Policy statement

Therapy Connect is committed to maintaining a person’s right to privacy by upholding the Australian Privacy Principles (APP) and complying with the Privacy Act 1988 (Cth) and other relevant regulation, legislation and contractual requirements.

Scope

This policy applies to all Therapy Connect representatives, both paid and unpaid, including employees, directors, contractors and board members.

Responsibilities

It is the responsibility of directors to ensure that:

  • employees, contractors and board members are supported to understand and maintain privacy within and outside their professional roles;
  • personal and sensitive information, both electronic and physical, is kept safe and confidential in line with legislation and accessible only by authorised persons;
  • all personal information is stored securely with reasonable security precautions against misuse or unauthorised access;
  • key service information, including personal information, is regularly backed up as insurance against data loss; and
  • assessment, mitigation and required notification occurs where there is a breach of personal and/or sensitive data.

It is the responsibility of employees and contractors to:

  • only collect personal and sensitive information with the prior knowledge and consent of the person and for the purpose of delivering service;
  • protect personal, sensitive and confidential information from misuse, loss, unauthorised access, modification or disclosure while working with Therapy Connect and after this work has ended;
  • disclose personal, sensitive and confidential information to third parties only with consent and as authorised or in compliance with legislation;
  • safeguard any devices used for service delivery or the storage of personal information from loss, damage or unauthorised access;
  • consistently follow practices that keep computers and other systems and devices used for service delivery secure and up to date;
  • consistently use strong passwords for computers and systems used for service delivery;
  • ensure passwords are not accidentally or deliberately disclosed to a third party, including to colleagues; and
  • notify a director immediately of any suspected or actual unauthorised access, misuse or loss of data containing personal information.

Definitions

Personal information – Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true. This may include a person’s name, address, photograph, contact details, date of birth or employment details. It can be verbal or recorded in a material form.

Sensitive information – A subset of personal information and may include a person’s cultural or ethnic origin, health information (such as disability or use of health services), religious or philosophical beliefs, political opinions or party membership, membership of a professional or trade association or union, sexual orientation or practices, or criminal record.

Confidential information – Other information that Therapy Connect informs employees and contractors is to be kept private, or could reasonably be assumed to be. This may include organisational finances, governance information, employee or contractor information and records and the intellectual property of the organisation.

Consent – Consent can be explicit (verbal or in writing) or implied. It relies on the person being adequately informed before giving consent, giving it voluntarily, the consent being current and specific, and the person having the capacity to understand and communicate their consent. It is assumed that any person aged 15 or over has the capacity to consent, unless there is something to suggest otherwise.

Strong password – A password that cannot be easily determined or guessed and is unique to that purpose, device or tool, so that the compromise of one password does not expose other systems.

Backing up – Ensuring there are always at least two copies of important information, held on separate devices, so that the loss, theft or compromise of one device does not result in loss of the information.

Data breach – The unauthorised access to, unauthorised disclosure of, or loss of personal and/or sensitive information, whether deliberate or accidental.

Collecting information

Therapy Connect collects personal information only with the person’s knowledge and for the purpose of delivering services and supports. This may happen when a person contacts us for information or to enquire about a service, agrees to the commencement of service, participates in therapy sessions, provides feedback or lodges a complaint, or joins a mailing list.

The types of personal and sensitive information that we collect vary with the circumstances and will only be what is needed to deliver service. It may include information about a person’s name, age, contact details, cultural background, family relationships and health and may be in video form. It will primarily be information provided directly by the person or their family member to Therapy Connect in forms, documents and during service delivery or, with consent, by a health or other professional.

Remaining anonymous

A person can choose to be anonymous or use a pseudonym when interacting with Therapy Connect, except where identification is necessary, for example in order to effectively deliver a service.

Keeping information secure

Therapy Connect and its employees and contractors hold personal information electronically on secure shared drives, online portals, cloud-based services in and outside of Australia and on personal computers. Personal information is protected by encryption, access limited to authorised persons, user authentication, virus and malware protection and the regular back-up of data.

Accessing and correcting information

Any person wanting to access information about themselves held by Therapy Connect can contact the organisation by phone or email and will be asked to verify their identity before the information is provided. All reasonable steps will be taken to correct personal information if it is found to be inaccurate, incomplete, misleading or not current.

Disclosing information

Therapy Connect and its employees and contractors will only disclose a person’s personal or sensitive information, including health information, to other individuals, organisations and agencies with the person’s verbal or written consent. This consent will be renewed at least annually.

Therapy Connect is permitted to share information with specified agencies without consent if:

  • there are concerns about the safety, welfare and wellbeing of children and young people;
  • there have been allegations that a Therapy Connect employee or contractor has committed a sexual offence or misconduct against, or in the presence of, a child, or any other form of harm or neglect of a child; or
  • it is essential to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety, or to take appropriate action in relation to suspected unlawful activity or serious misconduct.

On occasion, Therapy Connect may seek still and video images of people receiving service to use in printed, electronic, video and audio publications. Specific written consent of any people able to be reasonably identified will be gained before publication.

Assessing, mitigating and reporting data breaches

Therapy Connect has obligations under the Privacy Amendment (Notifiable Data Breaches) Act 2017. Where a breach of data occurs or is suspected, Therapy Connect will assess the circumstances of the breach as soon as practicable (the scheme requires this assessment to be completed within 30 days of becoming aware of the suspected breach), act quickly to contain the breach and mitigate any harm, notify affected individuals if there is a likelihood of serious harm, recommend any steps individuals should take and report eligible breaches to the Australian Information Commissioner.

An eligible data breach arises when the following three criteria are satisfied:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
  • this is likely to result in serious harm to one or more individuals, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Retaining and de-identifying information

Therapy Connect and its employees and contractors will retain personal information for as long as it is needed for the purpose for which it was obtained and in order to comply with legal, regulatory, financial and administrative requirements. Where personal information is no longer needed for the purpose for which it was obtained, Therapy Connect will take reasonable steps to destroy or permanently de-identify it, including copies held in backups and on personal devices.

Relevant legislation

  • Privacy Act 1988 (Cth)
  • Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
  • Children and Young Persons (Care and Protection) Act 1998 (NSW), Chapter 16A