PRIVACY AND CONFIDENTIALITY POLICY AND PROCEDURE

The purpose of this policy and procedure is to ensure that Empowering Connection protects the privacy and confidentiality of participants, staff and other stakeholders and manages personal and sensitive information appropriately.

This policy and procedure applies to all staff and meets relevant legislation, regulations and standards.

Applicable NDIS Practice Standards

Information Management

Outcome

Each participant’s information is managed appropriately and securely.

Indicators

  • Policies and procedures are in place to ensure personal information is collected, used, disclosed, stored and destroyed in accordance with relevant legislation.

  • Participants are informed about how their personal information is collected, used, stored and shared.

  • Systems are in place to protect information from loss, unauthorised access, misuse or disclosure.

  • Information is accurate, complete and up to date.

Definitions

Personal information

Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not.

Sensitive information

Information about an individual’s health, disability, racial or ethnic origin, religious beliefs, sexual orientation or criminal history.

Confidential information

Information provided in circumstances where it is reasonable to expect that the information will not be disclosed to others without consent.

Policy

Empowering Connection respects the privacy and dignity of participants, staff and others and is committed to maintaining the confidentiality of personal and sensitive information.

Information is collected, used and disclosed only for lawful and authorised purposes and in a way that supports participants’ rights, choice and control.

Procedures

Collection of Information

Empowering Connection collects personal and sensitive information only where necessary for service delivery, employment, governance or legal compliance.

Information is collected:

  • directly from the individual wherever possible and

  • with informed consent, unless otherwise authorised or required by law.

Use and Disclosure of Information

Personal and sensitive information is used and disclosed only:

  • for the purpose it was collected

  • with the individual’s consent or

  • where required or authorised by law.

Information may be shared with other service providers, regulators or authorities only where appropriate consent has been obtained or legal obligations apply.

Consent

Participants are informed about:

  • what information is collected

  • how it is used

  • who it may be shared with and

  • their rights regarding access and correction.

Consent is documented and may be withdrawn at any time unless disclosure is required by law.

Storage and Security of Information

Empowering Connection implements safeguards to protect information from unauthorised access, loss, misuse or disclosure.

Information is stored:

  • electronically in secure systems with access controls and

  • in hard copy in locked storage with restricted access.

Only authorised staff may access personal or sensitive information relevant to their role.

Access to Information

Participants and staff may request access to their personal information held by Empowering Connection.

Requests must be made in writing and will be responded to within a reasonable timeframe unless access is restricted by law.

Correction of Information

Where information is inaccurate, incomplete or outdated, Empowering Connection will take reasonable steps to correct the information upon request or when identified.

Breaches of Privacy or Confidentiality

Actual or suspected privacy breaches must be reported immediately to the Chief Executive Officer.

The Chief Executive Officer will:

  • investigate the breach

  • take action to minimise harm

  • notify affected individuals where required and

  • report to relevant authorities where required by law.

Staff Responsibilities

Staff must:

  • maintain confidentiality at all times

  • access information only as required for their role

  • not disclose information without authorisation

  • securely store and dispose of information and

  • report suspected privacy breaches.

Training

All staff receive training during induction and ongoing training as required on privacy, confidentiality and information management obligations.

Supporting Documents

Documents relevant to this policy and procedure include:

  • Records and Information Management Policy and Procedure

  • Risk Management Policy and Procedure

  • Feedback and Complaints Policy and Procedure

  • Staff Code of Conduct

  • Participant Incident Management Policy and Procedure

Monitoring and Review

This policy and procedure is reviewed at least every three years by the Board of Directors.

Reviews incorporate staff, participant and stakeholder feedback where relevant.

Improvements identified are recorded and monitored through Empowering Connection’s Continuous Improvement Plan and inform service planning and delivery.