1. PURPOSE

To ensure The Counselling Collaborative (and its related entities) meets its commitment to the protection of personal information, health information and sensitive information and its obligations under law (including the Privacy Act 1988 (Cth)), and, for the purposes of compliance, to create a clearly expressed, up-to-date policy compliant with the Australian Privacy Principles (APPs).

2. SCOPE

This policy applies to all personal, health or sensitive information collected or used by The Counselling Collaborative.

 

2.1 Definitions

Word/Term: Definition

Act: Means the Privacy Act 1988 (Cth).

APP: The Australian Privacy Principles as set out under Schedule 1 to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).

APP privacy policy: Means this policy relating to the management of personal information by The Counselling Collaborative, as required under APP 1.3.

authorised representative: Means an authorised representative as defined under the Health Records and Information Privacy Act 2002 (NSW), being:

a. a Guardian

b. Attorneys under an Enduring Power of Attorney

c. Agents under the Medical Treatment Act 1988

d. Administrators under the Guardianship and Administration Act 1986

e. Parents (in the case of a child without capacity) or a person with parental responsibility for the individual

f. A person otherwise empowered to act or make decisions in the best interest of the person

de-identified information: Means information which is anonymous or with identifying characteristics completely removed. De-identification requires removal of all information from which one could reasonably ascertain the identity of an individual. This not only includes obvious identifiers such as name, address and date of birth.

data breach: Means when personal information is accessed or released without authorisation, or is lost.

eligible data breach: Means, if

(a) both of the following conditions are satisfied:

(i) there is unauthorised access to, or unauthorised disclosure of, the information;

(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or

(b) the information is lost in circumstances where:

(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and

(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;

then:

(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and

(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.

The Counselling Collaborative ABN:

NDB scheme: Notifiable Data Breaches scheme

OAIC: Office of the Australian Information Commissioner

Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a. whether the information or opinion is true or not; and

b. whether the information or opinion is recorded in a material form or not.

This may include:

i. the individual’s name, address or telephone number;

ii. an identifying number, symbol or other particular assigned to the individual;

iii. the individual’s fingerprints, blood type or inheritable characteristics;

iv. information about the individual’s educational, financial, or employment status or history;

v. the opinions of a person about the individual; and

vi. the individual’s personal views or opinions.

Sensitive Information: Means:

a) information or an opinion about an individual’s:

i. racial or ethnic origin; or

ii. political opinions; or

iii. membership of a political association; or

iv. religious beliefs or affiliations; or

v. philosophical beliefs; or

vi. membership of a professional or trade association; or

vii. membership of a trade union; or

viii. sexual orientation or practices; or

ix. criminal record;

that is also personal information; or

b) health information about an individual.

serious harm: Is not defined under the Act, but the OAIC advises:

“Under the NDB scheme, agencies and organisations must promptly notify you if a data breach is likely to result in ‘serious harm’. This could be serious financial harm, or harm to your mental or physical well-being.

Examples of serious harm include:

A likely risk of physical harm, such as by an abusive ex-partner;

Identity theft, which can affect an individual’s finances and credit report;

Serious psychological harm;

 

 

3. LEGISLATIVE CONTEXT

3.1 Effective from 01/01/2017, The Counselling Collaborative has adopted all of the amendments to the Privacy Act 1988 (Cth) set out under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), including the recently introduced 13 Australian Privacy Principles, which apply to all APP entities including The Counselling Collaborative, and the NDB scheme, which commenced on 22 February 2018.

 

4. POLICY

4.1 The Counselling Collaborative regards the protection of privacy as central to the operation and general conduct of the organisation’s affairs. The Counselling Collaborative will ensure compliance with regulatory requirements in relation to the collection, recording, use, secure storage, amendment, release/disclosure and destruction of personal information.

4.2 The Counselling Collaborative recognises and promotes the rights of our employees, volunteers, clients and customers to have their personal information protected in accordance with legislative requirements.

4.3 The Counselling Collaborative, its employees, contractors and all persons notified that this policy applies to them are legally obliged to protect the personal information of clients and customers.

4.4 The Counselling Collaborative appoints a member (or members) of staff to act as the Privacy Officer(s) for the whole of the organisation. The Privacy Officer(s) can be contacted via email: admin@thecounsellingclinic.com

4.5 The key obligations set out in the Australian Privacy Principles (APPs) that impact on The Counselling Collaborative’s day-to-day operations are summarised below. This policy and the Privacy Statement represent high-level summaries of The Counselling Collaborative’s privacy obligations and further meet The Counselling Collaborative’s obligations under law.

Summary of Australian Privacy Principles and the Obligations of MSL.

Consideration of personal information privacy

APP 1

Open and transparent management of personal information

· The Counselling Collaborative is committed to the open and transparent management of personal information.

· This Policy and the Privacy Statement will be made available, free of charge, upon individual request. If a person or body requests a copy of this APP privacy policy, then The Counselling Collaborative will take such steps as are reasonable in the circumstances to give the person or body a copy in the format that they request.

· Under APP 1.4, there is an obligation that the APP privacy policy must contain the following information:

a. the kinds of personal information that The Counselling Collaborative collects and holds;

b. how The Counselling Collaborative collects and holds personal information;

c. the purposes for which The Counselling Collaborative collects, holds, uses and discloses personal information;

d. how an individual may access personal information about the individual that is held by The Counselling Collaborative and seek the correction of such information;

e. how an individual may complain about a breach of the APPs, or a registered APP code (if any) that binds The Counselling Collaborative, and how The Counselling Collaborative will deal with such a complaint;

f. whether The Counselling Collaborative is likely to disclose personal information to overseas recipients;

g. if The Counselling Collaborative is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located, if it is practicable to specify those countries in the policy.

· The Terms and Conditions documents form an express part of this APP privacy policy and provide information relating to The Counselling Collaborative’s obligations under APP 1.4 paragraphs (a) to (f).

· Where an individual is concerned about a potential or actual breach of the APPs, they have a right to lodge a complaint. All complaints will be received, managed and resolved in accordance with The Counselling Collaborative Complaints, Feedback & Compliments Policy.

o All complaints in relation to privacy are referred directly to the Privacy Officer(s).

· All enquiries in relation to The Counselling Collaborative’s management of personal information are referred directly to the Privacy Officer(s), via admin@thecounsellingclinic.com

· A data breach or possible breach is also considered an Incident and requires reporting via The Counselling Collaborative Incident, Near Miss and Hazard Reporting Form within 24 hours of occurrence, to support timely investigation, mitigation and external reporting requirements.

 

APP 2

Anonymity and pseudonymity

· Clients and Customers have the option to engage with The Counselling Collaborative anonymously or under a pseudonym.

· The Counselling Collaborative acknowledges that it may be impracticable to provide the full extent of its services to a person engaging anonymously.

Collection of personal information

APP 3:

Collection of solicited personal information

· The Counselling Collaborative will only collect personal information if:

o it is necessary for one or more of The Counselling Collaborative’s business activities or services

o it is collected by lawful and fair means

o consent to information collection is provided

· The Counselling Collaborative will only collect personal information from the individual concerned, or will seek the individual’s consent to collect information from another person on their behalf.

 

APP 4:

Dealing with unsolicited personal information

· Where The Counselling Collaborative receives unsolicited personal information, it will, within a reasonable time of receipt, determine whether or not it would have collected the information under APP 3 if The Counselling Collaborative had solicited the information.

· If The Counselling Collaborative determines that it would not have collected the unsolicited personal information, and the information is not contained in a Commonwealth record, it will as soon as practicable either de-identify or destroy the information, if lawful to do so, unless the information can be managed otherwise in accordance with APP 3.

· The Privacy Officer(s) provides advice and direction regarding the destruction or de-identification of unsolicited personal information.

 

APP 5:

Notification of the collection of personal information

· The Counselling Collaborative will ensure a Client/Customer is notified as soon as practicable about:

o the types of personal information that are being collected by The Counselling Collaborative

o the purpose for which information is being collected by The Counselling Collaborative

o which information is likely to be disclosed to other parties, and for what purpose, including any overseas recipients if relevant

o how Clients and Customers can access and/or seek to amend the personal information held by The Counselling Collaborative

o how to lodge a complaint about a potential/actual breach

o any other matters required under the notice obligations in APP 5

· Where The Counselling Collaborative has collected personal information from someone other than the individual, The Counselling Collaborative will take reasonable steps to notify the individual of the collection.

 

Dealing with personal information

APP 6:

Use and disclosure of personal information

· The Counselling Collaborative will only use and disclose personal information for the particular purpose (primary purpose) for which it was collected, or for a related purpose where the Client/Customer would reasonably expect the use or disclosure of personal information.

· The Counselling Collaborative will not use or disclose personal information for another purpose (secondary purpose) unless consent is provided by the individual.

· The Counselling Collaborative may use or disclose personal information without the individual’s consent in exceptional circumstances, as set out under APP 6, including where:

o the individual would reasonably expect use/disclosure of the information for the secondary purpose and the secondary purpose is:

i) if the information is sensitive information – directly related to the primary purpose; or

ii) if the information is not sensitive information – related to the primary purpose (APP 6.2(a))

o use/disclosure is required by Australian law or a court/tribunal order (APP 6.2(b))

o use/disclosure is necessary to prevent a threat to a person’s health or safety (APP 6.2(c))

o use/disclosure is reasonably necessary in relation to a legal claim (APP 6.2(c))

o use/disclosure is required during dealings with law enforcement agencies or government bodies

· The Privacy Officer(s) provides advice and direction regarding the use/disclosure of personal information without consent.

· The Privacy Statement sets out how personal information is used and disclosed.

 

APP 7:

Direct marketing

· The Counselling Collaborative will not use personal information that it holds for the purpose of direct marketing in accordance with APP 7.1

· Despite APP 7.1, The Counselling Collaborative may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

(a)  The Counselling Collaborative collected the information from the individual; and

(b)  the individual would reasonably expect the organisation to use or disclose the information for that purpose; and

(c)  The Counselling Collaborative provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and

(d)  the individual has not made such a request to The Counselling Collaborative

· Despite subclause APP 7.1, The Counselling Collaborative may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:

a. The Counselling Collaborative collected the information from:

i.  the individual and the individual would not reasonably expect The Counselling Collaborative to use or disclose the information for that purpose; or

ii. someone other than the individual; and

b. either:

i. the individual has consented to the use or disclosure of the information for that purpose; or

ii. it is impracticable to obtain that consent; and

c.  The Counselling Collaborative provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and

d. in each direct marketing communication with the individual:

i.  The Counselling Collaborative includes a prominent statement that the individual may make such a request or

ii. The Counselling Collaborative otherwise draws the individual’s attention to the fact that the individual may make such a request; and

e. the individual has not made such a request to The Counselling Collaborative

· Despite APP 7.1 The Counselling Collaborative may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

 

APP 8:

Cross-border disclosures

· The Counselling Collaborative is unlikely to disclose information to overseas recipients during the course of day-to-day operations

· The Counselling Collaborative will take reasonable steps to ensure that any potential overseas recipient of personal information is aware of the APPs and does not breach the requirements of the APPs

· All requests for personal information to be disclosed to an overseas recipient should be referred to The Counselling Collaborative Privacy Officer(s) for advice and management

APP 9:

Adoption, use or disclosure of government related identifiers

· The Counselling Collaborative will not adopt, use or disclose a government related identifier (number, letter, symbol) of an individual unless the use or disclosure of the identifier is reasonably necessary in order for The Counselling Collaborative to provide a service, or is required by a court/tribunal, or is otherwise required under APP 9.2

Integrity of personal information
APP 10:

Quality of personal information

· The Counselling Collaborative will take reasonable steps to ensure the personal information it collects, is accurate, up to date and complete

· The Counselling Collaborative will take reasonable steps to ensure that the personal information that it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant

 

APP 11:

Security of personal information

· The Counselling Collaborative will take all reasonable steps to ensure that the personal information it holds is protected from misuse, loss, interference and unauthorised access, modification or disclosure. This includes but is not limited to:

o Use of Data Loss Prevention services to protect against files with personal information being accidentally shared.

o Engagement of an external IT Security organisation to perform independent security and penetration testing on our corporate network and websites.

· The Counselling Collaborative will destroy or permanently de-identify personal information when it is no longer required for use or disclosure, and where The Counselling Collaborative is not required to retain the information in accordance with Australian law

· The Counselling Collaborative will ensure compliance with archiving requirements as stipulated in various State and Territory based Health Record Management legislation

 

Access to, and correction of, personal information

APP 12:

Access to personal information

· The Counselling Collaborative will allow individuals access to their personal information, at that individual’s request, unless The Counselling Collaborative deems that a valid exception to access applies (as per APP 12.3). These exceptions include:

o giving access poses a serious threat to the life, health or safety of any person

o the information relates to existing or anticipated legal proceedings between MSL and the individual, and would not be accessible by the process of discovery in those proceedings

o giving access is unlawful, or denying access is required by Australian law or a court/tribunal order

o giving access would have an unreasonable impact on the privacy of other individuals

· All requests for access to personal information must be referred to the Privacy Officer. A request is required in writing and must be accompanied by a signed Consent to Share Confidential Information form.

· All requests will be responded to in a reasonable time and, where possible, access will be given in the manner requested by the individual

· The Counselling Collaborative may charge the individual for giving access to the information (e.g. printing costs); however, this charge will not be excessive, nor will it apply to the making of the request

· Where requests for access are refused, The Counselling Collaborative will provide written notification of the reasons for refusal and refer the applicant to the Complaints, Feedback & Compliments Policy.

 

APP 13:

Correction of personal information

· The Counselling Collaborative will take reasonable steps to correct personal information where an individual requests The Counselling Collaborative to correct the information, or where The Counselling Collaborative identifies that the information held is inaccurate, out of date, incomplete, irrelevant or misleading

· The Counselling Collaborative will accept requests from individuals to correct that individual’s personal information in accordance with its obligations under APP 13.

o All requests for correction of personal information must be referred to the Privacy Officer

· No charges will be incurred by the individual for the correction of personal information

· Where requests for correction of personal information are refused, The Counselling Collaborative will provide written notification of the reasons for refusal and refer the applicant to the Complaints, Feedback & Compliments Policy.

The Counselling Collaborative’s

PRIVACY PROCEDURE

PROCEDURE (the responsibility for each item is noted at the end of the item)

1. Key Responsibilities

1.1 All Employees, Agents, Contractors, Consultants and Volunteers

 

As privacy is a key priority in the management of The Counselling Collaborative’s operations and service delivery, you:

a) Must comply with this Policy, and any relevant supporting Policy and Procedure documents, at all times

b) Must attend and complete Privacy training or education opportunities as identified and agreed to by your Manager, including the annual Incident and Privacy Management Webinar

c) Have an obligation to raise with your Manager any lack of understanding or confusion in relation to privacy issues affecting The Counselling Collaborative

d) Must not engage in behaviour, either directly or indirectly, or fail to report behaviour by others, that may breach this Policy

e) Must promptly raise any issues or suspected breaches of this Policy with your Manager or The Counselling Collaborative Privacy Officer(s).

Responsibility: All Team Members

1.2 All Managers

All Managers must be fully aware of this policy and all relevant supporting Procedures and demonstrate a strong commitment to privacy compliance by:

a) Identifying any privacy compliance risks and implementing appropriate controls to manage those risks

b) Ensuring all staff are fully informed of the Privacy Policy and Privacy Statement

c) Undertaking more in-depth privacy training and education (where required)

d) Dealing with privacy issues or breaches as or when they arise and notifying the Privacy Officer of any breaches or suspected breaches.

Responsibility: Managers

2. Breach of the Privacy Policy and Incident Reporting

2.1 Any identified breach, possible breach or ‘near miss’ of the Privacy Policy must be notified to the Privacy Officer(s) and the relevant General Manager.

 

· Under service agreement clause 17.3(i), funded organisations must immediately notify the department when becoming aware of a breach or possible breach of the organisation’s obligations, via the Notifiable Data Breaches scheme (NDBS) managed by the OAIC.

· Where there is an eligible data breach, there is an obligation on The Counselling Collaborative to notify all individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. This must be done as soon as practicable.

· In addition, and as a separate obligation, The Counselling Collaborative must notify the OAIC of any eligible data breaches by using the form located at https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

This must be done as soon as practicable and in any event within 30 days of the data breach.

· If it is not possible to notify the individual(s) concerned of an eligible data breach, then The Counselling Collaborative must:

o publish a copy of the statement on its website; and

o take reasonable steps to publicise the contents of its statement.

(The OAIC would expect such a statement to be accessible for at least 6 months.)

· The content of any statement by way of a notification to individuals must contain the following information:

o the identity and contact details of the entity

o a description of the eligible data breach that the entity has reasonable grounds to believe has happened

o the kind, or kinds, of information concerned

o recommendations about the steps that individuals should take in response to the eligible data breach

DHHS has defined the following for funded agencies:

• Breach or Possible Breach – an action or omission that results in loss, theft, misuse or unauthorised disclosure of personal information, or has the potential to do so.

• Near Miss – situations where a breach would have occurred without intervention. This includes situations where a privacy incident has occurred without any actual disclosure of personal information.

• Where a complaint has been made that a privacy breach has occurred, which then needs to be investigated (or an allegation of a privacy breach).

An Incident, Near Miss and Feedback Reporting Form must be completed as per the Incident, Near Miss and Hazard Management System Policy and submitted to incidents@thecounsellingclinic.com, followed by the Investigation of the Incident, Near Miss or Hazard Report Form, to enable prompt investigation and mitigation by the Senior Manager in conjunction with the Operations Team and to meet external reporting requirements.

Additional external reporting requirements for privacy breaches apply according to state and federal requirements, including the DHHS Privacy Incident Report Form: https://dhhs.vic.gov.au/user-guide-funded-agency-staff-members-privacy-incident-report-form

Responsibility: All staff in conjunction with Operations Team

2.2 Failure to comply with this Policy may result in disciplinary action. In addition, you may be exposed to personal liability if you are grossly negligent or engage in wilful misconduct.

Responsibility: All staff
3. Other Mandatory Reporting

3.1 The Counselling Collaborative teams are required to:

· Report de-identified information to Government agencies in order to secure continued funding; and

· Report identifiable information in accordance with organisational procedures regarding Vulnerable People.

Responsibility: All Team Members

 

5. SUPPORTING DOCUMENTATION

Policies or Forms (reviewed at the same time as this policy is reviewed), with location:

Complaints Form (Customers): Intranet
Privacy Statement: Intranet
Consent to Release Confidential Information: Intranet
Terms and Conditions documents (fundraising and services activities): Intranet
Welcome Pack: Intranet
Complaint, Feedback and Compliment Policy: Intranet
Incident, Near Miss and Hazard Policy: Intranet
Incident, Near Miss and Hazard Reporting Form: Intranet
Investigation of the Incident, Near Miss and Hazard Report Form: Intranet
Risk Management Policy: Intranet
Managing Customer Data Policy: Intranet
Records Management Policy: Intranet

 

6. KNOWLEDGE MANAGEMENT

Staff Group: All new staff (including Volunteers)
Level of knowledge required: Staff induction and orientation programs include training about Privacy requirements and Incident reporting. The Privacy Policy and the Code of Conduct Policy are acknowledged by the new staff member and filed in the Employee file as per the Policy Acknowledgement Form.
Training source: Induction slides are updated by the Operations Manager and Team.

Staff Group: All staff
Level of knowledge required: Completion of the Incident and Privacy Management Webinar annually.
Training source: Induction slides are updated by the Operations Manager and Team.

 

7. COMPLIANCE MEASUREMENT

Measure: Breaches of the APPs from each business unit. Target: 0. Frequency: Annual. Tool: Incident register trend analysis report. Responsibility: Executive.

Measure: All new staff (including Volunteers) will be orientated to Privacy requirements. Target: 100%. Frequency: On-going. Tool: New staff report cross-referenced with the Policy Acknowledgement Form. Responsibility: Operations.

Measure: Completion of Incident and Privacy Management training. Target: 100%. Frequency: Annually. Tool: HR staff report cross-referenced with completion. Responsibility: Operations.