- Purpose and Objectives
- Privacy Act 1988 - Australian law which regulates the way personal information about individuals is handled including the collection, use, storage and disclosure of that information.
- Notifiable Data Breach scheme – The Notifiable Data Breach scheme is the reporting of eligible data breaches to the Office of Australian Information Commissioner (OAIC). The scheme comes into effect from 22nd February 2018 through amendments to the Privacy Act 1988.
- Office of the Australian Information Commissioner (OAIC) – an independent Australian Government agency which acts as the national data protection authority for Australia.
- Australian Privacy Principles – outlines how Australian and Norfolk Island Government agencies, all private sector and not for profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses must handle, use and manage personal information.
- Personally Identifiable Information – any data that could potentially identify a specific individual. Any data that can be used to distinguish one individual from another.
- Confidentiality – is the protection of personal information. Maintaining confidentiality means keeping client, patient, customer and or organisation information to yourself and not telling others the information.
- Sensitive Information – the type of personnel information that includes information about an individual’s health, racial or ethnic origin, political opinions, membership of a political association, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, biometric information used for certain purposes or biometric templates
- Policy Content
The Australian Privacy Principles set out how businesses handle individuals’ personal information. It is the policy of Inspire Ability to follow and comply with the privacy principles set out in the Privacy Act 1988.
- APP 1 - Open and transparent management of personal information
Inspire Ability will ensure compliance with the Privacy Act 1988 and Australian Privacy Principles through the implementation of this policy and the sharing of the policy with clients, associates, stakeholder and the general public where requested. Inspire Ability will take all reasonable steps to ensure the transparent management of personal information.
- APP 2 – Anonymity and pseudonymity
Inspire Ability will take all reasonable steps to ensure that all clients, families and carers are provided with the option of not identifying themselves or using a pseudonym.
- APP 3 – Collection of solicited personal information
All personal information that is collected through the provision of services will be managed in a secure and confidential way. Only Inspire Ability staff who require access to the information for the completion of their duties will be able to access the information.
- APP 4 Dealing with unsolicited personal information
Any personal information that is not solicited for the purposes of service provision but is provided willingly by the client will be treated with the same level of security and confidentiality as any other personal or sensitive information collected by the organisation.
- APP 5 - Notification of the collection of personal information
Inspire Ability will at all times ensure that the client, family or carer is aware that information being collected will be stored and utilised to provide the highest level of service. All clients, families and carers will be advised when information is being collected and how that information will be stored and managed.
- APP 6 - Use or disclosure of personal information
Inspire Ability will not disclose any personal information collected or held through the provision of service. It is the policy of Inspire Ability to take all reasonable steps to ensure that all personal information held is secure and accessed only by those who use the information for the provision of service either within the organisation or through the shared delivery with another provider. Inspire Ability has an access control policy in place which determines which employees or service providers are able to access certain personal and sensitive information. Only those authorised are able to access personal and sensitive information. Inspire Ability will only disclose relevant information to another provider for ongoing provision of service and where there has been permission provided or where there is the expectation that the information will be shared with another provider for the ongoing provision of service.
Where information held by Inspire Ability is to be used for compliance, reporting or statistical reasons, all information will be de-identified before it is used in these ways.
- APP 7 - Direct marketing
Inspire Ability will not use any information collected to directly market to the client, family or carer. Information collected will not be shared with any third-party marketing company. Inspire Ability will only use information collected to provide advice and information to the client, family or carer about the service they are involved with.
- APP 8 - Cross-border disclosure of government related identifiers
Inspire Ability will not share any personal information with an entity outside of Australia unless there is written consent relating to the sharing of information for the purposes of ongoing provision of service for the client. All reasonable steps will be taken to ensure that the information is secure.
- APP 9 – Adoption, use or disclosure of government related identifiers
Where Inspire Ability may have access to a clients government identifiers for the purposes of providing service to the client, the identifier will not be used or disclosed and will remain confidential in all ways.
- APP 10 – Quality of personal information
Inspire Ability will take all reasonable steps to ensure that all information collected form the client, family or carer is accurate, up to date and complete. Where Inspire Ability is required to disclose information for the purposes of ongoing service provision, all reasonable steps will be taken to ensure that any information shared is correct, complete and up to date.
- APP 11 - Security of personal information
Inspire Ability will take all reasonable steps to ensure the security of all personal and sensitive information that is collected, used and held within the organisation. Inspire Ability will input all reasonable security solutions to provide best practice security throughout the organisation and its operations. Through the implementation of, best practice security features, Inspire Ability will develop a security culture among all staff and associates of the organisation.
Security measures may include, but are not limited to:
- Access controls policies and procedures
- Password policies and protocols
- Business grade virus protection
- Enterprise grade firewall
- Multi-factor authentication
- Regular risk management and assessment policies and procedures
Where third party providers are a part of the operations Inspire Ability will take all reasonable steps to ensure that all data is secure and third-party providers operate in a secure, privacy conscious environment.
- APP 12 – Access to personal information
Inspire Ability will endeavour to make all information accessible to the client where it is requested. Clients may request access to their personal information that is stored by the organisation. This request must be made in writing to the manager of Inspire Ability. Information will only be shared where approval is provided.
- APP 13 – Correction of personal information
Clients of Inspire Ability may request the correction of personal information stored where they are aware of incorrect information. The request must be made in writing to the manager of Inspire Ability, who will take all reasonable steps to ensure that the information is corrected and complete.
Inspire Ability has implemented a policy around staff access to data and who has access to what data based on the needs and requirements of their position within the organisation.
Where there is an identified breach of data, Inspire Ability will follow the organisation Notifiable Data Breach policy and any other relevant legislation and guidelines. For more information about how Inspire Ability manages data breaches see the Notifiable Data Breach Policy.
Where the held data is no longer needed, Inspire Ability will ensure all personal data is de-identified or destroyed in a manner where no identifying part of the data is accessible. Inspire Ability will adhere to the Data Destruction Policy of the organisation. See the Data De-identification and Destruction Policy for more information.
- Review Statement
This policy will be reviewed annually as a part of the ongoing review and continuous improvement of all of Inspire Ability policies and procedures. In the case where changes to legislation and regulations that may impact this policy, a review will be carried out within 30 days of the change to legislation, regulation or other regulatory requirements.