|Created||Date 7/05/2014 By Teresa Clonan|
1.8 Privacy and Confidentiality
8.4 Legal and regulatory compliance
1.6 Knowledge management
1.8 Legal and regulatory compliance
2.4 Rights of consumers
PURPOSE: The purpose of this policy is clearly communicate to all of MHACA’s stakeholders how the organisation will meet its obligations under the Commonwealth Privacy Act 1988 (The Act) in relation to how it manages personal information.
SCOPE: This policy applies to all MHACA staff (including contract, casual and peer staff), volunteers, students, and Board members.
Direct Marketing: Direct promotion of any good or services (usually by mail, email or phone).
Disclosure: Refers to the sharing of personal information with third parties outside of MHACA.
Government related identifiers: Unique codes or numbers used by government departments to identify individuals. Such as Driver’s licence number, Medicare number, Health Record Number etc.
Mandatory Reporting: An obligation under law to report to the appropriate authority cases of actual or suspected serious harm/ risk of harm related to domestic or family violence or child abuse or neglect.
Personal information: The Privacy Act defines personal information as: “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”
For the purpose of this policy, personal information includes (but is not limited to) such things as name, birthdate, address, family background, race, and health status.
Security: Security refers to how we ensure that personal information that it held by MHACA is not able to be accessed by unauthorised persons without the permission of the individual.
Sensitive information: Sensitive information refers to health information, and/ or other information or an opinion about an individual such as criminal record, sexual orientation, religious beliefs, or racial or ethnic origin.
Unsolicited Information: This refers to personal information which MHACA receives about an individual from a third party (person or organisation) without the consent of the individual.
POLICY STATEMENT: MHACA collects a range of personal information from participants, staff and other stakeholders
MHACA respects and upholds the rights of its stakeholders under the Commonwealth Privacy Act (1988) and complies with all of the Act’s requirements in respect to how we collect, manage and share personal and sensitive information.
MHACA carefully considers our legal and ethical responsibilities in relation to privacy and confidentiality within all work practices, policy development and in relevant planning and decision making activities.
In accordance with the Act, and the 13 Australian Privacy Principles within the Act, MHACA will:
- Ensure that participants, staff, and other relevant stakeholders are informed (at the point of first contact and regularly thereafter) of their rights under the Act, including providing information about what personal information MHACA collects, why MHACA collects information, and how that information is managed;
- Endeavour to collect personal information directly from the individual involved rather than from third parties where possible, and ensure that consent has been given when this is not possible;
- Where not directed otherwise under Australian legislation, provide the opportunity for individuals to choose to be anonymous or to use a pseudonym in their dealings with MHACA;
- Not collect or hold sensitive information unless it relates specifically to the individual’s participation in the activities of MHACA;
- Destroy or otherwise dispose of any unsolicited information which it receives about individuals, (unless it determines that such information could have been gained lawfully under the Act);
- Not use any personal information for purposes other than that for which it was collected (including direct marketing);
- Not disclose personal information to any third party without the expressed permission of the individual (unless required by legislation, including mandatory reporting requirements);
- Not utilise Government related identifiers as an internal organisational identifier;
- Take reasonable steps to ensure that the personal information we collect is accurate and up to date;
- Take reasonable steps to ensure the security of any personal information and to prevent loss, misuse or unauthorised access;
- Ensure that individuals are able to access personal information held about them, and make corrections if necessary;
- Ensure that any formal or informal research undertaken by or on behalf of MHACA, or by an external body with MHACA participants is conducted in accordance with legal and ethical guidelines;
- Ensure that confidentiality of participants is protected by offering private meeting spaces where personal information can be discussed;
- Follow accepted legal and ethical records management guidelines for archiving and/or destroying old or inactive files; and
- Regularly review policies, procedures and work practices to ensure MHACA meets its legal and ethical responsibilities in relation to Privacy and Confidentiality.
The Board is ultimately responsible for ensuring that MHACA meets its legal and regulatory requirements, including its obligations under the Commonwealth Privacy Act 1988.
The Board is responsible for ensuring that MHACA has adequate policies to ensure compliance with the Act, and that those policies are regularly reviewed.
The Board is responsible for delegating responsibility for the development of procedures and protocols which ensure that the work practices of staff are compliant with legislation.
The CEO has delegated responsibility for ensuring that MHACA has procedures and protocols in place which ensure that staff are fully informed of their obligations under the Act, and that the work practices of staff are compliant with legislation.
Staff, Volunteers and Students.
Staff (including, contract, casual and peer staff), and volunteers and students must abide by all legal requirements, MHACA policies and procedures, the code of conduct and the signed confidentiality agreement.
Staff, volunteers and students are expected to maintain an awareness of their responsibilities under the Act, and to seek advice from management in cases where the Act is unclear, or additional guidance is required.
Staff with responsibility for conducting intake and assessment must ensure that individuals are informed of their privacy rights prior to collecting personal information.
Staff with responsibility for recruiting and supervising staff, volunteers and students are responsible for ensuring that the induction and orientation process includes a detailed introduction to privacy and confidentiality requirements.
Commonwealth Privacy Act 1988
NT Information Act 2003
Care and Protection of Children Act
NT Domestic and Family Violence Act
NB: MHACA aims to embed the principles of privacy and confidentiality through all levels of management and into all document and procedures which guide our work practices, too numerous to list in full here. Below is a list of the key documents which pertain to privacy and confidentiality.
|Document Ref||Document Title|
|PRHR017||Staff orientation and induction procedures|
|PRHR027||Volunteer orientation and induction procedures|
|TBC||Mandatory Reporting policy and procedures|
|POSD020/ PRSD002||Referral policy and procedures|
|PRSD004||Procedures for the release of and request of information|
|POSD017/ PRSD018||Participant file policy and procedures|
|PRSD020||Protocol for the sharing of participant information within MHACA|
|PRSD022||Intake and assessment policy and procedures|
|POOD001/ PROD001||Archiving policy and procedures|
|POOD003/ PROD002||Data collection and management policy and procedures|