Privacy and Records Management Policy and Procedures
1. PURPOSE OF POLICY
In accordance with the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (including the Australian Privacy Principles (APPs)), Privacy and Data Protection Act (2014) and Health Records Act 2012, in conjunction with all relevant state and territory privacy legislation, the Altius Group has established standards for the management of personal and health information. The Altius Group consists of Altius Holdco Pty Ltd and its subsidiaries.
These standards set out our obligations in relation to the collection, retention, security, access, use and disclosure of personal and health information.
In the course of providing our services, there is certain personal information we may require.
Who is responsible for privacy?
It is the responsibility of all Altius Group team members and contractors to protect the privacy of any individuals by managing personal and health information in accordance with this policy.
What is personal information?
Personal information is any information or opinion about an identifiable person (“an individual”). This includes records containing an individual’s name, address, telephone number and gender.
What is health information?
Health information is a specific type of personal information, which includes information or an opinion about the physical or mental health of an individual, or the disability of an individual.
2. PRIVACY STANDARDS
Lawful – Altius Group will only collect personal and health information directly related to a function or activity related to the function or activity being offered.
Relevant – Altius Group will ensure that the health information collected is necessary, relevant, accurate, complete and up to date.
Direct – Altius Group will collect personal and health information directly from the individual to whom the information relates unless the individual has authorised collection of the information from someone else, or, in the case of information relating to a person under the age of 16 years, the information has been provided by a parent or guardian of the person, or other authorised representative of an NDIS participant.
Open – Altius Group will take reasonable steps to inform individuals (and their representatives) why we are collecting information, what we will do with it and who will see it.
2.2 Storage and Protection
- Storage – Altius Group records of individuals’ information are kept in electronic form, when not required for clinical care.
- Altius Group is required by law to retain medical records as long as it is required for our business function, for a minimum period of seven years or as required by state and territory legislation.
- CIM Employment by Altius adheres to the directive from the National Archives of Australia Notice of Disposal Freeze, meaning all records are archived and not disposed of.
- Altius Group, for the purposes of its NDIS Services, adheres to the directive from the National Archives of Australia Notice of Disposal Freeze, meaning all records are archived and not disposed of.
- Protection – Electronic information kept on computers is password protected and is available only to Altius team members and contractors who are involved in managing an individual, in the course of the Altius business.
- Disposal – Information or hard copy documents that are no longer required are disposed of appropriately using shredding machines into secure bins. Electronic data is securely archived so it is no longer accessible without a password.
2.3 Access and Accuracy
Transparent, Accessible and Accurate – Altius Group will take all reasonable steps to explain what personal and health information we are storing and how an individual is able to access this information without unreasonable delay or expense. Altius Group will endeavour to ensure that the information is relevant, up to date, complete and accurate before using it.
2.4 Use and Disclosure
Limited – Altius Group will only use and disclose an individual’s health information for the purpose for which it was collected, where the individual concerned is aware of this through explicit consent and it is a directly related purpose that you would expect.
Altius Group collects personal, sensitive and health information for the primary purpose of providing occupational rehabilitation services and to provide information to stakeholders including the employer.
When we collect personal, sensitive and health information we will explain the reasons for collecting the information and how we plan to use it.
If we do not collect your personal, sensitive and health information, we may not be able to provide our services, or our full range of services, to you and other stakeholders.
Personal information collected may be disclosed to the WorkSafe Agency, the employer, Insurer Agents, treating health practitioners and regulators where you have consented to the use or disclosure, or where we are required or authorised by law.
Personal, sensitive information may be disclosed to our research partners; however, they are required to follow strict privacy procedures.
Altius Group does not expect to disclose personal information to any overseas recipients.
Altius Group does not use or disclose personal information for the purpose of direct marketing. However, we may use personal or health information without consent in order to deal with a serious and imminent threat to any person's health or safety, where illegal activity is suspected or where requested by law enforcement authorities.
Identification – Altius Group allocates unique case numbers to all clients for internal use only, in order to effectively manage case records including file notes, reports and case records.
2.6 Information Collected
The amount and type of personal information Altius Group collects and holds about an individual referred to us may include, but is not limited to:
- Personal details such as name, address, date of birth, primary language, racial or ethnic origin and contact details including telephone numbers, address and photo ID.
- Detail of medical conditions and injuries and the manner in which any injury or condition arose.
- Information about a NDIS participant’s disability and the nature of the disability including functional capacity, psychological capacity and any other medical factors in relation to the disability that may be disclosed, which may impact on functional or psychological capacity and recovery.
- Functional and psychological status in relation to the compensable injury or condition (compensable under a government or private insurance scheme) and any other medical factors that may be disclosed that may impact on functional or psychological capacity, recovery and/or return to work.
- Information regarding employment, membership to a trade union, wage histories and compensation benefits where relevant.
- Information regarding social and work relationships as and when applicable to the purpose for which we are engaged.
- Information collected is relevant to the purpose, not excessive, is accurate and up to date.
- Information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
2.7 How is the information collected?
Via telephone, correspondence and liaison.
Face to face during assessments or meetings.
Through any photographic, auditory or video recordings. Please note: no recordings or photography will take place without the explicit consent of all parties in attendance.
Via Telehealth for the purposes of assessments, treatment or counselling sessions and meetings.
Through medical case conferences.
At the workplace through assessment or meetings with the employer.
At the NDIS participant’s home, day facility, school or other location as nominated by the participant or their representative through assessment or meetings.
Through the reports of third parties including treatment providers.
Through medical reports and investigations that are provided by other parties as required for eligibility of benefits within the Personal injury and / or Workers Compensation Scheme.
2.8 Purpose of collecting and holding information?
To ensure the most efficient and useful direction of services.
2.9 Anonymity and Pseudonymity
Individuals have the option of not identifying themselves or of using a pseudonym unless the Altius Group is required or authorised under Australian law or a court/tribunal to identify the individual or it is impracticable to deal with the individual anonymously or by a pseudonym.
2.10 Overseas recipients
No personal data is provided to overseas recipients. Your personal, sensitive and health information is securely stored within Australia; however, Altius Group team members can access this information remotely from outside of Australia, through secure password protected sign in.
Consent is provided by one or more of the following means.
By signing relevant medical certificates that explicitly outline how an individual consents to information release and exchange by relevant participants in the relevant scheme.
By completing and signing the Altius Group or related Business Unit consent form. This includes during direct face to face contact or through Telehealth platforms and electronic applications.
By completing and signing the Altius Group NDIS Service Agreement Schedule of Supports and Consent section of this form, either prior to the commencement of services or during the first direct face to face contact following provision of the Service Agreement.
By obtaining verbal approval from the individual for the release and exchange of information to relevant scheme participants. In this instance a clear file note is documented.
Where an interpreter is involved, Altius ensures that the interpreter co-signs any information release agreement.
In relation to the Altius Group service provision, information may be exchanged between the nominated treating doctor, the employer, the insurer or agent, other treating practitioners, injury management consultants and any other authorised scheme authority or administrator.
For the purposes of Altius Group NDIS service provision, information may be exchanged between the participant’s treating doctor and allied health professionals, the support coordinator or other referring party and any other person nominated by the participant in writing on the Service Agreement.
Where reasonable and practicable to do so, we will collect your personal information only from you. However, in some circumstances we may be provided with information by third parties. In such a case we will take reasonable steps to ensure that you are made aware of the information provided to us by the third party.
4. INFORMATION AND DOCUMENT ACCESS
All requests for personal information must be sent in writing to Altius Group by emailing email@example.com. Altius Group endeavours to respond within a reasonable period after the request is made and provide access to the information in the manner requested where reasonable and practicable to do so.
Any request for the release of an individual’s information is to be forwarded to the quality management team via the continuous improvement email.
Altius Group will provide an individual with copies of all assessments, plans or progress reports prepared for them, unless it is deemed that information contained within those reports may be detrimental to the health and welfare of the individual. This may be particularly relevant for individuals with psychological injuries. Further, note that there may be other grounds on which information may not be disclosed including where it is unlawful to give access to the information or to the extent that giving access would have an unreasonable impact on the privacy of other individuals. If access to personal information is refused, or access in the manner requested is refused, Altius Group will write to the individual to inform them of the reasons why (unless unreasonable to give reasons having regard to the grounds of refusal) and the complaints process.
Altius Group will not provide an individual, or any other party, with reports received from third parties. The individual will be advised that requests for such information need to be forwarded to the relevant author of the report or the third party in question.
Altius Group may also provide information to other parties in the case where:
- We reasonably believe it is necessary to assist an enforcement body to perform its functions.
- We suspect that an unlawful activity has been, is being or may be engaged in and the personal information is a necessary part of our investigation or reporting of the matter.
- We reasonably believe it is necessary to prevent a threat to life, health or safety.
- We are authorised or required by law to do so (e.g. where information is required by bodies regulating us or in response to subpoenas or warrants).
- We have contracted an external organisation to provide support services and that organisation has agreed to conform to our privacy standards.
5. FILE AND INFORMATION CONSISTENCY
To ensure correct information and data collected from individuals is consistent across the board, Altius Group team members and contractors are trained and mentored as to keeping accurate file notes, effective individual interview techniques and observing individual behaviour and body language.
File reviews with the Line Manager will provide feedback to Altius Group team members and contractors as to how to effectively obtain and update important information from an individual and record this in a consistent manner whilst maintaining respect and confidentiality at all times.
Where Altius Group is satisfied personal information held is inaccurate, out of date, incomplete, irrelevant or misleading, or where an individual requests that Altius Group correct information, we will take reasonable steps to ensure that the information is accurate, up to date, complete, relevant and not misleading having regard to the purpose for which the information is held. Where an individual requests that other entities using that information are notified of any correction of information, Altius Group will take reasonable steps to do so unless it is unlawful or impracticable to do so.
Where Altius Group refuses to correct the information, Altius Group will write to the individual to inform them of the reasons why to the extent reasonable to do so and the complaints process. Where an individual requests that a statement is associated with the information that the individual considers that the information is inaccurate, out of date, incomplete, irrelevant or misleading to make their view apparent to users of that information, Altius Group will take reasonable steps to do so.
6. PRIVACY ON OUR WEBSITES AND APPLICATIONS
This policy also applies to any personal information Altius Group collects via its websites, and applications, including mobile applications, in addition to personal information individuals provide to Altius Group directly, through completing request forms or registration forms.
Altius Group may contact an individual using the personal information provided in order to:
Keep the individual informed of latest trends within the workplace wellbeing sector and provide relevant workplace health information.
Provide information about upcoming events and other matters that may be of interest.
Send newsletters and updates on services and changes including relevant legislative requirements.
If an individual receives any communications from Altius Group which they no longer wish to receive, they may request removal of their personal information from the mailing list by emailing firstname.lastname@example.org, allowing 14 days for this request to be processed.
7. MARKETING INFORMATION
In relation to employers, we may send promotional information about other services we believe may be of interest. However, should you not wish to receive such material, please inform our Marketing Manager by email: email@example.com and we will ensure your name is removed from our mailing list. Opt out procedures are also included on our marketing communications.
8. POLICY CHANGES
9. PRIVACY COMPLAINTS
Grievances concerning team member or individual privacy (including concerning potential breach of the Australian Privacy Principles) should be raised in the first instance with the team member's Line Manager. If this Line Manager is unable to resolve the matter, it may be referred to the Group Quality Manager by emailing firstname.lastname@example.org. We will inform the individual of who will manage the complaint and we will endeavour to ensure the complaint is resolved to the individual's satisfaction.
Should the individual feel their complaint has not been resolved at this level, or after 30 days of making the initial complaint, they may then complain to the Office of the Australian Information Commissioner (www.oaic.gov.au) telephone 1300 363 992. Before investigating a complaint, the commissioners are legally required to be satisfied that you have first expressed your concern to us to afford us an opportunity to resolve the complaint directly, unless it is inappropriate for you to do so.
10. DATA BREACH RESPONSE
As per the Privacy Act 1988, Altius Group has an obligation to report privacy breaches. As a result of an amendment to the Privacy Act, the Privacy Amendment (Notifiable Data Breaches) Act 2017, notification to the Office of the Australian Information Commissioner (OAIC) will be mandatory when a data breach could give rise to a 'real risk of serious harm' to the affected individuals.
Please refer to the Altius Group - Data Breach Policy and Procedures for a step by step guide to follow for reporting serious / notifiable data breaches to the OAIC and Altius Group.
Further information on this can be found at:
Information about the Australian Privacy Principles can be found at: https://www.oaic.gov.au/privacy/australian-privacy-principles/
Altius Group Complaint Management Procedure
Altius Group Document Retention and Destruction Policy
Altius Group Information Technology and Social Media Policy
Altius Group Cyber Security and Data Classification and Handling Standards