Actevate Privacy Policy and Data Breach Response Plan

1. Introduction

1.1. Actevate considers privacy to be freedom from intrusion and public attention.

1.2. Confidentiality is the assurance that written and spoken information is protected from access and use by unauthorised persons. With respect to confidentiality, Actevate staff members are to refer to the Code of Conduct for Workplace Rehabilitation Providers and are to note that the disclosure or misuse of confidential information held on official records, including client files, is illegal.

2. Position Statement

2.1. Actevate recognises that each person has the right, in all aspects of their lives, to privacy and confidentiality and to be treated with dignity. The organisation is committed to protecting the privacy of clients' information and Actevate will ensure that collection, documentation and record keeping systems follow principles of best practice and adhere to Australian Privacy Principles. Actevate will only collect information that is necessary for the provision of services to each client and will keep records in a standardised, accurate, objective and efficient manner. All client information will be kept in accordance with legal requirements, ensuring that the privacy and confidentiality of personal information is maintained at all times. Actevate will make information kept about a client available for that individual or their substitute decision makers to access at any time.

3. Legislation

3.1. In compliance with the following legislation – Privacy Act 1988 (Cth), Health Records (Privacy and Access) Act 1997 (ACT), NSW Privacy and Personal Information Protection Act 1998 and the NSW Health Records and Information Privacy Act 2002 – our service adheres to the privacy principles as outlined in this policy.

4. Australian Privacy Principles

APP 1: Open and Transparent Management of Personal Information

This principle sets out how Actevate can use and disclose personal information. Health service providers need to be open about how they handle health information.

On first meeting with the client, staff/contractors of Actevate are to provide a copy of the Consent Form and Actevate Privacy Policy. Clients are to sign the Consent Form to indicate that they have consented to the referral to our service and that they have been informed about what information will be gathered about them during the assessment process and how that information will be utilised/stored.

Informing the person from whom information is collected

By providing the Privacy Policy and signing the Consent Form, Actevate will clarify with the client the accuracy of information received through the referral process and will make them aware:

  • That information is being collected and for which purposes
  • Of the intended recipients of the information
  • Whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided
  • Of the client's right of access to, and correction of the information
  • How records are kept – i.e., electronic database
  • That the client has the right to withhold information for privacy reasons (clarification that withholding information may impact service planning)
  • That the only information held by Actevate about a client will be information necessary to assess the need for a service and to provide that service. Information will be as objective as possible, yet relevant and up to date.

APP 2: Anonymity and Pseudonymity

For clients receiving services, Actevate is required to identify them to funding bodies (insurers). It is therefore unlawful and impractical for us to deal with clients who have not identified themselves.

Where it is lawful and practicable to do so, individuals may deal with us anonymously (e.g., when enquiring about our products and services generally).

APP 3: Collection of Solicited Personal Information

Actevate collects personal and sensitive information from people only if this information is necessary for the provision of our service, functions and activities and only if consented to by the person.

Actevate only collects information in accordance with permitted general and health situations in relation to our service delivery. Actevate will only collect information by lawful and fair means.

Purpose of Collecting Information

The purposes may include:

  • Prioritising and processing referrals
  • Providing information regarding appropriate services
  • Referring clients on to other services (with their permission)
  • Assessing clients' service needs, offering service, referral and equipment to meet those needs
  • Providing relevant agreed services to clients
  • Assessing WH&S status of client's homes/workplaces for service provision
  • Service provision
  • Continuity of care
  • Keeping client records
  • Sending out and processing client accounts
  • Meeting funding, legal and regulatory requirements
  • Quality measurement and management

Type of Information Collected and Held

Includes but is not limited to:

  • Name and contact details
  • Details of birth, language preference and cultural affiliations
  • Pre-injury earnings
  • Accommodation and living arrangements
  • Health and medication
  • Functional abilities
  • Quality of life issues
  • Referral requirements
  • Workplace details and contacts
  • Present and future service requirements
  • Outcomes

Documentation kept on the client's individual file includes but is not limited to:

  • Referral information
  • Health screening data
  • Physical assessment data
  • Assessment reports – Actevate and other
  • Assessment of ability to perform duties and tasks of daily living
  • SIRA Certificate of Capacity
  • WH&S risk assessment and risk management plan (if required)
  • Consent forms
  • Complaints
  • Reports/information from and to other health practitioners
  • Client progress notes

Staff, Contractors and Students

Actevate collects information from you which is necessary to properly manage and operate its business. This includes collecting personal information such as your name, address and contact details, professional experience, qualifications and past employers, and any other information which may be necessary to appropriately conduct its business.

Job Applicants and Students

Actevate collects information from you which is necessary to assess and engage job applicants. This includes collecting personal information such as your name, address and contact details, professional experience, qualifications, references and past employers, and any other information which is necessary to process your job application.

APP 4: Dealing with Unsolicited Personal Information

Actevate will advise clients of any information obtained or collected, including unsolicited personal or sensitive information. If the information received is not relevant to the provision of Actevate services, functions and activities it will either destroy or de-identify the information.

APP 5: Notification of the Collection of Personal Information

All Actevate clients will be advised during referral and assessment processes about what information we collect and for what purpose.

Actevate will not collect information from sources that the client has not consented to.

Sources of Information

We obtain personal information from the following:

  • The individual to whom the information relates
  • The parent or guardian if a person is under the age of 16 years or has an official guardian who is authorised to pass on such information
  • Other persons whom the individual has authorised to pass on the information
  • Other health or service providers whom the individual has authorised to pass on information to Actevate
  • Workplace representatives

APP 6: Use or Disclosure of Personal Information

The organisation does not disclose any of the above information to others without the client's or the client's authorised representative's consent.

Actevate does not disclose or release client information to any persons or entities outside of Australia.

Actevate releases or discloses personal information only as permitted by general and health situations and only as required under Australian legislation i.e., mandatory reporting, reporting as per government funding contracts.

Disclosure of Client Information

In certain circumstances, Actevate may obtain and release personal information from:

  1. A client's agent (insurer)
  2. An individual's representatives (e.g. authorised representatives or legal advisers)
  3. An individual's employer
  4. An individual's health service provider/treating health professional

We may also disclose information with the consent of the person responsible where:

  • The client to whom the information relates is deceased or physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure; and
  • The disclosure is not contrary to any wish (of which the organisation is aware) expressed by the client before that person became unable to give or communicate consent
  • Information is needed urgently for medical treatment or when disclosure is essential to protect a person from imminent harm. Even in these circumstances, the client, guardian or "person responsible" would, if possible, be asked permission to release confidential information.

These disclosures and others to third parties may be for:

  • Referrals and feedback to other service providers, including health professionals and community services providers
  • Client service provision by external contractors, e.g. cleaners, lawn mowing services
  • Workers compensation authorities

Actevate obtains some services from external service providers. Some clients' information may be provided to them on a confidential basis if the client gives his or her consent.

APP 7: Direct Marketing

Actevate does not collect a client's personal information for the purposes of marketing nor provide direct marketing communications to clients.

For stakeholders utilising services other than workplace rehabilitation services (e.g., pre-employment services, OH&S Training), Actevate will seek consent to use or disclose personal information for the purposes of informing individuals about:

  • Actevate products and services that may be of interest and suit their requirements
  • Promotions or other opportunities in which they may be interested

We assume we have consent to use service providers to assist us with marketing (e.g. mailing services or advertising agencies) unless we are told otherwise.

Actevate does provide newsletters to other scheme stakeholders (i.e. scheme agents, employers) quarterly. These do not contain client personal information and stakeholders can elect not to receive these communications.

APP 8: Cross Border Disclosure of Personal Information

As per APP 6 above.

APP 9: Adoption, Use or Disclosure of Government Related Identifiers

Actevate does not adopt, use or disclose government related identifiers.

APP 10: Quality of Personal Information

Actevate will take reasonable steps to ensure that your personal information which is collected, used or disclosed is accurate, complete and up to date.

APP 11: Security of Personal Information

Actevate ensures that it provides security and protection of client personal information from misuse, interference and loss and unauthorised access, modification or disclosure.

Storage

All personal information held by Actevate is stored securely in either hard copy or electronic form.

Data Security

Actevate strives to ensure the security, integrity and privacy of personal information, and will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Actevate reviews and updates (where necessary) its security measures considering current technologies.

To protect personal information, Actevate's electronic safeguards include:

  • Electronic client information is password protected – each user has his/her own security profile to access the information technology (IT) infrastructure, including the Case Manager® software. Access rights can be limited to read only, modify or full access.
  • Client information is not sent through unprotected emails
  • Access to client information is limited to authorised staff
  • Actevate servers (including the Case Manager® application) are hosted by a third-party company, iTonCloud, which monitors, maintains and manages the IT infrastructure. All systems are backed up daily, with backup media sent off site once the backup has been verified as successful.

The organisation's procedural safeguards include:

  • All staff are trained in confidentiality and the Privacy Act
  • If an outside person enters the office, the staff member closes the computer screen if it shows personal client information
  • Meetings with visitors take place in the organisation's meeting rooms whenever possible
  • Meetings with clients will only be conducted in an area which allows sufficient privacy

Online Transfer of Information

While Actevate does all it can to protect the privacy of your personal information, no data transfer over the internet is 100% secure. When you share your personal information with Actevate via an online process, it is at your own risk.

There are ways you can help maintain the privacy of your personal information, including:

  • Always closing your browser when you have finished your user session
  • Always ensuring others cannot access your personal information and emails if you use a public computer
  • Never disclosing your username and password to third parties

Cookies

A 'cookie' is a small data file placed on your machine or device which lets Actevate identify and interact more effectively with your computer. Cookies are industry standard and are used by most websites. They allow Actevate to customise our website to the needs of our users. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. However, cookies may be necessary to provide you with some features of our online services via the Actevate website.

Links to Other Sites

Actevate may provide links to third party websites. These linked sites may not be under our control and Actevate is not responsible for the content or privacy practices employed by those websites. Before disclosing your personal information on any other website, we recommend that you carefully read the terms and conditions of use and privacy statement of the relevant website.

Notifiable Data Breach

The Privacy Act 1988 requires certain entities to notify individuals and the Commissioner about data breaches that are likely to cause serious harm.

In the event of a privacy data breach, Actevate commits to following all processes and obligations as recommended by the Office of the Australian Information Commissioner including:

  • Should Actevate experience a data breach, we will contain the breach where possible and take remedial action.
  • Where serious harm cannot be mitigated, Actevate will assess the breach for notification eligibility.
  • Actevate will notify individuals at risk of serious harm.
  • A statement will be provided to the Commissioner as soon as possible.

APP 12: Access to Personal Information

Clients have the right to access their own information held by Actevate. If a request to access personal information is made, Actevate will validate the identity of anyone making a request to access client information. This is to ensure that information is not passed to a person who is not authorised to receive it.

While Actevate aims to meet all requests for access to personal information, in a small number of cases and where permitted to do so by law, Actevate may not give access or may do so only under conditions.

Subject to applicable laws, Actevate may destroy records containing personal information when the record is no longer required by Actevate.

APP 13: Correction of Personal Information

If clients find that the personal information we hold on them is not correct, complete or up to date, the organisation will correct their records accordingly.

Length of Time Records Are Held

Client records are archived once the closure procedures have been completed. All information regarding clients will be destroyed seven years after the client ceases to receive services or, in the case of children, when the client reaches age 25, whichever is later.

5. Data Breach Response Plan

A data breach occurs when there is unauthorised access to or disclosure of personal information, or loss of personal information. A data breach may be caused by human error, systems failure or malicious action. The consequences of a data breach may be serious for the individuals whose personal information is involved, for example through identity theft or financial fraud.

Compliance with the thirteen Australian Privacy Principles (APPs) as listed in the Privacy Act 1988 (Cth) will reduce the risk of a data breach. Actevate has a data breach response plan to facilitate a fast response in order to limit the impact of the breach on affected individuals.

Containment

  1. Record the date and time of the breach.
  2. Record the date and time the response plan is activated.
  3. Alert your direct manager and the Actevate General Manager.
  4. Contain the breach (e.g. take affected machines offline).

Evaluation

  1. Gather information: date, time, location and duration of the breach.
  2. Establish how the breach was discovered and by whom.
  3. Identify the type of information compromised in the breach.
  4. Identify what personally identifiable information was exposed.
  5. List the names of potentially affected individuals/organisations.
  6. Carry out a risk assessment to evaluate the extent of the damage caused.

Notification

  1. Determine who needs to be notified and the timeframes.
  2. Notify affected individuals if there is a real risk of harm.

Prevention

  1. Review findings of investigations into the breach.
  2. Update Data Breach Response Plan as necessary.
  3. Update information security and data management policies.
  4. Revise staff training practices and knowledge of new policies.

6. Requests for Access to Records, Complaints and Record Updates

Individuals who wish to access their records, who believe that Actevate may have breached their privacy rights, or who wish to update personal information held by Actevate should contact:

The Director, Actevate

  • Phone: 1300 663 155 (Head office)
  • Mail: GPO Box 3408, Sydney NSW 2001
  • Email: admin@actevate.com.au
  • Web: https://www.actevate.com.au/page/contact-us

If we do not satisfactorily answer concerns, clients have the right to make a complaint to the Privacy Commissioner:

Office of the Privacy Commissioner

  • Mail: GPO Box 5218, Sydney NSW 1042
  • Phone: 1300 363 992

Cross Referencing & Further Reading: Consent Form | Code of Conduct for Workplace Rehabilitation Providers