General Policy Statement
The Australian Privacy Principles are part of the Privacy Act 1988 and came into effect on 12 March 2014 to protect the privacy of individuals. You can find out more about these principles by calling the Office of the Privacy Commissioner on 1300 36 39 92 or through their website at www.oaic.gov.au
CatholicCare ensures that clients who access services and CatholicCare personnel are always treated with dignity and respect. CatholicCare demonstrates this regard by respecting the individual’s right to privacy and by safeguarding personal information. The individual’s privacy rights are held paramount unless there are serious legal requirements to the contrary, e.g. release is required by a court-issued subpoena.
CatholicCare’s policy and procedures are based on the Australian Privacy Principles and Health Privacy Principles. They set out agency practice in the collection, holding, use and disclosure of personal information. By providing CatholicCare with personal information, clients and personnel consent to the agency using, disclosing and handling it in accordance with this policy.
As legally required, CatholicCare follows detailed privacy procedures to be compliant with contractual obligations to a range of stakeholders and government departments.
Any eligible data breach is reported to the Office of the Australian Information Commissioner. Individuals who have been affected are notified and provided with recommendations about any action they can take to minimise the impact of the breach.
1. Transparent Management of Personal Information
Further information for clients regarding management of personal information is contained in CS Policy 8 Client Records Management which is publicly available.
Information for employees is contained in WS Policy 2.7 Employee Records to which all employees have electronic or paper access.
Clients have the right to remain anonymous when making contact with CatholicCare. However, it is usually necessary for CatholicCare to obtain some information in order to facilitate the effective delivery and management of services. Due to contractual obligations, CatholicCare may also be required to obtain certain data to demonstrate accountability for the funding received. If clients choose not to disclose any personal information at all, this may result in limited service.
3. Collection and Notification of Collection of Personal Information
In all programs clients are provided with information about privacy and the limitations of confidentiality during their first contacts with CatholicCare. They are advised of the type of information that is collected and the purposes for which it is used. They are required to agree to the delivery of services from CatholicCare. By giving this agreement and providing CatholicCare with personal information, clients consent to the agency using, disclosing and handling the information in accordance with this policy.
In situations where they are legally obliged to participate (e.g. children in foster care), every effort is made to empower clients to determine the nature of the services to be given.
CatholicCare only collects personal information relevant to the application being made, to the service being provided or to its improvement. This may include (but is not limited to) a person's name, contact details, date of birth, email address, occupation, family background and financial records.
Personal information is collected verbally (e.g. face-to-face, telephone), in writing (e.g. letters, forms) or electronically (e.g. emails, website). Clients and personnel provide personal information in a range of circumstances including:
- provision of information about services
- assessment of eligibility for services
- service provision
- participation in surveys and other research
- handling of complaints
- applying for a job with CatholicCare and assessment of eligibility for employment
- the meeting of legal employment obligations and management of employee records
- placement of someone on a mailing list and sending out newsletters
CatholicCare only collects personal information directly from the person concerned unless:
- that person has given consent for collection from someone else or
- it is unreasonable to do so
Other people or organisations from which CatholicCare may collect personal information include:
- a person's representative
- a person's employer
- referring agencies
- non-government organisations
- government agencies
- law enforcement agencies
Unless allowed by legislation (e.g. Working with Children Checks must be verified for all applicants for child-related work), sensitive information is only collected if the individual consents to its collection, it is reasonably necessary for CatholicCare to carry out its activities with that person and it is in the best interests of the individual to do so. This information may include details about health, disability, racial or ethnic origin, criminal convictions and tax file numbers. Sensitive information is generally afforded a higher level of protection.
4. Dealing with Unsolicited Personal Information
If CatholicCare receives unsolicited personal information, it determines whether this information is reasonably necessary for the activities conducted by the agency in relation to the client concerned and could have been solicited by CatholicCare. If so, CatholicCare treats the information with the same regard to privacy as if it had been solicited. If not, CatholicCare destroys the information or ensures that it is de-identified.
5. Use or Disclosure of Personal Information
CatholicCare only discloses personal information to another party if:
- consent is given by the individual or
- disclosure is authorised by an Australian law or court order or
- disclosure is reasonably believed to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or a serious threat to public health or public safety.
Wherever possible, consent is obtained in writing. If only verbal consent is possible, the fact that this has been given is recorded in the individual's file.
When it is not possible for someone to exercise a valid consent in regard to the collection or possible disclosure of their personal information, CatholicCare follows the guidelines of the Office of the Australian Information Commissioner.
Although it is not absolute, CatholicCare respects the rights of children to have a reasonable level of control over their personal information. In matters that affect children, much will depend on the child's age, maturity, ability to comprehend and the particular circumstances of the case. Appropriate communication is critical in these situations.
6. Direct Marketing
CatholicCare only uses personal information for direct marketing purposes if the information has been provided by the individual with the expectation that it would be used for this purpose. A simple request, either verbal or written, is all that is required for a person to discontinue receipt of direct marketing communications.
At any time, an individual may ‘opt-out’ of receiving Direct Marketing communications by:
- using the Unsubscribe link / facility provided, or by
- contacting CatholicCare on 4227 1122 or via firstname.lastname@example.org
7. Cross Border Disclosure of Personal Information and Data Flow to Government Agencies
Personal information is not transferred to state or Commonwealth agencies unless the consent of the client is obtained or transfer is required as part of a funding or service agreement between the government body and CatholicCare, e.g. Out of Home Care and ParentsNext Programs.
8. Use or Disclosure of Government Related Identifiers
CatholicCare does not use government related identifiers in its own management of personal information unless required or authorised by legislation.
9. Quality and Correction of Personal Information
CatholicCare is committed to making sure that the personal information collected is accurate, up-to-date and complete. Where appropriate, information is substantiated by official documents, e.g. birth certificates.
If CatholicCare is satisfied that personal information held is inaccurate, out of date, incomplete, irrelevant or misleading or if an individual requests that information be corrected, then CatholicCare takes reasonable steps to correct the information and to notify other parties to whom it may have given incorrect information.
Requests for amendments are made in writing and, where possible, substantiated by relevant documentation. The decision to amend a CatholicCare client record is made by a Manager. Should a request for amendment be refused CatholicCare provides the reasons for refusal. In this situation clients or personnel have the right to request CatholicCare to place a statement on the file that the person concerned believes the information is incorrect.
10. Security of Personal Information
Access within CatholicCare to personal information of both clients and personnel is restricted to those with a direct professional interest in the matter on a 'need to know' basis. This is generally to personnel directly involved in the delivery of services and those who are responsible for the management of such activities. Specific details are set out in CS 8 Client Records Management and WS 2.7 Employee Files.
Access restrictions apply to both paper and electronic records. Secure storage measures include lockable cabinets and protected access to electronic files.
Records are kept for the amount of time required by legislation or best practice guidelines and then securely destroyed. For most clients and personnel, information collected from adults is kept for 7 years. Information collected from people under 18 years of age is kept until they are 25 years old. In some instances, legislation requires information to be kept for longer periods, e.g. children in the Permanency Support Program (formerly Out of Home Care Program) and employees involved in Workers Compensation claims.
11. Access to Personal Information
Generally, clients and personnel have the right to access their personal information held by CatholicCare, subject to some exceptions permitted by law.
Requests should be made in writing and specify, as far as possible, the information sought. Approval for access is given by Managers on the recommendation of a staff member familiar with the client records. Wherever reasonable and practicable, the information is provided in the manner requested by the person concerned. If CatholicCare refuses a request, reasons for the refusal are given. CatholicCare endeavours to respond to requests within 30 days.
Where appropriate, a CatholicCare staff member assists and supports the client (or former client) when accessing a file.
Children aged from 13 to 18 years are assisted in understanding that they have the right to ask for any information that is kept about them by CatholicCare, to read their files and to add information to their files. For younger children, an assessment is made of the information to be provided and the most appropriate and supportive way in which to do this. This decision is made by the Manager on the recommendation of the child's Caseworker.
Formal complaints about breaches of the Australian Privacy Principles, the Health
CatholicCare endeavours to resolve complaints within 30 days.
Complaints may also be made to the Privacy Commissioner.
13. Mandatory Data Breach Notification to the Office of the Australian Information Commissioner (OAIC)
CatholicCare takes reasonable steps to protect the personal information of individuals from unauthorised disclosure, misuse, interference and loss (see Section 7.10 Security of Personal Information).
If an employee becomes aware that there are reasonable grounds to believe that there has been any form of data breach in relation to personal information, this is reported to the relevant Executive Manager and the Executive Manager, Quality and People & Culture immediately.
These Executive Managers take the following action as soon as practicable:
- Ensure that appropriate remedial action is taken, both to contain the breach and to minimise the likelihood and seriousness of harm to those to whom the information relates. This is done in consultation with the Manager, Information and Communication Technology if relevant.
- Using the Notifiable Data Breach Scheme: Resources for agencies and organisations (OAIC), assess whether the breach meets the criteria for an eligible data breach, i.e. there is a likelihood of serious harm (see Section 6 Definitions).
- If so, determine which individuals have been affected and ensure that they are notified and provided with recommendations about any action they can take to minimise the impact of the breach.
- Oversee the identification and implementation of system or process changes to prevent a future recurrence.
Within 30 days, the Executive Manager, Quality and People & Culture prepares a Notifiable Data Breach Statement (form) for signature of the Director and notifies the Office of the Australian Information Commissioner. Depending on the circumstances of the breach, the Executive Managers also consider whether any disciplinary action is warranted (see WS 4.2 Managing Conduct and Performance).
15. For Further Information
CatholicCare Privacy Officer
25-27 Auburn Street, Wollongong NSW 2500
Phone: 02 4227 1122