Privacy and Confidentiality Policy

Privacy and Confidentiality Policy - Data

Myassista believes in being everyone’s family support and treating everyone as individuals, ensuring their unique needs and services are only shared with staff and the individuals concerned in providing the relevant care and services.

Myassista will respect and protect our clients’ right to privacy when collecting, storing and using information about each individual and their needs, by paying attention to the particular information collected, who it is shared with and how it is stored for use and reference.

Myassista is subject to a range of legislative measures including but not limited to the Disability Services Act 2006 and will follow the guidelines of the Australian Privacy Principles in our information management practices. Specifically, we will:

  • Meet our legal and ethical obligations as a service provider and employer in the protection of their privacy
  • Provide clients with information which allows them to understand their rights regarding privacy
  • Provide staff and management with the relevant training concerning the collection, use and storage of clients’ personal information
  • Dispose of client information safely and in accordance with government requirements
  • Protect staff and clients’ information against loss, unauthorized access, use or sharing.

In adherence to the Australian Privacy Principles, Myassista will follow the procedures below.

APP1 Open and transparent management of personal information

Myassista will collect a range of information to enable us to provide services which meet the client’s needs via a range of collection methods such as electronically, copies of documents and submission of personal details on forms. This information may include, but is not limited to:

  • Contact details
  • Date of birth
  • Government issued numbers
  • Contact numbers for family members, medical representatives
  • Medical conditions

Client records containing personal information will only be used by staff directly involved in the service provision to that client. Information about the client will only be made available to other parties with the consent of the client and/or their representative or in the event of an emergency or required or authorized by law.

Clients may access their personal information at any time by requesting it via written correspondence, allowing 2 days’ notice. A client can update their personal information at any time to ensure correct information is held for accuracy of communication and provision of services.

If a client believes Myassista has breached their rights with the management of personal information, they can advise the management, who will review the complaint as a matter of urgency. Immediate actions and investigation will commence to determine the root cause and develop procedures to minimize the likelihood of it happening again.

APP2 Anonymity and pseudonymity

Should a client wish to remain anonymous, this will be possible in the provision of complaints and feedback for the betterment of procedures. However, to provide services to clients who are seeking funding from government agencies, anonymity will not be possible unless directed by the related government agency.

Pseudonymity will be possible only when directed by the client if they are a fee for service client and not seeking funding from government agencies.

APP3 Collection of solicited personal information

Myassista will collect a range of information to enable us to provide services which meet the client’s needs once the client has agreed to provide this sensitive information by signing the service agreement. This may include, but is not limited to:

  • Contact details
  • Date of birth
  • Government issued numbers
  • Contact numbers for family members, medical representatives
  • Medical conditions

Client records containing personal information will only be used by staff directly involved in the service provision to that client. Information about the client will only be made available to other parties with the consent of the client and/or their representative or in the event of an emergency, or required or authorized by law.

APP4 Dealing with unsolicited personal information

If Myassista receives information regarding the client which has not been solicited directly from the client with their permission, this information will not be used until/unless the client has notified us that it is suitable and applicable in the provision of services to meet their needs.

If the client advises this is not required, the unsolicited information will be destroyed.

APP5 Notification of the collection of personal information

Documents requesting the personal information of clients will advise them of the purpose for seeking this information and how the information will be stored, used and disposed of, to ensure their rights are met as per the Australian Privacy Principles. This may include Service agreements, invoices and Service Plans provided by government agencies.

APP6 Use or disclosure of personal information

Myassista will not use client information for any purpose other than the provision of services (primary purpose) as agreed between us and the client. We will not disclose information about the client to other parties without consent of the client and/or their representative or in the event of an emergency or required or authorized by law.

Myassista is required to disclose relevant personal information to a government agency for those clients receiving funding to assist in the payment for the services provided. This information is stated in the disclosure of information on the service agreement provided to all participants.

APP7 Direct marketing

Myassista will not use client information for any purpose other than the provision of services (primary purpose) as agreed between us and the client. We will not disclose information about the client to other parties without consent of the client and/or their representative or in the event of an emergency or required or authorized by law.

Myassista will contact current and previous clients regarding further services using the details provided in the initial sourcing of information. Should a client advise or request to not be contacted using this information, Myassista will cease to use these details and stop contacting them within 24 hours of notification.

APP8 Cross border disclosure of personal information

Myassista will not use client information for any purpose other than the provision of services (primary purpose) as agreed between us and the client. We will not disclose information about the client to other parties without consent of the client and/or their representative or in the event of an emergency or required or authorized by law.

APP9 Adoption, use or disclosure of government related identifiers

Myassista works with a range of clients, both fee for service and those who have a government identifier. Those clients who seek government financial assistance will be asked to provide their identifier for the primary purpose of providing services in alignment with the client’s plans and overall funding scheme. The government identifier will only be used as per the requirements for seeking payment as required and agreed to from the service agreement.

The identifier will be used to access information provided to the government explaining the client’s personal health and particulars in relation to the services to be provided by Myassista with permission provided by the signed service agreement.

APP 10 to 13
Quality of personal information
Security of personal information
Access to personal information
Correction of personal information

Myassista will ask all clients to provide information which is as accurate as possible to allow for the effective management of services. Client information will be stored in individual folders and on the intranet which is only accessible by the staff who are required to understand the specifics to serve the client as best as possible.

Clients may access their personal information at any time by requesting it via written correspondence, allowing 2 days’ notice. A client can update their personal information at any time to ensure correct information is held for accuracy of communication and provision of services.

If a client requests access to their personal information and there is cause not to grant access based on any of the following points, the outcome and the reasons behind the decision will be communicated in writing.

  1. Myassista reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
  2. giving access would have an unreasonable impact on the privacy of other individuals; or
  3. the request for access is frivolous or vexatious; or
  4. the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
  5. giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
  6. giving access would be unlawful; or
  7. denying access is required or authorised by or under an Australian law or a court/tribunal order; or
  8. both of the following apply:
    1. the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;
    2. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  9. giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  10. giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process

Once a client has a completed service agreement and no longer wishes to receive services from Myassista, the client’s information will be retained in a secure location for 7 years and then destroyed.

Accidental or unauthorized disclosure of personal information

Should Myassista identify an accidental or unauthorized disclosure of personal information, this will be addressed quickly and taken seriously. Each breach will be dealt with on a case by case basis, with an understanding of the risks posed by the breach and the actions that would be most effective in reducing or removing risks.

Generally, the following steps will be taken:

Step 1: Contain

Once a data breach has been discovered or is suspected, immediate action will be taken to limit the breach. For example, stopping the unauthorised practice, recovering the records, stopping/shutting down the system breached, revoking or changing computer access, or addressing weaknesses in the physical or electronic security.

The following questions may be asked:

  • How did the data breach occur?
  • Is the personal information still being shared, disclosed, or lost without authorisation?
  • Who has access to the personal information?
  • What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?

If Myassista believes we have an eligible data breach under the Notifiable Data Breach Scheme, we will commence assessment obligations. We may also believe the data breach is an eligible data breach, requiring Myassista to notify individuals as soon as practicable.

Step 2: Assess

Myassista will act quickly to complete an assessment of the data breach to understand potential risks as a result of the breach. This assessment will be conducted within 30 days from notification of suspected breach.

Myassista will gather and evaluate as much information about the data breach as possible. This will provide a complete picture of the data breach, to understand the potential harm to affected individuals, and identify and take all appropriate steps to limit the impact of a data breach.

Myassista will consider:

  • the type or types of personal information involved in the data breach
  • the circumstances of the data breach, including its cause and extent
  • the nature of the harm to affected individuals, and if this harm can be removed through remedial action

Step 3: Notify

Myassista Senior Management will determine if and when notification of the data breach is required. This will be considered on a case by case basis to avoid unnecessary anxiety to stakeholders.

Myassista will consider:

  • our obligations under the Notifiable Data Breach Scheme. Myassista is required to notify individuals and the Commissioner about data breaches that are likely to result in serious harm to clients.
  • who else, other than affected individuals and the Commissioner, should be notified. For example, the Police, the Department of Communities, Disability Services and Seniors etc.
  • how notification should occur, including:
    • what information is provided in the notification (such as changing passwords, or being alert to possible scams)
    • how the notification will be provided to individuals
    • who is responsible for notifying individuals and creating the notification, ensuring appropriate levels of sensitivity and compassion to minimize potential harm or increased anxiety.

Myassista will aim to minimise or remove harm to affected individuals, while protecting the interests of the business.

Step 4: Review

Once steps 1 to 3 have been completed, Myassista will review and learn from the data breach incident to improve our personal information handling practices.

Our steps may include:

  • a security review including a root cause analysis of the data breach
  • a prevention plan to prevent similar incidents in future
  • audits to ensure the prevention plan is implemented
  • a review of policies and procedures and changes to reflect the lessons learned from the review
  • changes to employee selection and training practices
  • a review of service delivery partners that were involved in the breach

Staff will be trained in any changes to relevant policies and procedures to ensure a quick response to a data breach.

Privacy and Confidentiality Policy – Personal Impact

Myassista contributes to the community services sector and as such supports a range of people who may be vulnerable, disabled and may not be able to speak up or out as easily as others. For this reason we have high expectations of behaviour for staff completing their role.

Professional boundaries when working with a client

It is an expectation all staff will treat each client with respect, honesty and as a human being. All interactions will be completed with fairness, dignity and without any intention of harm. Staff will treat everyone regardless of their abilities with care.

Staff will not

  • compromise the privacy of an individual, by disclosing any information relating to services provided, personal limitations or behaviours to another individual without prior
  • intentionally treat the individual with disrespect – use derogative language or name calling
  • use their relationship to enforce a position of power on an individual
  • display any inappropriate behaviour to an This may include, but is not limited to:
    • asking the person on a date
    • displaying your genitals to the person
    • coercing, by pressuring or tricking, a person to engage in sexual behaviours or acts
    • making sexual or erotic comments to the person – in person or by text message, email or social media message (as well as written comments, this includes images and audio)
    • making sexually suggestive comments or jokes
    • intentionally staring at a person in a way that makes them feel uncomfortable
    • making comments about a person’s sexuality or appearance
    • making requests of a sexual nature, including to remove clothing, for sexually explicit photographs, videos or for sexual activities

What may be an appropriate conversation around a participant’s sexual support or family planning needs?

People with disability have a right to sexual expression as well as to develop and maintain sexual relationships. As part of this, they need access to information and support to assist them to make informed and positive choices about sex, sexuality, relationships and reproductive health and wellbeing, as well as exercise their rights in regard to privacy.

To avoid any potential misunderstanding regarding questions being asked, it is recommended to speak with the supervisor for guidance on how best to handle this situation. One option for answering these questions is to use fact sheets from family planning centres and education facilities, which may assist in providing information in a suitable format.

Difference between inappropriate touching and appropriate touching

A client may need a support worker to touch them to complete personal hygiene tasks. When doing so, it is expected that permission is sought, and that an explanation of what needs to be completed and how this will occur is given, prior to any touching. Without consent and/or permission this should not happen. This can be described as appropriate touching.

Inappropriate touching may include:

  1. touching any part of a person’s body in a sexual way
  2. touching a person in a way they do not wish to be touched
  3. touching any part of a person’s body in a manner which may be suggestive

What if I think there is an inappropriate relationship?

If staff or clients believe they have witnessed such a situation, or an individual confides in them regarding a suspected inappropriate relationship, this should be reported to the Manager as soon as possible.

There are some professions where prohibitions on close personal, physical or emotional relationships are also contained in the professional standards or code of conduct applying to the relevant profession. Staff found not to have complied with a professional code or standard regarding sexual misconduct while providing NDIS supports and services may be regarded as breaching the NDIS Code of Conduct.

This may impact on continued employment with Myassista and as a registered professional.

Myassista expects all staff to follow the procedures for Incident Management and Reportable incidents. There will be no victimisation of any staff or client in these situations, as the safety of all is the desired outcome.
