
We care about your privacy
Privacy Policy
- We will never rent, trade, or sell your email address to anyone.
- We will never publicly display your email address or other personal details that identify you.
Iris Aged Care Pty Ltd (ABN 66 108 918 396) ("we", "us" or "Iris Aged Care") is committed to privacy protection.
At www.irisagedcare.com.au, we understand the importance of keeping personal information private and secure. We will treat all personal information in accordance with the Privacy Act 1988 (Cth) and any other applicable laws.
This privacy policy ("Privacy Policy") describes how we manage your personal information and safeguard your privacy.
If you would like more information, please don't hesitate to contact us at info@irisagedcare.com.au or 1800 983 363.
Purpose
Iris Aged Care is subject to various Local, State and Commonwealth legislative requirements in relation to how it collects, stores, provides access to, uses and discloses personal information.
This policy outlines Iris Aged Care’s obligations and expectations regarding the management of personal information in accordance with relevant privacy laws and funded program requirements. Iris Aged Care is committed to protecting privacy and complying with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
Roles and responsibilities
The Board and Managing Director
The Board and Managing Director have overarching responsibilities to ensure the organisation and its staff operate within all relevant Local, State and Commonwealth Government laws, funding provider requirements and organisational policies and procedures.
All Staff
Are responsible for:
- Handling personal information in accordance with this privacy management policy and abiding by all organisational policies and procedures
- Notifying the Managing Director immediately of any actual or suspected privacy breaches
Policy
Iris Aged Care collects and administers a range of personal information for the purposes of providing home care services. The organisation is committed to protecting the privacy of personal information it collects, stores, provides access to, uses and discloses.
Personal information collected is limited to that required for providing the required services, including meeting funded partners' contracts.
Privacy and confidentiality are maintained through the processes described in our policies and procedures. The confidentiality of complaints is maintained in accordance with the principles of the Privacy Act.
Privacy and confidentiality (clients)
Principles for the Collection of Client Information
Iris Aged Care is committed to the principles outlined in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012[1]. We have in place procedures that ensure compliance with the legislation including the protection of sensitive information including health information.
We use the OAIC documents, Protecting Customer’s Personal Information[2] and the Guide to Health Privacy[3], as guides to our privacy plan and processes.
Privacy Plan
Iris Aged Care policies, processes and procedures to ensure the privacy of clients are shown below. The key guidelines for respecting client privacy and confidentiality are:
- We have clear lines of accountability for privacy management. The Board has approved the Privacy Policy, and the Managing Director has day-to-day responsibility for privacy and for reporting on any issues including breaches. Managers are responsible for ensuring our policies, processes and procedures are implemented and followed and report on any issues in their reports to the Managing Director. Staff with any privacy issues or queries can approach their immediate supervisor or the relevant Manager
- Management, staff and volunteers are provided with initial and ongoing training and information, and periodic reviews of the information on the rights of clients to privacy and confidentiality and the processes that support this. Training is provided to staff and volunteers as needed and when new staff/volunteers commence employment. The OAIC Guide to Health Privacy is available to all staff and is used as a reference by the Managing Director and Managers in the management of privacy
- The Client Information Handbook outlines our approach to maintaining the privacy and confidentiality of client information. Clients are provided with a copy of the Client Handbook on commencing with Iris Aged Care and whenever the information substantially changes. The information in the Client Handbook, including our privacy policy, is explained to clients during the service commencement meeting and at any consent collection process
- We only collect information about clients that is relevant to the provision of support, and we explain to clients why we collect the information and what we use it for. Information collected can include contact details, family details, medical history, health care provider details, financial information, assessments, clinical notes, medications, Medicare/healthcare fund details, specialist reports, test results and referral information
- We ensure a three-point identification check is conducted when making face-to-face and telephone contact with new clients, validating their name, address and date of birth. We seek support from carers and family (who are also identified) if the client cannot self-identify. We use other identifying information (e.g. from referral information, such as Medicare number, pension and other documentation) to validate identification
- We take steps to correct information where appropriate and regularly review client information with the client or their representative to ensure it is accurate and up to date
- Clients can ask to see the information that we keep about them and are supported to access this information, subject to the Grounds for Refusing Access specified in the Privacy Act 1988
- Clients are supported by us should they have a complaint or dispute regarding our privacy policy or the management of their personal information
- All information relating to clients is confidential and is not disclosed to any other person or organisation without the client's consent, except in cases of serious threat to the client where they are not able to consent
- Except with the written consent of the person, personal information is not disclosed to any other person other than:
  - for a purpose connected with the provision of aged care services to the client by us; or
  - for a purpose connected with the provision of aged care services to the client by another approved provider; or
  - for a purpose for which the personal information was given by or on behalf of the Client; or
  - for the purpose of complying with an obligation under the Aged Care Act 1997, the Aged Care (Transitional Provisions) Act 1997 or any of the principles
- The provision of information to people outside the service is only authorised by the Managing Director
- When providing client information to external funded partners or other approved external bodies, client personal information that does not need to be collected is de-identified by the Care Manager, Coordinators or Registered Nurse staff prior to provision
- We do not discuss clients or their support with people not directly involved in supporting them
- Reviews are always conducted in private with the client and the relevant team member unless the Client consents to their carer, advocate or another person being present
- During client assessments and reviews the relevant team member asks the client about any privacy requirements they have, such as their preference for a male or female worker. These are noted on their assessment form and on the support plan
- Any discussions between staff about clients are held in a private space
- Any references to individual clients in meeting minutes refer to the client by initials only or another unique identifier, such as their client number
- Any paper client files are stored in secured filing cabinets and archived in our secure archives area. Electronic information is securely stored on our server and securely backed up
- We confidentially destroy any personal information held about our clients when it is no longer necessary to provide support
- We have a comprehensive data breach response plan to be implemented in the event of a data breach
- Our Privacy Plan and policies, processes and procedures are reviewed and updated through our regulatory compliance and continuous improvement processes, including the review of Policies and Procedures over a three-year period and ongoing audits of all processes.
Confidentiality of Complaints and Disputes
As far as possible, the fact that a Client has lodged a complaint and the details of that complaint are kept confidential amongst staff directly concerned with its resolution. Similarly, information on disputes between a Client and a staff member or a Client and a carer is kept confidential. The Client’s permission is obtained prior to any information being given to other parties whom it may be desirable to involve in the resolution of the complaint or dispute.
Clients' Right to Access Information
Clients of Iris Aged Care have a right to read any personal information kept about them. A request from a client (or their advocate) to access information is referred to the relevant team member, who confirms the request with the Managing Director and then arranges for the client to view their information within 30 days of the request.
Information is provided in a format accessible to the client. The client can nominate a representative to access their records held by us. The team member is available to assist the client in understanding the information, to explain terminology and to provide other assistance.
On advice from our legal representative, access to a client's record may be denied subject to the Grounds for Refusing Access specified in the Privacy Act 1988. This is discussed with the client/advocate should this situation arise.
Management of Client Information
The kinds of records kept include:
- Agreements
- Information provided by the funding partner (Department of Health and Aged Care, My Aged Care)
- Assessments of clients
- Individual care and support plans
- Medical records, progress notes, consent forms and other care and clinical records
- Schedules of fees and charges
- Client statements and accounts
- Records relating to clients' entry, discharge and leave arrangements
- Up-to-date records of the name and contact details of at least one representative of each client, and the name and contact details of any other representative of a client.
How records are kept
All client information and files are recorded in the Client Management System "LOOKOUT" (password protected); however, a paper file may be required for some documentation, for example the in-home client file.
Client information is stored electronically in LOOKOUT. The Care Manager, Coordinators, Registered Nurses, Rostering Team and Finance Team are responsible for ensuring client data entry is completed accurately, with the Managing Director having overarching responsibility. Staff record all client information, including care plans, service information and progress notes, in LOOKOUT as well as in the client's home notes as necessary. Financial records related to HCP budgets are maintained in LOOKOUT with approved staff access. Information is restricted by passwords to relevant staff. Iris Aged Care financial records are held in Quickbooks, with the Managing Director having overarching responsibility and access by the Accountant and Company Directors.
Paper office files may be kept on occasion, for example for a confidential investigation or complaint; these are stored in a secure locked cabinet in the Managing Director's Office and are only accessible by the Managing Director. Clients who have in-home services may also have an in-home file that includes information such as the care and support plan, communication diary and medication signing forms. Information on the services delivered to Clients is recorded directly into LOOKOUT by staff.
Privacy and Confidentiality (staff)
Employee information required for rostering and required registrations is kept electronically in LOOKOUT, with password security, for staff whose roles require them to have access. The Managing Director is responsible for ensuring only currently and appropriately qualified and credentialed staff are rostered to provide care and services. Access to employee files is limited to the Managing Director and Company Director.
Employees are entitled to see their file at any suitable time arranged with the Coordinator or Manager as appropriate. Employee paper files are secured in a locked filing cabinet, and employee information contained within electronic systems is password protected. Office staff only have access to the employee files necessary to perform their job role.
Iris Aged Care will take reasonable steps to keep any information about an Employee's situation confidential. Employers can disclose information if it is required by law or is necessary to protect the life, health and safety of the employee or another person.
Iris Aged Care understands information about an employee’s experience of family and domestic violence is sensitive and if information is mishandled it could have adverse consequences. We will work with the Employee to discuss and agree on how this information will be handled. [4]
Minutes of meetings
Minutes of meetings are maintained on the organisation's intranet and are only accessed by staff whose position entitles them to be in these meetings and to read the information contained in the minutes. Client information is de-identified.
Archive management
The Administration Team is responsible for archive management. Archived paper files are stored in the archive storeroom. Archives are sorted by year and category. All electronic files are electronically archived, and systems are backed up daily. Iris Aged Care keeps all records for seven years. Records are securely destroyed after this time.
Information technology and cyber security [5]
Our information technology systems ensure we can meet the needs of Iris Aged Care, ensure the protection of Client, staff and organisation information and support the collection of service delivery data and reporting obligations.
Cyber security
Strategies to ensure the safety of Iris Aged Care data include:
- We only utilise cloud storage physically based in Australia (data sovereignty).
- All data is synchronised to the cloud and is only accessible to the system administrators and consultants that we engage.
- Cameras, alarms and other Internet-of-Things devices are not connected to our data server.
- We utilise a Unified Threat Management (UTM) firewall.
- All computers are password protected and set to lock after 30 minutes of non-use to prevent unauthorised access.
- We employ a user access policy where users are only granted access to the data that they need to do their job. Access to data is further restricted by the assignment of usage levels, including administrator, user and read only.
- Service delivery staff only have access to the data of Clients they are working with or are likely to work with. Access is limited to information directly related to their work, such as the support plan and notes.
- A backup cycle to removable disk, with an off-site copy, is maintained as another level of safety in the event of data loss on the server and the cloud.
- All server equipment is maintained in a secure room that is locked when physical access to equipment is not required.
- A mobile device manager is utilised to manage all access to our data by staff using mobile phones/devices. This includes remote wipe and remote delete functions for use in the event of loss of the device.
- Data cannot be copied to a laptop without the permission of the Managing Director. Preferred access is remote login to the server, as this is controlled.
- Complex passwords are created randomly by the system administrators only and are changed yearly or whenever a staff member leaves Iris Aged Care. Under no circumstances are staff permitted to disclose their password to any other person.
- Two-factor authentication is utilised wherever feasible.
- Only the Managing Director can add new data folders to the shared drive of the server.
- An anti-virus program, including anti-ransomware, is maintained on every device connected to the server.
- All internet access is logged and is auditable.
- No programs, external data or utilities can be installed onto any workstation or other device without the permission
- All systems software is maintained up to date.
- Our IT Consultant reviews our system and our data breach procedures at least annually and whenever a data breach related to IT occurs.
- All staff receive information on our IT system requirements and training on responding to data breaches on commencement with the service.
Internet and Email
Staff are only to use the organisation's email system to send emails for this business. Personal emails are not allowed on the Iris Aged Care email system. All emails are filed in the appropriate folders. Emails documenting service feedback and information relevant to the operation of Iris Aged Care are forwarded to the relevant staff person.
Internet access is restricted to work-related purposes and is monitored and audited. Pornographic, sex-related, spam or other junk email is deleted without viewing it. Under no circumstances are staff to respond to it; staff are required to report it to management immediately.
Government Portals
Iris Aged Care uses secure Government portals to manage transactions and provide information as required under contractual arrangements for reporting and other purposes. Only authorised staff whose job role requires them to use portals are provided access (password protected). The Managing Director is the organisational administrator for all Government portals and has overarching responsibility, reporting to the Board if there are any concerns about unauthorised access.
Social media
We are aware that social media (social networking sites (Facebook, Twitter etc.), video and photo sharing sites, blogs, forums, discussion boards and websites) promote communication and information sharing. Staff who work in Iris Aged Care are required to ensure the privacy and confidentiality of the organisation’s information and the privacy and confidentiality of Client and other staff information and must not access inappropriate information or share any information related to their work through social media sites.
Client written consent is required before any photographs, names or other information are published to social media. Staff are required to seek clarification from the Managing Director if in doubt about what is information related to their work.
Data breach
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost. Data breaches include:
- Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to 'human error', for example an email sent to the wrong person
- Disclosure of an individual's personal information to a scammer as a result of inadequate identity verification procedures. [6]
Notifiable data breaches
Under the Notifiable Data Breaches (NDB) scheme, Iris Aged Care is required to notify any individual whose data is breached, and the Australian Information Commissioner, of data breaches where:
- There is unauthorised access to, or disclosure of, personal information held by Iris Aged Care (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
- This is likely to result in serious harm to any of the individuals to whom the information relates.
- Iris Aged Care has been unable to prevent the likely risk of serious harm with remedial action.
(Available on request - See Figure: OAIC Data Breach Action Plan for Health Service Providers)[7]
Iris Aged Care also reports the breach, when it is relevant to do so, to other organisations such as:
- Police or law enforcement bodies
- The Australian Securities & Investments Commission (ASIC)
- The Australian Prudential Regulation Authority (APRA)
- The Australian Taxation Office (ATO)
- The Australian Transaction Reports and Analysis Centre (AUSTRAC)
- The Australian Cyber Security Centre (ACSC)
- The Australian Digital Health Agency (ADHA)
- The Department of Health and Aged Care
- Department of Veterans' Affairs
- State or Territory Privacy and Information Commissioners
- Professional associations and regulatory bodies
- Insurance providers
Managing data breaches
Data Breach Response Plan
Key Roles
- The Board
  - Responsible for ensuring the security of Iris Aged Care data
  - Are advised of all data breaches and actions taken to resolve them and to prevent future breaches
  - Approve the procedures for security of data and responding to data breaches.
- The Managing Director
  - Receives reports of data breaches
  - Investigates the breach if appropriate
  - Takes any immediate necessary action to contain or resolve the breach
  - Identifies and implements any additional action required
  - Determines if the breach must be reported to the Commissioner under the Notifiable Data Breaches (NDB) scheme
  - Determines if it is likely that any person's data is at risk of being viewed or utilised by others, and advises the affected persons
  - Considers on an ongoing basis how to improve the protection of data
  - Tests the data breach response plan.
- Staff
  - All staff are responsible for minimising the chances of a data breach occurring
  - Staff are required to take particular care of any documents or devices, such as phones or laptops, that connect to or contain information related to Clients or Iris Aged Care
  - In the event that a device or document is lost, it must be reported to the Managing Director immediately it is known to be lost
  - In the event of, or threat of (phishing or a virus), unlawful access to data on the computer system, the Director is advised immediately, the system is immediately isolated and our computer consultant is requested to immediately attend, deal with the access or threat, identify the extent of the breach, how it occurred and how to prevent it in the future.
Data Breach Report
Data breaches are reported using an Adverse Event Report with a Data Breach Report attached.
Procedure for Dealing with a Data Breach
In the event of a data breach or suspected breach, the steps below apply as appropriate to the breach and to Figure: OAIC Data Breach Action Plan for Health Service Providers.
- Immediately advise the Manager of the breach and complete an Adverse Event Report with an attached Data Breach Report
- The Manager is to immediately advise the Managing Director of the breach, and the Adverse Event Report is updated
- The Managing Director notifies the Board
- The Managing Director determines if any immediate action can be taken to contain or resolve the data breach (e.g. remotely wipe a mobile phone, advise Police) and implements the action. The Adverse Event Report is updated.
- The Managing Director advises the IT Consultant or designated system administrator of the breach or potential breach and of any immediate action required, including securing electronic systems or bringing them offline whilst the investigation is underway. The Adverse Event Report is updated.
- Review of the data breach includes:
  - What the breach was
  - The number of people affected by the breach or suspected breach
  - Whether the breach or suspected breach affected clients under Government funded programs and, if so, what specific reporting (including timeframes) is to be actioned
  - Whether there is a risk of serious harm to affected individuals now or in the future
  - Whether the data breach or suspected data breach may indicate a systemic problem with our practices or procedures
  - Other issues relevant to the circumstances, such as the value of the data or issues of reputational risk.[9]
- Investigation includes:
  - how the breach occurred
  - what information was breached
  - how the breach can be ameliorated and how to prevent future breaches.
- Whether the breach must be reported to the Commissioner under the Notifiable Data Breaches (NDB) scheme is determined on the factors noted above in Notifiable Data Breaches[10] and in consideration of the OAIC Data Breach Action Plan for Health Service Providers. The Managing Director lodges the report and updates the Adverse Event Report.
- The Managing Director determines if the breach must be reported to any other authorities, including agencies identified in the Data Breach Action Plan and other funding partners including the Department of Health and Aged Care (Commonwealth funded aged care), and lodges the report/s.
- If the Managing Director determines that it is likely that any person's data is at risk of being viewed or utilised by others, they ensure that the person/s are advised of the type of data breached, the action taken, the potential consequences and what we have done to ensure it does not occur again. Advice may be written, verbal or face to face, or a combination, depending on the breach and consequences.
- In the event of unlawful access to data on the IT system, the Managing Director ensures the system is immediately isolated, and the IT consultant is requested to immediately attend and identify the extent of the breach, recover lost information if possible, secure the system, and determine how the breach occurred and how to prevent it in the future.
- The Data Breach Report is updated by the Managing Director and processed and closed out. The Improvement Committee reviews the data breach and the appropriateness of the response and considers if any improvements can be made to the data breach process.
Ongoing testing of different scenarios of data breaches is carried out regularly as part of our risk management process. This may involve staff and our IT Consultant.
Training
All staff and management receive training on organisational policies, procedures and practices including privacy, confidentiality, and our data breach response plan in their initial orientation and through ongoing updates on breaches and how to respond to them.
[1] Australian Government, Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012
[2] Australian Government Office of the Australian Information Commissioner, Protecting Customers' Personal Information
[3] Australian Government Office of the Australian Information Commissioner (OAIC), Guide to Health Privacy. A copy is maintained in the resources folder
[4] Fair Work, Workplace privacy best practice guide, https://www.fairwork.gov.au/tools-and-resources/best-practice-guides/workplace-privacy
[6] Australian Government Office of the Australian Information Commissioner, Data Breach Preparation and Response (A Guide to Managing Data Breaches in Accordance with the Privacy Act 1988 (Cth))
[7] Australian Government Office of the Australian Information Commissioner, Action plan for health service providers, 11 February 2020
[8] Australian Government Office of the Australian Information Commissioner, Data Breach Preparation and Response (A Guide to Managing Data Breaches in Accordance with the Privacy Act 1988 (Cth))
[9] These items are included on the Data Breach Report
[10] These items are included on the Data Breach Report