Policy and Procedure
The aim of this policy and procedure is to lay out Melbourne Quality Care Services employee duties to gather, use, safeguard and disclose, confidential information in accordance with the legislation on privacy.
This policy and procedure comply with all applicable laws, regulations and standards
Health information - All details or perhaps an opinion regarding an individual's physical, emotional or psychological health or capacity at any moment.
Personal information - Documented records, like images or perceptions about an individual whose identity can reasonably be determined, either true or otherwise.
Sensitive information-Knowledge or a personal view on the ethnic roots of an individual, political opinions, political party member, religious views or associations, philosophical beliefs, professional or trade organization membership, trade union membership, sexual orientation or practices, or criminal history. Which is also regarded as personal information
Confidentiality and privacy are fundamental to Melbourne Quality Care Services.
Melbourne Quality Care Services shall protect the privacy of all individuals including the confidentiality of their clients and employees. Every individual and his or her legal representatives have the authority to decide who will have access to their private information.
Melbourne Quality Care Services supports and encourages confidentiality and privacy standards throughout its records and information management practices.
See Melbourne Quality Care Services’ Records and Information Management Policy and Procedure
Melbourne Quality Care Services will only use the information gathered for the purpose for which it was collected and guarantee that it is safeguarded appropriately and will only obtain the data necessary for the effective and productive delivery of supports and services.
All Melbourne Quality Care Services employees are responsible for the protection of the privacy and confidentiality rights of the company, clients and all other employees.
In accordance with the applicable state and territory laws and the federal privacy act Melbourne Quality Care Services gathers, handles and discloses information.
The procedures of privacy and confidentiality communicate with the lifecycle of data as follows:
The director is committed to ensuring that Melbourne Quality Care Services follows the 1988 (Cth) Privacy Act standards and all other relevant government and territory laws and specifications.
This requires developing, implementing as well as reviewing procedures for how much information Melbourne Quality Care Services collects regarding individuals and their sources. Why and exactly how Melbourne Quality Care Services gathers, uses, and discloses an individual’s private information. Who will have access to the information as well as collection, storage, access, use, disclosure and disposal of data. How individuals can consent to the collection, retraction or modification of private information. Clients consent and review of Melbourne Quality Care Services stored personal information. How it uses records that require to be updated, destroyed or removed. How Melbourne Quality Care Services protects and handles private information, including how it manages questions and complaints about confidentiality.
The director regularly checks these procedures via periodic Privacy Audits. see Melbourne Quality Care Services‘ Privacy Audit Form and Schedule 2.
It is the responsibility of all Melbourne Quality Care Services employees to read and comply with this policy and procedure and their data protection, privacy and data management duties. Collection, processing, storage, use, disclosure and disposal of confidential and health data from clients, other employees and all other participants in agreement with state and federal legislation and this policy and procedure.
Documentation from other employees and other participants must be kept in compliance with the privacy criteria of their employment or contract.
Melbourne Quality Care Services employees must receive training to provide confidentiality privacy and data management guidelines. If required, employees will receive further official and at work education. see Melbourne Quality Care Services’ policy and procedure on human resources.
The employee’s knowledge and implementation of practices to manage the confidentiality and privacy of data will be tracked daily and through annual performance reviews.
Melbourne Quality Care Services’ Privacy Statement must be notably demonstrated at Melbourne Quality Care Services’ premises and it will be included in the Melbourne Quality Care Services’ Client Handbook.
Upon request, a copy of this policy and procedure will be provided to any Melbourne Quality Care Services employee, client or participant.
Photos and Videos
Some forms of personal information include:
Employees are required to respect the wishes made by individuals over being filmed or photographed and will only use an individual’s picture if notifiable consent has been given.
Employees will need to be mindful of cultural understandings and additionally the necessity for some pictures to be handled with particular care.
Information Collection and Consent
Client Information Collection and Consent
Melbourne Quality Care Services will only ask for confidential information required:
Personal participant information that Melbourne Quality Care Services collects. Involves but is not limited to:
It is the clients right to:
Before collecting personal information from clients or their advocates, employees must clarify:
Clients, their family members and advocates will obtain a Privacy Statement from Melbourne Quality Care Services and notify them that a copy of this policy and procedure is available on request. Employees are expected to provide privacy details to Clients and their families in forms that meet their individual communication needs. Written information can be provided or clarified verbally by employees in different languages and simple English. Melbourne Quality Care Services employees will support clients if they need to gain access to an interpreter
Following from the information provided in this policy and procedure. Melbourne Quality Care Services employees must use a Consent Form to verify and clarify the information stated in this policy and procedure and then obtain consent from the client or their advocate to gather, store, gain access to, use, disclose and dispose of their personal information.
Clients and their family and advocates are accountable for:
Melbourne Quality Care Services abide by the standards outlined in the 2018 National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guideline, therefor clients are automatically included in NDIS Practice Standards audits. A NDIS Approved Quality Auditor may contact a client at any time for an interview or for their client file and plans to be assessed. If a client does not intend to participate in these audits, they should inform an employee who will deliver written notice to the [Position title]. The Clients preference to not participate will be respected and recorded in their client file. Melbourne Quality Care Services must advise its Approved Quality Auditor prior to initiation of any audit processes, of any clients who do not wish to participate in the audit.
Workers Information Collection and Consent
Personal employee data that Melbourne Quality Care Services collects includes, but is not limited to:
If appropriate, procedures used for gathering the above records will also require the employee’s approval to gather, store, view, utilise, report and dispose of their private data.
The director will only access the employee's personal information if it necessary to fulfil their responsibilities.
Employees must only access the clients private and confidential information if it is necessary to deliver the services provided by Melbourne Quality Care Services
Employees and Clients have the right to access all this information as well as request access to private information that Melbourne Quality Care Services occupies concerning them, exclusive of presenting a justification to ask for access. Render adjustments and changes and if they believe the information is not accurate, correct or true.
Any client access or modification demands must be presented to the employee responsible for monitoring the Client's personal information. All employees have the same access to or requests for modification as clients.
The director must be addressed, within two business days of obtaining a request for access or correction, the responding representative will give access or make clear why access has been rejected, rectify the private and confidential information, or provide explanations for not modifying it as well as present clarifications for any anticipated interruption in responding to the request.
A request for access or correction may be rejected in whole or in portion where it would have an unwarranted impact on the privacy and confidentiality of other individuals, the request is thoughtless and annoying. It may cause a dangerous threat to any individuals life or wellbeing. All client requests for access or correction refused by the director must be authorized and documented in the Client's file.
All employees who have been refused access or correction requests must be approved by the CEO and recorded in the employees file.
See Melbourne Quality Care Services’ Records and Information Management Policy and Procedure for additional details on exactly how Melbourne Quality Care Services securely stores and protects private data of their employees and clients.
Employee or client personal information can only be disclosed:
If an individual is in a situation where they believe they must disclose information about a Client or other employee that they would not usually reveal, they must consult with the director before disclosing the information
Under the Privacy Act 1988, Melbourne Quality Care Services is obliged to take proper measures to ensure that the foreign recipient does not infringe Australian Privacy Principles (APPs) Principle 8 prior to revealing private information and records to a foreign beneficiary. The director will be responsible for these investigations.
This obligation will not apply if the foreign recipient is dependent to a legislation or binding system which has the power to protect the private and confidential information in an approach significantly equivalent to that delivered by the APPs.
Notifiable Data Breaches Scheme
Under the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) Scheme is a federal scheme. Organizations are required to disclose certain information breaches to those impacted by the infringement, and to the Australian Information Commissioner.
A data breach happens when the private information retained by companies is damaged or exposure to it is not permitted. A violation of the data can occur as a result of failure of the management or security system, deliberate intent or technical failure.
Instances of information violations include:
In addition to the damage done to individuals who are the subject of information violations, such an incident may also cause Melbourne Quality Care Services significant economic harm.
The Data Breach Preparation and Response — A Guide to Managing Data Breaches under the Privacy Act 1988 (Cth), released by the Office of the Australian Information Commissioner (OAIC), provides further details on the NDB Scheme.
The Data Breach Response Plan of Melbourne Quality Care Services explains its method to contain, assess and manage occurrences breaches of information.
Identifying a Notifiable Data Breach
A Notifiable Data Breach, occurs when:
Melbourne Quality Care Services is unable to prevent the potential risk of harm through corrective measures
Release or access to private information not permitted, or data lost in circumstances in which unauthorised access or release is probable to be present. Release or loss is expected to affect all individuals involved with the information. Serious damage may include damage to credibility in the form of a breach of information. Which may result in:
Any suspected or current information breaches must be identified to the [Position Title], who is responsible to assess the action of Melbourne Quality Care Services and if the breach is to be registered under the NDB Scheme. It will not be considered a notifiable data breach if the director of Melbourne Quality Care Services responds promptly to reduce the information violation.
Responding to a Data Breach
If the director assumes that a data breach is notifiable under the NDB Scheme, then an assessment must be conducted to evaluate whether this is the case. If the data breach is considered notifiable by the director, the Data Breach Response Team of Melbourne Quality Care Services must be advised.
All implicated individuals will be informed of the breach of information as promptly as possible by the Data Breach Response Team.
All occurrences of database breach, whether reportable or otherwise, must always be handled in compliance with Melbourne Quality Care Services' Data Breach Response Plan and recorded in Melbourne Quality Care Services’ Incident Register. As well as appropriate activities recorded in the Continuous Improvement Register of Melbourne Quality Care Services where necessary.
Where a breach is submitted to the Data Breach Response Team, its response will be established on the subsequent measures:
For additional information see Melbourne Quality Care Services’ Data Breach Response Plan.
Notifiable Data Breaches Involving More Than One Entity
The NDB Scheme acknowledges that the private information is often kept together by more than one individual. For example, one individual may have physical possession of the documentation while the other will have legal power or ownership of the document. Other examples include:
Under these circumstances, all companies ' responsibility under the NDB Scheme is deemed to be an eligible violation of the details. Just one corporation requires the measures needed by the NDB Scheme, and this should be the corporation most directly related to the individuals affected by the data breach. In which obligations are not fully met under the Scheme, both corporations will breach the Scheme's requirements.
Other Reporting Requirements
The NDIS Commission must be directly and immediately informed by the [position title] if Melbourne Quality Care Services becomes aware of any breaches or potential breaches of privacy law.
Breaches of information may also affect reporting obligations beyond the Privacy Act 1988, such as:
Victorian Protective Data Security Standards
Information, staff, ICT and physical security are covered by requirements. Four protocols support each standard. The Victorian Information Commissioner's Office (OVIC) regulates the standards.
Even though Melbourne Quality Care Services does not require to report straight to OVIC or finish the VPDSS compliance records released on the OVIC website (which public sector organizations are needed to do), compliance with the VPDSS is needed.
The Victorian Protective Data Security Standards (VPDSS) are component of the Victorian Protective Data Protection Structure (VPDSF) and create 18 compulsory high-level data security criteria across the Victorian public sector as well as service providers.
To ensure that Melbourne Quality Care Services cooperates completely with the Standards:
You can find more details at: https:/www.asd.gov.au/publications/protect/eight-explained.htm.
Archiving and Disposal
For details on how Melbourne Quality Care Services archives and disposes of Clients ' personal details, see Melbourne Quality Care Services' Records and Information Management Policy and Procedure.
Documents relevant to this policy and procedure include:
Melbourne Quality Care Services may make changes to this policy and procedures from time to time to improve the effectiveness of its operation. Generally, this entire policy will be reviewed in consultation with people using the service, their families and carers and workers annually.
All service planning, delivery and evaluation activities will include workers, client and other stakeholders and their feedback. Melbourne Quality Care Services’ annual service delivery and satisfaction surveys will include questions regarding: