Privacy and Information Management Policy
Purpose
The purpose of this policy and procedure is to outline the duties of employees when collecting, using, protecting and disclosing personal data in accordance with privacy legislation. This policy should be read in combination with the Records and Information Management Policy and Procedure.
Scope
This policy and procedure applies to all Axcess Disability employees. A reference to “employees” or “staff” includes permanent, fixed-term, temporary and casual employees, directors, contractors, volunteers and other representatives acting on behalf of Axcess Disability in any capacity.
The protections included in this Policy apply to all private and health data of employees and Participants.
Statement
Axcess Disability protects the privacy of everyone, including the privacy of their Participants and employees. All persons (or their legal agents) are entitled to decide who has access to their private data.
Axcess Disability collects, uses and discloses data in accordance with appropriate state/territory laws and Federal Privacy Act.
Axcess Disability shall obtain only the data needed for the secure and efficient provision of the service. It will only use collected data for the purpose it has been gathered and properly secure it.
All employees are responsible for preserving the privacy and confidentiality of Participants, other employees and the organisation.
Photos and Videos
Photos, videos and other recordings are a form of personal information. Employees must respect people’s choices about being photographed or videoed and only use images of people when informed consent has been obtained. This includes being aware of cultural sensitivities and the need for some images to be treated with special care. The approved use of such images applies to authorised employees only.
Client Information Collection and Consent
Axcess Disability will only ask for private data required to:
- Assess the eligibility of a prospective client for a service;
- Provide a secure and responsive service;
- Monitor the services supplied; and
- Fulfil government de-identified and statistical data requirements.
Personal client data that Axcess Disability collects includes, but is not limited to:
- Participants' and their parents' or guardians' contact details.
- Emergency contact details and individuals authorised to collect Participants.
- Health status of Participants and medical documents.
- Records of immunisation.
- Records of medicines.
- Reports of incidents.
- Arrangements for custody.
- Permits and forms of consent.
- Service delivery intake, evaluation and review data.
- Records of development, plans, portfolios and observations.
Before gathering private data from Participants or their agents, employees must clarify:
- That Axcess Disability only collects private data needed for the secure and efficient delivery of services;
- That private data is kept safely and used only for the purpose for which it was obtained;
- What data is needed;
- Why the data is being gathered and how it will be stored and used;
- Occasions when it may be necessary to disclose the data, and to whom or where the data may be disclosed;
- The right of the Client to refuse to disclose the data;
- The rights of the Client to supply, access, update and use their private data and to give and withdraw their permission; and
- The implications (if any) if all or part of the necessary data is not supplied.
Axcess Disability refers to its Privacy Policy in the Participant's NDIS Service Agreement:
- The NDIS Service Agreement includes a Consent to Collect and Share Information agreement.
- These consents are discussed with the participant and/or their decision maker, in a way they can understand, prior to the commencement of service.
- Persons contacting Axcess Disability with an enquiry do not need to provide personal details. However, once a decision is made to progress to using Axcess Disability's services, personal and sensitive information will need to be collected.
- Axcess Disability may need to share pertinent participant information with other service providers when determining support plans. Information is only shared in order to provide the best service possible, and only with people whose Professional Codes of Ethics include privacy and confidentiality. Permission to share information is sought from the participant prior to the delivery of services and at other points of intervention as required.
- Personal information is not disclosed to third parties outside of Axcess Disability, other than for a purpose made known to the participant and to which they have consented, or unless required by law.
- Participants are informed that there may be circumstances when the law requires Axcess Disability to share information without their consent.
Participants and their representatives or families are responsible for:
- Providing accurate data when required;
- Completing and returning consent forms in a timely way;
- Being sensitive and respectful to others who do not wish to be photographed or videoed; and
- Being sensitive and respectful of other people's privacy in the use and disposal of photographs and videos.
NDIS Audits
Axcess Disability fulfils the criteria of the National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guidelines 2018, whereby Participants are automatically included in NDIS Practice Standards audits. An NDIS Approved Quality Auditor may contact Participants at any time for an interview, or to review their client file and plans.
Participants who do not wish to engage in audits may notify Axcess Disability Head Office. Their choice will be respected and recorded in their client file. Axcess Disability shall notify its Approved Quality Auditor of Participants who have refused to participate in the audit upon commencement of any audit process.
Employees Information Collection and Consent
Employee information that Axcess Disability collects includes, but is not limited to:
- Details of professional registration
- Tax return forms
- Superannuation details
- Payroll information
- Contracts for employment/engagement
- Personal information and proof of identity documentation
- Emergency contact details
- Medical details
- NDIS Worker Screening Checks, Police Checks and Working with Children Checks
- Qualifications
- First aid, CPR, anaphylaxis and other certificates
- Personal resumes
- Consent forms
Where applicable, the forms used to collect the above information will also obtain the employee's consent to collect, store, access, use, disclose and dispose of their personal information.
Storage, Archiving and disposal
- Participant information collected is kept in an individual participant record.
- Each participant record has a unique identification number.
- A participant record includes:
  - personal information
  - clinical notes
  - investigations
  - correspondence from other healthcare providers
  - photographs
  - video footage.
- Participant information is maintained in a secure cloud-based electronic storage system. Other security-related controls, such as user access passwords and multi-factor authentication, also assist with the protection of information.
- Paper records are kept in locked cabinets within a secure building.
- Participant information is stored for seven years from the date of last discharge. In the case of participants aged under 18 years, information is kept until their 25th birthday and 7 years post discharge.
- Participant-related information, or any papers identifying a participant, are destroyed by shredding and by deletion from the computer and all databases.
- User access to all computers and mobile devices holding participant information is managed by passwords and automatic logout after inactivity.
- All staff must not undertake any of the following actions without the express approval of HR/CEO:
  - Photocopy any confidential document, form or record.
  - Copy any confidential or financial computer data to any other computer, USB or cloud-based storage system.
  - Convey any confidential data to any unauthorised worker or to any other person(s).
Access
Personal information of the employee must only be accessed by authorised Axcess Disability head office employees, who can access the data only if it is necessary to fulfil their responsibilities.
Employees may only access the private data of Participants if it is necessary to carry out their responsibilities.
Employees and Participants have the right to:
- Request access to private data Axcess Disability holds about them, without offering a reason for the request;
- Access this data; and
- Make corrections if they think the data is not accurate, complete or up to date.
All requests for Client access or correction must be addressed to the employee responsible for maintaining the personal information of the Client.
An application for access or correction may be rejected in whole or in part where:
- The application is frivolous or vexatious;
- It would have an unreasonable effect on the privacy of other persons;
- It would pose a serious threat to any person's life or health;
- It would prejudice any investigation conducted by Axcess Disability or any other person; or
- It may be the subject of an investigation.
Any denial of a Client's application for access or correction must be approved by the Managing Director and recorded in the Client's file.
Any denial of an employee's request for access or correction must be endorsed by the Managing Director and recorded in the Employee's file.
Disclosure
Personal data of a client or employee may only be disclosed:
- For emergency medical treatment;
- To external organisations with the permission of the person (or, for child Participants, of their parents or guardians);
- With the written consent of the authorised person; or
- To fulfil statutory obligations, such as mandatory reporting, when required by legislation.
If an employee is in a position where they think they need to reveal data about a Client or other employee that they would not normally disclose, they must consult the HR team before disclosing the data.
Notifiable Data Breaches
The Notifiable Data Breaches (NDB) Scheme is a federal scheme under the Privacy Act 1988 (Cth). Organisations are required to notify individuals affected by certain data breaches, as well as the Australian Information Commissioner. A data breach occurs when personal information held by an organisation is lost or is accessed or disclosed without authorisation. A data breach may happen as a result of malicious action, human error, or a failure of management or security systems.
Examples of data breaches include:
- Loss or theft of devices (such as phones, laptops and storage systems) or paper documents containing private data;
- Unauthorised access by an employee to private information;
- Inadvertent disclosure of private information owing to 'human error', such as an email sent to the wrong individual; and
- Disclosure of private data to a scammer as a consequence of insufficient identity verification processes.
Besides the harm caused to the individuals who are the subject of a data breach, such an event can also cause reputational and economic damage to Axcess Disability.
The Data Breach Preparation and Response — A Guide to Managing Data Breaches under the Privacy Act 1988 (Cth), released by the Office of the Australian Information Commissioner (OAIC), provides further details on the NDB Scheme.
Identifying a Notifiable Data Breach
A Notifiable Data Breach occurs when:
- Access to or disclosure of private data is unauthorised, or data is lost in circumstances in which unauthorised access or disclosure is likely to occur;
- The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the data relates. In the context of a data breach, serious harm may include serious physical, psychological, emotional, financial or reputational harm; and
- Axcess Disability has been unable to prevent the likely risk of serious harm through remedial action.
All suspected or actual data breaches must be reported to the Managing Director, who will determine Axcess Disability's response and whether the breach must be notified under the NDB Scheme.
If Axcess Disability acts quickly to remediate a data breach, and as a result the breach is unlikely to cause serious harm, it is not regarded as a notifiable data breach.
Responding to a Data Breach
If the Managing Director suspects that a data breach is notifiable under the NDB Scheme, they must carry out an assessment to determine whether this is the case.
If the Managing Director considers the data breach to be notifiable under the NDB Scheme, they must notify all affected individuals of the breach as quickly as practicable.
All data breach incidents (whether notifiable or not) must be handled in accordance with the Data Breach Response Plan and, where appropriate, recorded in the Incident Register, with relevant actions tracked in the Continuous Improvement Register.
Where a breach has occurred, the response will follow these steps:
- Contain the data breach;
- Assess the data breach and related risks;
- Notify affected individuals and the Australian Information Commissioner; and
- Prevent future breaches.
Other Reporting Requirements
The Managing Director must immediately notify the NDIS Commission if they become aware of a breach or possible breach of privacy law.
Data breaches may also trigger reporting obligations outside the Privacy Act 1988, such as to:
- The financial services provider of Axcess Disability
- The police or other law enforcement agencies
- The Australian Securities and Investments Commission (ASIC)
- The Australian Taxation Office (ATO)
- Federal, State or Territory Government Departments
- Professional and regulatory associations
- Insurance providers
How Do You Contact Us?
To access your personal information, make a complaint, or request any changes to your personal information, please contact us at:
Email: management@axcessdisability.com.au
Phone: 0488 551 331
Mail: PO Box 3177 Grose Vale NSW 2753