As a health and wellbeing service provider, Tree of Life Wellbeing Centre is required to collect a wide range of personal and sensitive information, including: demographic information (e.g. name, address, date of birth), general health information, mental health information, sexual information, information about family members and/or associates, information about personal and social circumstances, financial information, legal information, education information, employment information and a wide range of information necessary for the purposes of providing that service. The handling of personal and sensitive information, which includes health information, is set out in the Australian Privacy Principles (APPs). This policy aims to ensure that information collected by the Tree of Life Wellbeing Centre adheres to those principles.
This Privacy and Confidentiality Policy applies to all staff and volunteers representing the Tree of Life Wellbeing Centre.
3.1. Collection of information
Only collect information necessary for and relevant to the client’s treatment.
Use fair and lawful ways, that are not unreasonably intrusive, to collect health information.
Collect health information directly from an individual if it is reasonable and practicable to do so.
Take reasonable steps to make an individual aware of why the information is being collected, who it may be disclosed to, how it can be accessed, etc.
Only collect health information with the express or implied consent of the individual concerned, unless collection is required by law or it is necessary to prevent a serious threat to the life or health of any person.
3.2. Use and disclosure of information
The Centre may use or disclose client information where use or disclosure is:
- for the primary purpose for which it was collected (e.g. provision of therapeutic care and treatment; health fund claims; NDIS)
- for a directly-related secondary purpose that would have been within the reasonable expectations of the client at the time (e.g. quality improvement activities)
- with the consent of the individual
- required or authorised by law
- necessary to prevent serious and imminent threat to an individual or to public health.
A ‘Release of Information’ form must be completed and signed by the client, unless there are legal limits to confidentiality that negate this requirement.
3.3. Limits to confidentiality
There are legal limits to confidentiality that must be adhered to when:
- there is a circumstance of immediate or grave danger to an individual (client, staff or other service user), such as when there is a reasonable belief that the individual is suicidal or homicidal
- there is reasonable suspicion of serious criminal activity
- there is recent or ongoing child abuse
- there is recent or ongoing abuse of a dependent adult
- there is reasonable suspicion of disease or conditions subject to mandatory reporting of public health issues.
3.4. Access to and correction of information
Clients have the right to access health information held about them, unless:
- It would pose a serious threat to the life or health of any individual.
- It would have an unreasonable impact on the privacy of others.
- The request for access is frivolous or vexatious.
- Denying access is required or authorised by law.
Access requests or related queries should be directed to the Privacy Officer (the business owner).
Access requests must be processed within 30 days and reasonable fees may be charged.
If a person requests a correction to their health information, the Centre must either make the correction, where appropriate, or add a note to the records with details of the request. Requests for correction must be directed to the Privacy Officer (the business owner).
3.5. Storage and maintenance of information
All staff must take reasonable steps to:
- Ensure that the health information collected, used or disclosed is relevant, accurate, complete and up-to-date.
- Protect the health information held at the Centre from misuse and loss, and from unauthorised access, modification or disclosure. This includes restricting physical access to offices, lockable filing cabinets, use of password protection, firewalls and secure databases for electronic data.
- Destroy or permanently de-identify health information when it is no longer needed or required to be kept.
3.6. Destruction of information
Adult client records must be securely maintained for a period of seven (7) years. In the case of minors, their records must be kept for a period of seven (7) years after turning eighteen (18), i.e. until they turn twenty-five (25). At the conclusion of this period:
- electronic records will be permanently deleted from all computer systems and external storage
- physical documents will be double-shredded.
3.7. Other issues
Identifiers – Tree of Life Wellbeing Centre must not adopt Commonwealth identifiers, such as Medicare or DVA numbers, for its own identification systems.
Transfer outside of Australia – Tree of Life Wellbeing Centre will only transfer a person’s health information overseas when:
- The individual has given consent.
- The transfer is necessary for the fulfilment of a contract between the individual and the Tree of Life Wellbeing Centre.
- It is believed that the information will be protected by a privacy scheme or legal provisions comparable to those that exist in this country.
4. Roles and Responsibilities
4.1. Privacy in relation to the business website
The business owner is responsible for ensuring that the website contains a Privacy Statement detailing the conditions of any collection of personal information from the public through their visit to the website.
4.2. Enquiries and complaints
Any enquiries or complaints from staff or clients regarding access to information or privacy of information must be referred to the Privacy Officer (the business owner).
5. Referenced Documents
Privacy Act (1988)
6. Policy version control
Version 1: July 2020 by Kathy Walker (next review date August 2022)