Privacy and conficentiality Policy and procedure

Policy and Procedure

The aim of this policy and procedure is to lay out Melbourne Quality Care Services employee duties to gather, use, safeguard and disclose, confidential information in accordance with the legislation on privacy.

This policy and procedure extends to all Melbourne Quality Care Services employees and should be read in conjunction with Melbourne Quality Care Services’ Records and Information Management Policy and Procedure. It incorporates the policies and procedures outlined in Melbourne Quality Care Services’ general privacy policy and procedure.

This policy and procedure comply with all applicable laws, regulations and standards

Definitions

Health information - All details or perhaps an opinion regarding an individual's physical, emotional or psychological health or capacity at any moment.

Personal information - Documented records, like images or perceptions about an individual whose identity can reasonably be determined, either true or otherwise.

Sensitive information-Knowledge or a personal view on the ethnic roots of an individual, political opinions, political party member, religious views or associations, philosophical beliefs, professional or trade organization membership, trade union membership, sexual orientation or practices, or criminal history. Which is also regarded as personal information

Policy

Confidentiality and privacy are fundamental to Melbourne Quality Care Services.

Melbourne Quality Care Services shall protect the privacy of all individuals including the confidentiality of their clients and employees. Every individual and his or her legal representatives have the authority to decide who will have access to their private information.

Melbourne Quality Care Services supports and encourages confidentiality and privacy standards throughout its records and information management practices. 

See Melbourne Quality Care Services’ Records and Information Management Policy and Procedure

Melbourne Quality Care Services will only use the information gathered for the purpose for which it was collected and guarantee that it is safeguarded appropriately and will only obtain the data necessary for the effective and productive delivery of supports and services.

All Melbourne Quality Care Services employees are responsible for the protection of the privacy and confidentiality rights of the company, clients and all other employees.

In accordance with the applicable state and territory laws and the federal privacy act Melbourne Quality Care Services gathers, handles and discloses information.

The procedures of privacy and confidentiality communicate with the lifecycle of data as follows:

• Create a collection of all forms of client details and any other relevant information as well as service agreements to ensure they have given both verbal and written consent.
• Store all information securely as per the records and information management policy and procedure and limit access.
• Use the information to update when applicable, disclose the information to staff members and report if necessary.
• Archive the documents securely once the participant has exited the service as per the records and information management policy and procedure and limit access.
• Once the archive period is complete dispose of documents securely as per the records and information management policy and procedure.

Procedures

General

The director is committed to ensuring that Melbourne Quality Care Services follows the 1988 (Cth) Privacy Act standards and all other relevant government and territory laws and specifications.

This requires developing, implementing as well as reviewing procedures for how much information Melbourne Quality Care Services collects regarding individuals and their sources. Why and exactly how Melbourne Quality Care Services gathers, uses, and discloses an individual’s private information. Who will have access to the information as well as collection, storage, access, use, disclosure and disposal of data. How individuals can consent to the collection, retraction or modification of private information. Clients consent and review of Melbourne Quality Care Services stored personal information. How it uses records that require to be updated, destroyed or removed. How Melbourne Quality Care Services protects and handles private information, including how it manages questions and complaints about confidentiality.

The director regularly checks these procedures via periodic Privacy Audits. see Melbourne Quality Care Services‘ Privacy Audit Form and Schedule 2.

It is the responsibility of all Melbourne Quality Care Services employees to read and comply with this policy and procedure and their data protection, privacy and data management duties. Collection, processing, storage, use, disclosure and disposal of confidential and health data from clients, other employees and all other participants in agreement with state and federal legislation and this policy and procedure.

Documentation from other employees and other participants must be kept in compliance with the privacy criteria of their employment or contract.

Melbourne Quality Care Services employees must receive training to provide confidentiality privacy and data management guidelines. If required, employees will receive further official and at work education. see Melbourne Quality Care Services’ policy and procedure on human resources.

The employee’s knowledge and implementation of practices to manage the confidentiality and privacy of data will be tracked daily and through annual performance reviews.

Melbourne Quality Care Services’ Privacy Statement must be notably demonstrated at Melbourne Quality Care Services’ premises and it will be included in the Melbourne Quality Care Services’ Client Handbook.

Upon request, a copy of this policy and procedure will be provided to any Melbourne Quality Care Services employee, client or participant.

Photos and Videos

Some forms of personal information include:

• Photographs
• Films
• Recordings

Employees are required to respect the wishes made by individuals over being filmed or photographed and will only use an individual’s picture if notifiable consent has been given.

Employees will need to be mindful of cultural understandings and additionally the necessity for some pictures to be handled with particular care.

Information Collection and Consent

Client Information Collection and Consent

Melbourne Quality Care Services will only ask for confidential information required:

• To determine a potential client's suitability for a service
• To monitor the services provided
• To fulfil government non-identification and statistical data requirements.

Personal participant information that Melbourne Quality Care Services collects.  Involves but is not limited to:

• Incident reports
• Clients emergency contact details
• Health status of the client
• Clients and their guardians contact information
• Medical documents
• Immunisation records
• Medicine records
• Additional Organization information.
• Development of records, plans, portfolios and observations.
• Consent forms
• Intake of delivery of services, assessment, data review

It is the clients right to:

• Supply, access, update and use personal information.
• Refuse to disclose information
• Revoke their consent to disclose personal information

Before collecting personal information from clients or their advocates, employees must clarify:

• All private and confidential information will be stored safely
• Melbourne Quality Care Services will clarify why the information is being collected, exactly how it is being stored and used as well as why Melbourne Quality Care Services requires the information
• Melbourne Quality Care Services only gathers the necessary personal information of clients for the protected and effective provision of services.

Clients, their family members and advocates will obtain a Privacy Statement from Melbourne Quality Care Services and notify them that a copy of this policy and procedure is available on request. Employees are expected to provide privacy details to Clients and their families in forms that meet their individual communication needs. Written information can be provided or clarified verbally by employees in different languages and simple English. Melbourne Quality Care Services employees will support clients if they need to gain access to an interpreter

Following from the information provided in this policy and procedure. Melbourne Quality Care Services employees must use a Consent Form to verify and clarify the information stated in this policy and procedure and then obtain consent from the client or their advocate to gather, store, gain access to, use, disclose and dispose of their personal information.

Clients and their family and advocates are accountable for:

• Always being mindful of an individual's privacy when using photos and videos
• Return the completed consent form, in a well-timed manner.
• Being thoughtful, polite and respectful to individuals who do not desire to be photographed or videotaped
• when necessary, deliver accurate information

NDIS Audits

Melbourne Quality Care Services abide by the standards outlined in the 2018 National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guideline, therefor clients are automatically included in NDIS Practice Standards audits. A NDIS Approved Quality Auditor may contact a client at any time for an interview or for their client file and plans to be assessed. If a client does not intend to participate in these audits, they should inform an employee who will deliver written notice to the [Position title]. The Clients preference to not participate will be respected and recorded in their client file. Melbourne Quality Care Services must advise its Approved Quality Auditor prior to initiation of any audit processes, of any clients who do not wish to participate in the audit.

Workers Information Collection and Consent

Personal employee data that Melbourne Quality Care Services collects includes, but is not limited to:

• Specifics regarding qualified registration.
• Tax returns
• Superannuation details
• Payroll information
• Contract of employment
• Personal information
• Specifics of emergency contact
• Medical information
• NDIS Worker Screening Checks, Criminal History Checks and Working with Children Checks
• Qualifications
• First aid
• CPR
• Anaphylaxis and other certificates
• Personal resumes
• Consent forms

If appropriate, procedures used for gathering the above records will also require the employee’s approval to gather, store, view, utilise, report and dispose of their private data.

Access

The director will only access the employee's personal information if it necessary to fulfil their responsibilities.

Employees must only access the clients private and confidential information if it is necessary to deliver the services provided by Melbourne Quality Care Services

Employees and Clients have the right to access all this information as well as request access to private information that Melbourne Quality Care Services occupies concerning them, exclusive of presenting a justification to ask for access. Render adjustments and changes and if they believe the information is not accurate, correct or true.

Any client access or modification demands must be presented to the employee responsible for monitoring the Client's personal information. All employees have the same access to or requests for modification as clients.

The director must be addressed, within two business days of obtaining a request for access or correction, the responding representative will give access or make clear why access has been rejected, rectify the private and confidential information, or provide explanations for not modifying it as well as present clarifications for any anticipated interruption in responding to the request.

A request for access or correction may be rejected in whole or in portion where it would have an unwarranted impact on the privacy and confidentiality of other individuals, the request is thoughtless and annoying. It may cause a dangerous threat to any individuals life or wellbeing. All client requests for access or correction refused by the director must be authorized and documented in the Client's file.

All employees who have been refused access or correction requests must be approved by the CEO and recorded in the employees file.

Storage

See Melbourne Quality Care Services’ Records and Information Management Policy and Procedure for additional details on exactly how Melbourne Quality Care Services securely stores and protects private data of their employees and clients.

Disclosure

Employee or client personal information can only be disclosed:

• To comply with legislative responsibilities such as mandatory reporting when required by law.
• To outside associations with the employee or client’s consent, or parents/Guardians for those without capacity to consent.
• With the written consent of the authorized individual
• if emergency medical treatment is required.

If an individual is in a situation where they believe they must disclose information about a Client or other employee that they would not usually reveal, they must consult with the director before disclosing the information

International Disclosure

Under the Privacy Act 1988, Melbourne Quality Care Services is obliged to take proper measures to ensure that the foreign recipient does not infringe Australian Privacy Principles (APPs) Principle 8 prior to revealing private information and records to a foreign beneficiary. The director will be responsible for these investigations.

This obligation will not apply if the foreign recipient is dependent to a legislation or binding system which has the power to protect the private and confidential information in an approach significantly equivalent to that delivered by the APPs.

Reporting

Notifiable Data Breaches Scheme

Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) Scheme is a federal scheme. Organizations are required to disclose certain information breaches to those impacted by the infringement, and to the Australian Information Commissioner.

A data breach happens when the private information retained by companies is damaged or exposure to it is not permitted. A violation of the data can occur as a result of failure of the management or security system, deliberate intent or technical failure.

Instances of information violations include:

• Devices and documents that contain private and confidential information, either lost or stolen
• Unapproved entry by an employee to personal information.
• Unintentional release of private and confidential information. For example, an email accidentally being sent to the wrong person.
• Release of private information to a scammer because of lacking methods for identification conformation.

In addition to the damage done to individuals who are the subject of information violations, such an incident may also cause Melbourne Quality Care Services significant economic harm.

The Data Breach Preparation and Response — A Guide to Managing Data Breaches under the Privacy Act 1988 (Cth), released by the Office of the Australian Information Commissioner (OAIC), provides further details on the NDB Scheme.

The Data Breach Response Plan of Melbourne Quality Care Services explains its method to contain, assess and manage occurrences breaches of information.

Identifying a Notifiable Data Breach

A Notifiable Data Breach, occurs when:

Melbourne Quality Care Services is unable to prevent the potential risk of harm through corrective measures

Release or access to private information not permitted, or data lost in circumstances in which unauthorised access or release is probable to be present. Release or loss is expected to affect all individuals involved with the information. Serious damage may include damage to credibility in the form of a breach of information. Which may result in:

• Physical damage
• Emotional damage
• Financial damage

Any suspected or current information breaches must be identified to the [Position Title], who is responsible to assess the action of Melbourne Quality Care Services and if the breach is to be registered under the NDB Scheme. It will not be considered a notifiable data breach if the director of Melbourne Quality Care Services responds promptly to reduce the information violation.

Responding to a Data Breach

If the director assumes that a data breach is notifiable under the NDB Scheme, then an assessment must be conducted to evaluate whether this is the case. If the data breach is considered notifiable by the director, the Data Breach Response Team of Melbourne Quality Care Services must be advised.

• Director as support for risk leadership, assessing danger from infringement.
• CEO supporting human resources where the infringement was caused by the worker's actions;  and CEO providing media/communications knowledge and helping to communicate with impacted people and deal with media and external stakeholders.
• Director  of Services as Project Manager, coordinating the team and supporting its participants
• Director of Quality and Compliance to introduce privacy knowledge to the team.
• Director of services as Team Leader, accountable for guiding the reaction team and reporting to the CEO (unless they are the same person)
• CEO as legal assistance, identifying legal commitments and providing guidance.
• Director of Services as support for information and communication technology (ICT) or forensics, helping to define the cause and effect of infringement involving ICT technologies.
• Director of Quality and Compliance providing information and documents management knowledge, assisting in the review of breach-related safety and tracking checks (e.g. access, authentication, encryption, audit logs) and providing guidance on recording data breach reaction.

All implicated individuals will be informed of the breach of information as promptly as possible by the Data Breach Response Team.

All occurrences of database breach, whether reportable or otherwise, must always be handled in compliance with Melbourne Quality Care Services' Data Breach Response Plan and recorded in Melbourne Quality Care Services’ Incident Register. As well as appropriate activities recorded in the Continuous Improvement Register of Melbourne Quality Care Services where necessary.

Where a breach is submitted to the Data Breach Response Team, its response will be established on the subsequent measures:

• Control information violation.
• Evaluate the information breach and correlated threats
• inform individuals involved and the Australian Information Commissioner
• Prevent potential data breaches.

For additional information see Melbourne Quality Care Services’ Data Breach Response Plan.

Notifiable Data Breaches Involving More Than One Entity

The NDB Scheme acknowledges that the private information is often kept together by more than one individual. For example, one individual may have physical possession of the documentation while the other will have legal power or ownership of the document. Other examples include:

• Contracts for subcontracting or brokering
• Combined opportunities.
• Where Melbourne Quality Care Services service provider stores information

Under these circumstances, all companies ' responsibility under the NDB Scheme is deemed to be an eligible violation of the details. Just one corporation requires the measures needed by the NDB Scheme, and this should be the corporation most directly related to the individuals affected by the data breach. In which obligations are not fully met under the Scheme, both corporations will breach the Scheme's requirements.

Other Reporting Requirements

The NDIS Commission must be directly and immediately informed by the [position title] if Melbourne Quality Care Services becomes aware of any breaches or potential breaches of privacy law.

Breaches of information may also affect reporting obligations beyond the Privacy Act 1988, such as: 

• Government Departments of the Federal, State or Territory
• Insurance providers
• Australian Tax Office (ATO)
• Australian Cyber Security Centre (ACSC)
• Australian Digital Health Agency (ADHA)
• The financial service sector of Melbourne Quality Care Services
• Professional and regulatory organizations
• The police or other law prosecution organizations

Victorian Protective Data Security Standards

Information, staff, ICT and physical security are covered by requirements. Four protocols support each standard. The Victorian Information Commissioner's Office (OVIC) regulates the standards.

Even though Melbourne Quality Care Services does not require to report straight to OVIC or finish the VPDSS compliance records released on the OVIC website (which public sector organizations are needed to do), compliance with the VPDSS is needed. 

The Victorian Protective Data Security Standards (VPDSS) are component of the Victorian Protective Data Protection Structure (VPDSF) and create 18 compulsory high-level data security criteria across the Victorian public sector as well as service providers.

To ensure that Melbourne Quality Care Services cooperates completely with the Standards:

• Assess Melbourne Quality Care Services against Question 13 of the Organization Compliance Checklist (protective information safety) of the Department of Health and Human Services. On http:/fac.dhhs.vic.gov.au/organization-compliance-checklist you can find the checklist.
• The director will collaborate with the Victorian Government on the implementation of risk-based reporting mechanisms and ensure that Melbourne Quality Care Services takes reasonable steps to protect all Melbourne Quality Care Services participant records.
• The director will create an immediate measurement on information security
• Subscribe to the' Stay Smart Online ' website at: https:/www.staysmartonline.gov.au.
• Review Melbourne Quality Care Services’ compliance with the Essential Eight and rectify any identified gaps
• This website helps on knowledgeable Online behaviour patterns as well as how to respond to internet threats

You can find more details at: https:/www.asd.gov.au/publications/protect/eight-explained.htm.

Archiving and Disposal

For details on how Melbourne Quality Care Services archives and disposes of Clients ' personal details, see Melbourne Quality Care Services' Records and Information Management Policy and Procedure.

Supporting Documents

Documents relevant to this policy and procedure include:

• Melbourne Quality Care Services Information Sharing Guidelines Data Breach Response Plan
• Privacy Audit Form
• Continuous Improvement Register
• Records and Information Management Policy and Procedure
• Client Handbook
• Consent Form
• Privacy Statement

Policy Review

Melbourne Quality Care Services may make changes to this policy and procedures from time to time to improve the effectiveness of its operation.  Generally, this entire policy will be reviewed in consultation with people using the service, their families and carers and workers annually.

All service planning, delivery and evaluation activities will include workers, client and other stakeholders and their feedback.  Melbourne Quality Care Services’ annual service delivery and satisfaction surveys will include questions regarding:

• The extent to which clients and their supporters feel their privacy and confidentiality has been protected.
• Satisfaction with Melbourne Quality Care Services’ privacy and confidentiality processes.
• Whether stakeholders have received adequate information about privacy and confidentiality; and Melbourne Quality Care Services’ Continuous Improvement Plan will be used to record and monitor progress of any improvements identified and where relevant feed into Melbourne Quality Care Services's service planning and delivery processes.