Privacy, Dignity & Confidentiality Policy

Policy Statement

Dignity of people receiving services from Brain Injury SA is maintained through the respect contained in all communication, information collection and storage undertaken by BISA and in placement of the individual in the driving seat of all decision making regarding their service provision. In support of maintaining and protecting the dignity of all its participants, BISA has identified the following values to which all staff and volunteers commit in their service provision:

• Empathy – we work humbly alongside our participants with appreciation of their viewpoint and their ownership of their lives
• Respect – we listen to understand, give value to the choices of participants and create dignity in the provision and receipt of assistance
• Empowerment – we engage our participants in addressing the needs they define, encouraging, supporting and growing their confidence to drive the changes they seek
• Transparency/Accountability – we are committed to creating trust in our service provision through honesty, transparency and inclusion in decision making and integrity in our practices
• Drive – we strive to work efficiently with clarity on objectives, and positive impact for our participants
• Collaboration – we recognise that working together and with others achieves more than working alone

Brain Injury SA collects and administers a range of personal information for the purposes of service provision. Brain Injury SA has legal and ethical responsibilities in relation to obtaining, recording, storing, releasing and disposing of private information of the people who access the service. Brain Injury SA is committed to protecting the privacy of personal information it collects, holds and administers in line with legislative requirements and out of respect for the individual involved.

Implementation

---

Applicable regulation

Directive: BISA is required under the Privacy Act of 1988 to manage personal information regarding individuals according to the Australian Privacy Principles. It is recognised that much of the information held by BISA regarding individuals would be regarded as sensitive under the Australian Privacy Principles and therefore requiring a higher standard of control in its management.

---

Privacy principles

Directive: The privacy principles address issues of information:

Collection

• use and disclosure
• quality and security
• openness
• access and correction
• identifiers
• anonymity
• cross border(beyond Australia) data flow
• sensitive information.

Guidance in applying the Australian Privacy Principles to information management is given to staff through this policy and the Privacy and Confidentiality Procedure. Organisational compliance with the legislative requirements is undertaken through staff training and internal auditing processes.

---

Information Collected

Directive: BISA may request a range of information from service participants to ensure we offer the best possible service. The types of personal information collected and it depends on the requirements of each program. Personal information is any information that can be used to identify a person, and will generally include:

• name and date of birth
• contact details, including name, address, telephone number and email address
• financial information, if the person is paying for a product or service
• employment information
• health information, including, physical or mental health, disabilities or health services received

We do not collect or disclose any sensitive information, such as information about political opinions or membership, religious or philosophical beliefs, trade association or union membership, sexual orientation or practices or criminal record, unless:

• the individual has consented (e.g.: DCSI clearance), or details are required to provide effective service to customers, or
• it is necessary to prevent a serious and imminent threat to the life or health of a person, or
• it is required or permitted by law (e.g.: mandatory notification of a child at risk, court subpoena)

---

Information Collection

Directive: Personal information is collected directly from the participant, where reasonable and practicable to do so. In addition to collecting personal information directly, we may also obtain personal information from family members, guardians and carers, or other third parties such as medical specialists, hospitals and rehabilitation services only with the written or express consent of the participant. This information will only be collected in order to ensure we provide the safest and most effective service to the participant.

We will take all reasonable steps to ensure that personal information which we collect, use or disclose is accurate, complete, relevant and up to date.

---

Information Storage and security

Directive: Information is stored in hard copy files which are kept in locked filing cabinets. Increasingly, information is stored electronically in a secure network drive which is password protected. No one outside of Brain Injury SA has access to this information. Any staff who have access to Brain Injury SA’s files have relevant and prescribed security clearances and sign confidentiality agreements with the organisation. All staff are trained on privacy and confidentiality and are aware of their obligations.

---

Information Usage

Directive: Information is sought for the following reasons:

• To provide a quality service
• To understand the individual needs of each participant
• To promote safety of the individual and staff
• As required by funding agreements
• To keep legal records of the services provided to participants

---

Information Disclosure

Directive: BISA is required to release non – identifying information about clients (without identifying them by full name or address), to governments and other funding bodies to enable statistics about disability services and their clients to be compiled and in line with any government contractual obligations.

Other contracts such as individual service agreements under NDIS will require that personal information is shared in order for the participant’s funding to be utilised.

The collection and use of personal information will be explained to participants when they commence a service with Brain Injury SA.

---

Information Access for Participants

Directive: Participants have the right to view the information kept on their personal record and may request this by contacting the Chief Executive Officer. The individual’s identity will need to be verified before an access request can proceed. Access is generally allowed except in limited circumstances where we are required or permitted by law to refuse access (including where a treating medical practitioner agrees that access would prejudice the individual’s physical or mental health or put another person at harm). Requested and available information will be provided within four weeks of the request.

A reasonable fee may be charged for providing access to cover photocopying and administrative expenses. Access may be provided by hard copy or by providing individuals with the opportunity to view their electronic file.

---

Notifiable data breaches

Directive: BISA as an organisation holds obligations under the Notifiable Data Breaches (NDB) scheme in Australia. The scheme mandates that BISA notify all individuals whose personal information is involved in a data breach, if the breach is likely to result in serious harm to them. This is defined as an “eligible” data breach. A data breach has occurred when there is unauthorised access, disclosure, or loss of personal information.

Under the NDB scheme, notification must include recommendations about the steps individuals should take in response to the breach and requires the Australian Information Commissioner (Commissioner) be notified of eligible data breaches.

BISA responds to an eligible data breach through the Mandatory Data Breach Notification procedure (PR IT2.2) and its supporting policy (IT2 Mandatory Data Breach Management), outlining action to be taken.

---

Privacy complaints

Directive: Complaints regarding the handling of personal information are dealt with under Brain Injury SA’s Complaints Policy and Procedure which outlines the process for addressing complaints within the organisation. It also includes the opportunity for referrals to external complaints bodies as an additional avenue if the complaint cannot be resolved internally.

Unresolved matters regarding privacy issues will be referred to the Privacy Commissioner (Commonwealth Government Office of the Privacy Commissioner) via telephone on 1300 363 992 or via the website www.privacy.gov.au.

---

Information Sharing Guidelines for Promoting safety and wellbeing (ISG)

Directive: Information Sharing Guidelines outline the process for sharing information without consent in limited circumstances where doing so will:

• divert a person from offending or harming themselves
• protect a person or groups of people from potential harm, abuse or neglect
• protect service providers in situations of danger
• help service providers more effectively address risks to safety and wellbeing
• alert other service providers to an individual’s need for assistance

The state government has authorised the ISG, directing that the guidelines be implemented throughout the public sector and by relevant non-government organisations. By sharing information and collaborating in the planning and delivery of services, efforts to keep vulnerable people safe from harm can happen earlier and more effectively.

---

Reference

Legislation:

• Privacy Act 1988
• Information Privacy Act 2009
• Volunteers Protection Act (2001)

Guidelines:

• Information Sharing Guidelines for promoting safety and wellbeing – Department of the Premier and Cabinet 2013

Policy:

• POL IT2 Mandatory Data Breach Management

Procedures:

• PR CS2.1 Maintaining Privacy, Dignity and Confidentiality Procedure
• PR IT2.2 Mandatory Data Breach Notification Procedure

Forms:

• FOR CS2.1.1 Consent
• FOR CS2.1.2 Authorisation to Obtain or Exchange Information

Resource Sheets:

• Nil Currently