PURPOSE: This policy outlines how MHACA will meet its obligations under the Commonwealth Privacy Act 1988 (The Act) in relation to how it manages personal information.
SCOPE: This policy applies to all MHACA staff (including contract, casual and peer staff), volunteers, students, and Board members.
DEFINITIONS:
Direct Marketing: Direct promotion of any goods or services (usually by mail, email or phone).
Disclosure: Refers to the sharing of personal information with third parties outside of MHACA.
Government related identifiers: Unique codes or numbers used by government departments to identify individuals. Examples include Driver’s licence number, Medicare number, Health Record Number etc.
Mandatory Reporting: An obligation under law to report to the appropriate authority cases of actual or suspected serious harm/risk of harm related to domestic or family violence or child abuse or neglect.
Personal information: The Privacy Act defines personal information as: “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable”
For this policy, personal information includes (but is not limited to) name, birthdate, address, family background, race, and health status.
Security: Security refers to how we ensure that personal information that is held by MHACA is not able to be accessed by unauthorised persons without the permission of the individual.
Sensitive information: Sensitive information refers to health information, and/or other information or an opinion about an individual such as criminal record, sexual orientation, religious beliefs, or racial or ethnic origin.
Unsolicited Information: This refers to personal information which MHACA receives about an individual from a third party (person or organisation) without the consent of the individual.
POLICY STATEMENT:
MHACA collects a range of personal information from participants, staff and other stakeholders.
MHACA respects and upholds the rights of its stakeholders under the Commonwealth Privacy Act (1988) and complies with all the Act’s requirements in respect to how we collect, manage and share personal and sensitive information.
MHACA carefully considers our legal and ethical responsibilities in relation to privacy and confidentiality within all work practices, policy development and in relevant planning and decision-making activities.
In accordance with the Act, and the 13 Australian Privacy Principles within the Act, MHACA will:
- Ensure that participants, staff, and other relevant stakeholders are informed (at the point of first contact and regularly thereafter) of their rights under the Act, including providing information about what personal information MHACA collects, why MHACA collects information, and how that information is managed;
- Endeavour to collect personal information directly from the individual involved rather than from third parties where possible, and ensure that consent has been given when this is not possible;
- Where not directed otherwise under Australian legislation, provide the opportunity for individuals to choose to be anonymous or to use a pseudonym in their dealings with MHACA;
- Not collect or hold sensitive information unless it relates specifically to the individual’s participation in the activities of MHACA;
- Destroy or otherwise dispose of any unsolicited information which it receives about individuals (unless it determines that such information could have been gained lawfully under the Act);
- Not use any personal information for purposes other than that for which it was collected (including direct marketing);
- Not disclose personal information to any third party without the expressed permission of the individual (unless required by legislation, including mandatory reporting requirements);
- Not use Government related identifiers as an internal organisational identifier;
- Take reasonable steps to ensure that the personal information we collect is accurate and up to date;
- Take reasonable steps to ensure the security of any personal information and to prevent loss, misuse or unauthorised access;
- Ensure that individuals can access personal information held about them, and make corrections if necessary;
- Ensure that any formal or informal research undertaken by or on behalf of MHACA, or by an external body with MHACA participants is conducted in accordance with legal and ethical guidelines;
- Ensure that confidentiality of participants is protected by offering private meeting spaces where personal information can be discussed;
- Follow accepted legal and ethical records management guidelines for archiving and/or destroying old or inactive files; and
- Regularly review policies, procedures and work practices to ensure MHACA meets its legal and ethical responsibilities in relation to Privacy and Confidentiality.
- Ensure the law and the NDIS Quality and Safeguarding Framework are followed if there are any Notifiable Data Breaches. This can include reporting the data breach to the Office of the Australian Information Commissioner and notifying any people affected by the data breach.
- Ensure IT systems and associated practices are designed to protect personal information.
RESPONSIBILITIES:
Board
The Board is ultimately responsible for ensuring that MHACA meets its legal and regulatory requirements, including its obligations under the Commonwealth Privacy Act 1988.
The Board is responsible for ensuring that MHACA has adequate policies to ensure compliance with the Act, and that those policies are regularly reviewed.
The Board is responsible for delegating responsibility for the development of procedures and protocols which ensure that the work practices of staff are compliant with legislation.
CEO
The CEO has delegated responsibility for ensuring that MHACA has procedures and protocols in place which ensure that staff are fully informed of their obligations under the Act, and that the work practices of staff are compliant with legislation.
Staff, Volunteers and Students
Staff (including contract, casual and peer staff), volunteers and students must abide by all legal requirements, MHACA policies and procedures, the code of conduct and the signed confidentiality agreement.
Staff, volunteers and students are expected to maintain an awareness of their responsibilities under the Act, and to seek advice from management in cases where the Act is unclear, or additional guidance is required.
Staff with responsibility for conducting intake and assessment must ensure that individuals are informed of their privacy rights prior to collecting personal information.
Staff with responsibility for recruiting and supervising staff, volunteers and students are responsible for ensuring that the induction and orientation process includes a detailed introduction to privacy and confidentiality requirements.
LEGISLATION
Commonwealth Privacy Act (1988)
https://www.legislation.gov.au/Details/C2014C00076
NT Information Act (2002)
https://legislation.nt.gov.au/en/Legislation/INFORMATION-ACT-2002
Care and Protection of Children Act (2007)
https://legislation.nt.gov.au/Legislation/CARE-AND-PROTECTION-OF-CHILDREN-ACT-2007
NT Domestic and Family Violence Act
https://legislation.nt.gov.au/en/Legislation/DOMESTIC-AND-FAMILY-VIOLENCE-ACT-2007
CROSS REFERENCE
NB: MHACA aims to embed the principles of privacy and confidentiality through all levels of management and into all documents and procedures which guide our work practices, too numerous to list in full here. Below is a list of the key documents which pertain to privacy and confidentiality.