Purpose
Yorgum is bound by the Privacy Act 1988 (Privacy Act). Any personal information collected will be handled in accordance with the Australian Privacy Principles (APPs) outlined in the Privacy Act.
Yorgum is committed to protecting client and employee information.
Scope
This policy must be followed by all employees and Directors.
Relevant Legislation and Standards
- Privacy Act 1988
- Australian Privacy Principles
Related Policies and Documents
- Records Management Policy
- Data Breach Response Policy and Procedures
- Client Rights and Responsibilities (Healing Services)
- Client Rights Link-Up
- Request for Access of Information form
- Consent to Release and Obtain Information form
- Client Consent form
- Photo Consent form
Definitions
- Privacy – protects consumers from unfair or unauthorised use of personal or sensitive information.
- Personal information – is any information that can lead to an individual being identified.
- Sensitive information – any information about an individual’s racial or ethnic origin, sexuality, health, religious/philosophical/political beliefs, criminal record.
- Confidentiality – relates to how information that has been disclosed in a professional relationship is treated.
Policy
Yorgum collects and administers a range of personal information for the purposes of employee and client management. The organisation is committed to protecting the privacy of personal information it collects, holds, and administers.
Yorgum recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand and made accessible to them on the other. These privacy values are reflected in and supported by our core values and philosophies and also reflected in our Privacy Policy which is compliant with the Privacy Act 1988 (Cth).
Yorgum is bound by laws which impose specific obligations when it comes to handling information. The organisation has adopted the following principles contained as minimum standards in relation to handling personal information. Yorgum will:
- Collect only information which the organisation requires for its primary function;
- Ensure that stakeholders are informed as to why we collect the information and how we administer the information gathered;
- Use and disclose personal information only for our primary functions or a directly related purpose or for another purpose with the person’s consent;
- Store personal information securely, protecting it from unauthorised access; and
- Provide stakeholders with access to their own information and the right to seek its correction.
Personal Information Handling Practices
1. Collection of Personal Information
Yorgum will only collect personal information necessary to deliver services and conduct the business activities that support this. The following personal information may be collected but is not limited to:
- Contact and identification details
- Personnel matters for staff and contractors
- Information to meet funding and service agreement obligations
- Information for quality improvement purposes
Sensitive information will be collected if necessary for service provision and to meet funding agreements. Sensitive information collected may include details of a complaint, racial or ethnic origin, and/or other health information or services sought by the individual.
Collecting Personal Information from Children and Young People
Personal information about children and young people may be collected directly through their parents or guardians or from their education providers. If children and young people are over the age of 16, information will be collected directly as they are likely to have the capacity to understand any privacy notices provided to them and to give informed consent to collection. For children under the age of 16 or where capacity to provide consent is at issue, a parent or guardian will be notified and their consent sought.
Anonymous/Pseudonym
Clients have the right to remain anonymous or use a pseudonym as per the Privacy Act (1988). However, in some of the work undertaken in Yorgum, it may be impracticable for clients to use a pseudonym or remain anonymous. There may be certain circumstances where Yorgum is required or authorised by law to only deal with identified individuals.
2. Methods of Collecting Personal Information
Personal information is collected directly from individuals or their authorised representatives and through referrals from other service providers. Methods used to collect this information include:
- Face to face interactions through client interviews and counselling sessions.
- Forms and documents completed by the client.
- Communication via telephone, mail, email, or SMS.
3. Storage and Security of Personal Information
Yorgum will take all reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification, or disclosure and undertakes the following measures:
- Hard copy documents are stored in secure filing systems.
- Electronic records are stored in secure databases and are password protected.
- Only authorised users are provided with access to individuals’ personal information.
- Destroy or de-identify information in accordance with legal requirements for retention and disposal.
- Conduct regular audits to ensure compliance with record keeping practices.
4. Use of Personal Information
Yorgum uses personal information for the following reasons:
- To provide services to clients which may include:
- The provision of counselling, support, and advocacy
- Undertake family tracing
- Organise and manage reunions
- Performing employment and personnel functions – Yorgum collects personal information from employees and job applicants and may store information for the purposes of future recruitment.
- Meet regulatory and funding requirements – for the purposes of internal reporting and improvement of services.
- Marketing purposes – Yorgum may use personal information to communicate with individuals through direct marketing to inform them about Yorgum events.
5. Disclosure of Personal Information
Yorgum will not use or disclose client’s personal information to any other persons or organisations for any other purpose unless:
- Consent has been granted by the client to disclose their personal information to other organisations or persons.
- The use or disclosure is for a purpose directly related to providing care to the client.
- It is a legal requirement.
6. Accessing Personal Information and Correction
Individuals may request access to the personal information that Yorgum holds about them. Requests to access personal information:
- Must be made in writing by completing a Request for Access of Information form.
- Be addressed to the appropriate Manager.
- Request for Access of Information form to be emailed to admin@yorgum.org.au
All requests for access are processed in conjunction with privacy legislation as soon as practicable and generally within 30 days.
Yorgum can refuse a client access to their personal information only if providing access would:
- Pose a serious threat to the life or health of any person.
- Have an unreasonable impact on the privacy of other people.
- Be unlawful.
- Be likely to prejudice an investigation of possible unlawful activity.
and if:
- The information relates to legal proceedings (existing or anticipated) between Yorgum and the person.
- Denying access is required or authorised under another law or has been requested by a law enforcement agency.
- The request for access has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again.
- The person has been provided with access to their information already and is making an unreasonable repeated request for access to the same information in the same manner.
If access to view a client file is refused, a written reason for the refusal (with the reason relating to the exemptions above) will be provided.
7. Maintaining the Quality of Personal Information
Yorgum will take reasonable steps to make sure that client’s personal information is accurate, complete and up to date. Employees will check contact details with clients before embarking on outreach or at a client appointment. If a client needs to change their personal information that is inaccurate, incomplete or out of date, they should advise Yorgum staff and all reasonable steps to correct the information will be taken.
8. Unsolicited Personal Information
Personal information unintentionally received by Yorgum such as misdirected mail or promotional flyers will be disposed of accordingly.
9. Disclosure of Personal Information to Overseas Recipients
Yorgum does not disclose personal information to overseas recipients.
10. Data Security and Retention
Yorgum will:
- Only destroy records in accordance with the organisation’s Records Management Policy.
11. Notifiable Data Breaches Scheme
In the event of any loss or unauthorised access or disclosure of personal information that is likely to result in serious harm, Yorgum will:
- Investigate; and
- Notify the people concerned and the Australian Information Commissioner as soon as practicable in accordance with the Privacy Act.
12. Privacy Complaints
If there are questions or concerns about the collection, use or disclosure of personal information or non-compliance with this Privacy Policy or the Privacy Act, clients can contact Yorgum directly.
Yorgum will investigate the complaint and determine whether a breach has occurred and what action, if any, to take.
Yorgum will aim to resolve any such complaint in a timely and efficient manner. The target response time is 30 days.
To lodge a complaint about a privacy issue, clients can complete a Client Feedback form or contact Yorgum directly by telephoning, emailing, or speaking to a staff member using the details set out below:
- Phone: (08) 9218 9477 or 1800 469 371
- Mail: Yorgum Healing Services, PO Box 236, Northbridge WA 6865
- Email: admin@yorgum.org.au
- Website: https://www.yorgum.org.au/contact/
Yorgum expects its internal procedures will deal fairly and promptly with a privacy complaint. However, clients who remain dissatisfied can make a formal complaint in writing to the Officer of the Australian Information Commissioner (OAIC):
Phone: 1300 363 992