone other than the individual and:
i. either the individual has consented to the use or disclosure for the purpose, or it is impracticable to obtain the individual’s consent; and
ii. in each direct marketing communication with the individual, Ability Options includes a prominent statement that the individual can ask not to receive further direct marketing communications from Ability Options; or
iii. Ability Options otherwise draws the individual’s attention in some other way to the fact that the individual may make that request; and
iv. the individual has not made a request asking Ability Options to stop sending direct marketing communications.
18. If Ability Options uses or discloses personal information about an individual for:
a. direct marketing, an individual may ask Ability Options to stop sending direct marketing communications from Ability Options and Ability Options must do that within 14 days after receiving the request unless exceptional circumstances apply; or
b. where the personal information is used for the purpose of facilitating direct marketing by other organisations on behalf of Ability Options, an individual may request Ability Options not to use or disclose the individual’s information for direct marketing by other organisations and Ability Options must act on that request within 14 days after receiving the request (unless exceptional circumstances apply).
19. The individual may request Ability Options to provide details of where his or her personal information came from (e.g. which other organisation) and Ability Options must do so within 14 days after receiving the request (except in exceptional circumstances) unless it is impractical or unreasonable to do so.
20. Ability Options will not charge any individual for the making of, or to give effect to, these requests.
Cross border disclosure
21. Occasionally, Ability Options may be required transfer personal information to an organisation (other than Ability Options or the individual concerned) that is in a foreign country or, Ability Options may store some personal information on databases that are in the cloud. In most cases, where Ability Options transfers information, the information will be de-identified.
22. Ability Options will only send information overseas if it has taken reasonable steps to ensure the transferred information, will be held, used or disclosed by the recipient organisation consistent with the APP. Further details on these steps can be found in the Law.
Adoption use or disclosure of Government Identifiers
23. Ability Options will not adopt a government related identifier of an individual as its own identifier of the individual unless the adoption of the government related identifier is required or authorised by law or a court/tribunal order.
24. Ability Options will not use or disclose a government related identifier of an individual unless:
a. the use or disclosure of the identifier is reasonably necessary for Ability Options to verify the identity of the individual for the purposes of the Ability Options’ activities or functions; or
b. the use or disclosure of the identifier is reasonably necessary for Ability Options to fulfil its obligations to an agency or a State or Territory authority; or
c. the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
d. some of the ‘[special situations’ under the Law allow the use or disclosure. In each case, if it does this, Ability Options will comply with the relevant APP or Rules made by the Privacy Commissioner. Some of these ‘special situations’ are:
i. where Ability Options reasonably believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety;
ii. Ability Options has reason to suspect an individual may done something unlawful or engaged in serious misconduct that relates to Ability Options functions or activities, and Ability Options needs to disclose the information so that it can take appropriate action; or
iii. Ability Options reasonably believes that the use or disclosure is reasonably necessary to assist another person to locate a person reported as missing; or
iv. Ability Options reasonably believes that the use or disclosure of the information is reasonably necessary for an enforcement body’s enforcement related activities (and Ability Options will make a written note that Ability Options has used the information for that purpose).
25. The complete list of these special situations is contained in the Law.
Part 4 — Integrity of personal information (APPs 10 and 11)
Quality of Personal Information
26. Ability Options will take all reasonable steps to ensure that the personal information it collects is accurate, complete and up-to-date and relevant, having regard to the purposes of the use or disclosure of the personal information that is collected.
Security of Personal Information
27. Ability Options will take all reasonable steps to protect the personal information it holds from misuse, interference (which may include measures to protect against computer attacks), loss and unauthorised access, modification or disclosure.
28. Ability Options data handling practices are regularly reviewed. All sensitive information is separately stored and shared among employees on a need to know basis only.
29. Client management records (that include personal, sensitive and health information) are stored on a central database – the Client Management System (CMS).
a. Each client’s records are assigned to a particular Team depending on their service/program
b. Client information can only be accessed by staff working on that Team (Team Based Security)
c. Within each Team, staff have different levels of access to client information, this is determined by their role within the Team (Function Based Security)
d. The CMS Analyst and Consultant have access to the full database and its’ all functions
e. The Clinical Services Team have access across the full database but have limited Functions as per point 29.c.
30. Training and guidance to Ability Options personnel has been established to support this Privacy and Confidentiality Policy.
31. Ability Options will take all reasonable steps to destroy or permanently de-identify personal information about an individual that it holds, if the information is no longer needed for any purpose for which it is able to be used or disclosed, and where there is no law or Court/tribunal or Commonwealth contract that requires Ability Options to keep the information.
32. Client records on the on the CMS are not able to be deleted or removed. Where a client leaves the program/service or is deceased their records can be de-activated.
Part 5 – Access to, and correction of, personal information (APPs 12 and 13).
Access to personal information
33. If Ability Options holds personal information about an individual, and the individual wants access to that information, Ability Options will provide the individual with access to that information.
34. This principle lists ten grounds on which Ability Options can refuse to give access to personal information. Ability Options need not to rely on any such ground and provide access upon request, unless disclosure is prohibited. Before relying on any of these grounds Ability Options should consider whether redacting some information would enable access to be provided (for example, redacting personal information about another person).
35. The ten grounds are:
a. Ability Options reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
b. giving access would have an unreasonable impact upon the privacy of other individuals; or
c. the request for access is frivolous or vexatious; or
d. the information relates to existing or anticipated legal proceedings between Ability Options and the individual, and the information would not be provided by the process of discovery in those proceedings; or
e. providing access would reveal the intentions of Ability Options in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
f. providing access would be unlawful; or
g. denying access is required or authorised by or under an Australian law or a court/tribunal order; or
h. Both of the following apply:
i. Ability Options has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates the Ability Options functions or activities has been or is being or may be engaged in; and
ii. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
i. providing access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
j. giving access would reveal evaluative information generated within Ability Options in connection with a commercially sensitive decision-making process.
36. Ability Options will respond to an access request within a reasonable period after the request is made and will give access to the personal information in the manner requested by the individual, if it is reasonable and practicable to do so. Ability Options may, in appropriate circumstances, charge the individual an appropriate (and not excessive) fee for giving access to the personal information.
37. If Ability Options refuses to give access to personal information in the manner requested by the individual or because one or more of the exceptions referred to in paragraph 35 of this policy apply, Ability Options will give the individual a written notice about the refusal that complies with the regulations to the Law and includes information about how a person can complain about the refusal.
Correction of personal information
38. Ability Options will take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. This requirement applies where:
a. Ability Options is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held, or
b. the individual requests Ability Options to correct the personal information.
39. APP 13 sets out the following minimum procedural requirements in relation to correcting personal information:
a. take reasonable steps to notify other APP entities of a correction to an individual’s personal information
b. respond to a request for correction or to associate a statement, and
c. not charge an individual for making a request, correcting personal information or associating a statement.
40. If Ability Options refuses to correct the personal information when requested to do so by an individual:
a. Ability Options will give the individual a written notice about the refusal that complies with the regulations to the Law and includes information about how a person can complain about the refusal.
b. An individual can request Ability Options to attach a statement to information saying that the information is inaccurate, out of date, incomplete, irrelevant or misleading. Ability Options will answer that request within a reasonable period after it is made and will take reasonable steps as are to ensure the statement is able to be seen by the users of the information.
41. Special considerations apply to Commonwealth records, which can only be destroyed or altered in accordance with the Archives Act 1983 (Archives Act).
Part 6 – Confidentiality of Corporate information
42. While Parts 1-5 above have been written with a focus on the privacy of personal information, the intent of each of these points applies to the confidentiality of corporate information.
43. Confidential information includes, but is not limited to, the following stored in any form or manner (except where is or has been made generally known by the organisation to the public or is otherwise already in the public domain):
a. Any information about, and any documents relating to, our commercial clients and/or the people we support.
b. Any information about and any documents relating to our employees.
c. All confidential deliberations of the Ability Options Board and Committees of the Board.
d. Information in any personnel or employment manuals, policy documents and/or quality assurance manuals (or similar documents) developed from time to time by the organization.
e. The investigation of any matter and the materials contained in any investigation reports.
f. Any of Ability Options trade secrets and business processes.
g. Any information and documents relating to our strategy, business plans, budgets and/or financial position.
h. Any information about our suppliers and/or or price lists of such suppliers.
i. Any information from any supplier listing services, goods or products used by the organisation.
j. Any information about the method of presentation or supply of services.
k. Any information, research programs, concepts or results connected with any proposed or new services that may be supplied by Ability Options before the general introduction or availability to the public of that service.
l. Any information in connection with any advertising and promotional activities proposed to be undertaken by or for the organisation prior to the general introduction of that advertising or promotional material to the public or prior to such advertising and promotional activity first being undertaken.
m. Any information maintained in any database maintained by the organisation in connection with its business.
n. Any information, know how or expertise relating to the business of the organisation, including knowledge, whether or not it is the product of any research concerning investment opportunities.
o. Any information about any plans or proposals to improve or develop Ability Options business.
p. Any information about the contents of any training programs or materials used in any training proposed or undertaken by us relating to training of Ability Options People.
q. Any information about any new or proposed trademark, service mark, patent or copyrighted work that it is intended to introduce for use the business prior to the lodging of any relevant application.
r. Any information about any mergers/acquisitions for Business Development.
44. Confidential corporate information must be securely stored in a manner, which protects the confidentiality of the information.
45. Permission for service participant or employee participation in research programs must be referred to the Chief Executive Officer for consideration and approval.
If you require any further information please email firstname.lastname@example.org