CAP001.02 Privacy & Confidentiality Policy
Date Last Updated:
Purpose And Scope
To ensure that management of clients’ personal information meets all relevant legislative and regulatory
This policy and procedure apply to current and potential clients, their carers and family members.
Because people with disabilities are more vulnerable to exploitation and abuse than others in the community,
workers with access to client information automatically occupy risk-assessed roles under the NDIS Commission.
The primary risk to privacy and confidentiality arises from the collection, storage and sharing of client information.
Access by non-authorised persons may expose clients to risk. Safe storage and access policy protect clients from
abuse and exploitation. This policy addresses these issues.
There is a risk that information will be shared inadvertently and without the intention to do harm. Information
may be unintentionally disclosed by careless use of tablet- or phone-based software, shared with a client’s
supporters against the client’s wishes, or disclosed to peers on the assumption that the information is publicly
Cultural assumptions around sharing information are diverse and change rapidly. Social media platforms
may allow clients to be identified. This risk may be minimised by:
• raising staff awareness of privacy and confidentiality
• ensuring consent is obtained before gathering data (including audio and photographic data)
• ensuring that consent is specific to the use of data, and that consent is current
• encouraging clients to provide feedback and complaints about the use of their information.
These issues are addressed in this policy.
Documents – all manuals, reference books, registers and files in hard copy or electronic data format.
Forms – all single or multi-part paperwork that has an approved layout used to record information. When data is
recorded on forms, they become records. Forms may be computer generated or pre-printed.
Health information – Any information or an opinion about the physical, mental or psychological health or ability
(at any time) of an individual.
Information – Knowledge communicated or received. The result of processing, gathering, manipulating and
organising data in a way that adds to the knowledge of the receiver.
Information management – supports effective and efficient management of information and is concerned with
the creation, production, collection, organisation, storage, protection, retrieval and dissemination of information
resources that may be in any format and available from internal or external sources.
Information Privacy – refers to the control of the collection, use, disclosure and disposal of information and the
individual’s right to control how their personal information is handled.
Personal information – Recorded information (including images)or opinion, whether true or not, from which the
identity (including those up to thirty years deceased) could be reasonably ascertained.
Records – Records are generatedas a result of some activity and are a statement of facts existing at the time and
cannot be revised. Superseded documents (or revised documents) can become records.
Records Management – the efficient and systematic control of the creation, receipt, maintenance, use and
disposal of records, including processes for capturing and maintaining evidence of and information about business
activities and transactionsin the form of records.
Sensitive information – Information or an opinion about an individual’s racial or ethnic origin, political opinions,
membership of a political party, religious beliefs or affiliations, philosophical beliefs, membership of a professional
or trade association, membership of a trade union, sexual preference or practices, or criminal record. This is also
considered to be personal information.
Sapphire Support is committed to the transparent management of personal and health information about its
clients and staff.
This commitment includes protecting the privacy of personal information, in accordance with the Australian
Privacy Principles (APPs) set out in the Privacy Act 1988 (Cwlth) amended by the Privacy Amendment (Enhancing
Privacy Protection) Act 2012 (Cwlth).
Personal information may include:
- date of birth
- current and previous addresses
- residency status
- telephone numbers and e-mail addresses
- bank account details
- tax file number
- Centrelink information
- race or ethnicity, and
- medical history or information provided by a health service
In collecting personal information, Sapphire Support will inform the client:
- that information is being collected
- the purposes for collection
- who will have access to the information
- the right to seek access to, and/or correct the information, and
- the right to make complaint or appeal decisions about the handling of their information
Client information is used to:
- assess and provide services
- administer and manage those services
- evaluate and improve those services
- contribute to research
- contact family, carers, or other third parties if required, and
- meet our obligations under the NDIS
- Consent must be voluntary, informed, specific and current
- Clients are to be provided with the Client Consent Form at the time of commencing service with Sapphire Support. This form is to be:
- signed and placed in the client’s file; held securely with access limited to staff members in the performance of their role
- Support, where rewuired, must be provided for the person to communicate their consent
Voluntary consent: A person must be free to exercise genuine choice about whether to give or withhold consent. This means they haven’t been pressured or coerced into make a decision, and they have all the information they need in a format they understand. Voluntary consent requires that the person is not affected by medications, other drugs or alcohol when making the decision.
Informed consent: A person’s capacity to make decisions will vary depending on the type of decision or its complexity, or how the person is feeling on the day. The way information is provided to a person will also affect his or her capacity to make decisions. Choices must be offered in a way that the person understands, for example by using images or signing.
Specific consent: Consent must be sought for a specific purpose and this purpose must be understood by the client.
Current consent: Consent cannot be assumed to remain the same indefinitely, or as the person’s circumstances change. People and guardians are entitled to change their minds and revoke consent at a later time.
Updating Client Information
To ensure that client information is accurate, complete, current, relevant and not misleading, Sapphire Support checks personal details and updates client files accordingly:
- whenever reviewing a client’s service; and/or
- upon being informed of changes or inaccuracies by clients or other stakeholders
There will be no charge for any correction of personal information.
Where Sapphire Support has previously disclosed client personal information to other parties, should the client request us to notify these parties of any change to their details, we must take reasonable steps to do so.
Collection and Storage of Personal Information
Sapphire Support collects information:
- directly from clients orally or in writing
- from third parties, such as medical practitioners, government agencies, client representatives, carer/s, and other health service providers
- from client referrals; and
- from publicly available sources of information
Sapphire Support will collect sensitive information:
- only with client consent, unless an exemption applies: e.g. the collection is required by law, court/tribunal order or is necessary to prevent or lessen a serious and imminent threat to life or health
- fairly, lawfully, and non-intrusively
- directly from client, if doing so is reasonable and practicable
- only where deemed necessary to support
- service delivery to clients
- staff activities and functions; and
- giving the client the option of interacting anonymity, if lawful and practicable
Sapphire Support takes all reasonable steps to protect personal information against loss, interference, misuse, unauthorised access, modification, or disclosure. Sapphire Support will destroy, or permanently de-identify personal information that is:
- no longer needed
- unsolicited and could not have been obtained directly; or
- not required to be retained by, or under, an Australian law or a court/tribunal order
Sapphire Support has appropriate security measures in place to protect stored electronic and hard-copy materials. Sapphire Support has an archiving process for client files which ensures files are securely and confidentially stored and destroyed in due course.
Sapphire Support respects the right to privacy and confidentiality, and will not disclose personal information except:
- where disclosure would protect the client and / or others
- where necessary for best service practice; or
- where obligated by law
For these purposes, Sapphire Support may disclose clients’ personal information to other people, organisations or service providers, including:
- medical and allied health service providers who assist with the services we provide to clients
- a ‘person responsible’ if the client is unable to give or communicate consent e.g. next of kin, carer, or guardian
- the client’s authorised representative/s e.g. legal adviser
- our professional advisers, e.g. lawyers, accountants, auditors
- government and regulatory authorities, e.g. Centrelink, government departments, and the Australian Taxation Office
- organisations undertaking research where information is relevant to public health or public safety; and
- when required or authorised by law
Accessing personal information
Clients can request and be granted access to their personal information, subject to exceptions allowed by law.
Requests to access personal information must state:
- the information to be accessed
- the preferred means of accessing the information
- and should be forwarded to the CEO either verbally, or in writing to:
Unit 1/42 Owen Creek Rd, Forest Glen, Qld 4556
The CEO will assess the request to access information, taking into consideration current issues that may exist with the client, and whether these issues relate to any lawful exceptions to granting access to personal information.
Should the CEO decide that access to personal information will be denied, they must, within 30 days of receipt of the request, inform the client in writing of:
- the reasons for denying access and
- the mechanisms available to complain or appeal
Should access be granted, the CEO will contact the client within 30 days of receipt of the request to arrange access to their personal information.
Should Sapphire Support be unable to provide the information in the means requested, the CEO will discuss with the client alternative means of accessing their personal information.
Reasonable charges and fees, incurred by Sapphire Support in providing the data as requested, may be passed on to the client.
Questions or concerns about Sapphire Support’s privacy practices should be brought, in the first instance, to the CEO’s attention.
Clients may directly email the CEO at email@example.com
In investigating the complaint Sapphire Support may, where necessary, contact the client making the complaint to obtain more information.
The client will be advised either in writing, or in a face to face meeting, of the outcomes and actions arising from the investigation.
If concerns cannot be resolved and clients wish to formally complain about how their personal information is managed, or if they believe Sapphire Support has breached an APP and/or IPP, they may send their concerns in writing to:
Office of the Information Commissioner, Queensland
PO Box 10143
Adelaide Street Brisbane
Telephone: (07) 3234 7373
Breaches of Privacy
Sapphire Support are required to disclose a data breach to the Office of Australian Information Commissioner if the data contains personal information that is likely to result in “serious harm”, which includes any of the following:
physical, psychological, financial or reputational harm. Personal information is information about an identified individual, or an individual who is reasonably identifiable.
Should a breach in privacy occur, potentially exposing client information (e.g. computer system hacked, laptop stolen etc.) the CEO will immediately act to rectify the breach in accordance with organisational policy and processes.
Any staff who identify a potential breach must immediately inform their line manager, who must report to the CEO for further action.