TCH Care Privacy Policy Statement

This policy is designed to ensure TCH Care complies with the Victorian Health Records Act, Privacy Act and Disability Act and Federal Privacy Legislation in practice with its legal obligations and fulfil its duty of care to participants, staff, and community.

Authorities and Responsibilities

The Chief Executive Officer of TCH Care has oversite responsibilities of ensuring that all employees of TCH Care understand and comply with their obligations of protecting and maintaining participant privacy.

Collection of Personal Information

At the first interview, participants will be notified of the type of information is being collected about them, how their privacy will be protected, and their rights in relation to this data. Information sharing is part of legislative requirements. Participants must give informed consent prior to any information sharing between our organisation and organisations. The participant is offered to opt-out of any NDIS information sharing during audits.

TCH Care is committed to protecting and upholding the participants right to privacy and dignity as we collect, store and handle information about them, their needs and the services provided to them.

TCH Caree will ensure that each participant understands, and agrees to, what personal information will be collected and informed of the reason for the collection. The participant will be informed and asked to provide informed consent prior to the information being collected, recorded, material in an audio and / or visual format.

TCH Care will advise each participant of privacy policies using the language, mode of communication and terms that the participant is most likely to understand. (Easy Read documents are made available to all participants).  TCH Care will ensure that it will:

• Only collect and store personal information that is necessary for the functioning of the organisation and its activities.
• Use fair and lawful ways to collect personal information.
• Collect personal information only with an informed consent from the individual participant.
• Ensure that people know of the type of personal information being held, the purpose of keeping the information and the method it is collected, used, disclosed, and who will have access to it.
• Ensure that personal information collected or disclosed is accurate, complete, and up to date.
• Inform participants that they can access to review their personal information or correct wrong information about themselves.
• Participants are provided with information about their rights regarding privacy and confidentiality.
• The participants and TCH Care personnel are provided with privacy, and confidentiality assured when they are being interviewed or discussing matters of a personal or sensitive nature.
• All staff, management and volunteers understand what is required in meeting these obligations.
• TCH Care will attempt to locate interpreters and will use easy-to-access materials.
• Destroy or permanently de-identify personal information no longer needed and/or after legal requirements for retaining documents have expired.
• Ensure that participants understand and agree with what personal information will be collected and why.
• Ensure participants are informed when any recordings occur in either audio and/or visual format.
• The participant’s involvement in any recording must be agreed to in writing.

Participant Records

Participant records will be kept confidential and only handled by staff directly engaged in the delivery of service to the participant. Information about participants may only be made available to other parties with an informed consent of the participant, or their advocate, guardian, or legal representative. A written agreement giving permission to the recording must be maintained in the participant’s file. All hard copy files of participant records will be kept securely in a locked filing cabinet, in the office space.

Informed Consent

During the onboarding of a participant, an informed consent must be obtained from a participant or a nominated support person/advocate/Support Coordinator when a participant is unable to give consent, before the collection of their personal information.

Informed Consent must be sought form a participant prior to their appearance on a photo or video footage that will be used for publication or general purposes by using a “Video and Photo Consent Form”.

Monitoring and Reviewing

TCH Care Management Team will review this policy and procedure at least annually. This process will include a review and evaluation of current practices and service delivery types, contemporary policy, and practice. The Incident Register will incorporate staff, participant, and stakeholder feedback. Feedback from service users, suggestions from, staff and best practice developments will be used to update this policy.

TCH Care Continuous Improvement Plan will be used to record and monitor progress of any improvements identified and where relevant feed into TCH service planning and delivery processes.

Management of Data Breach

TCH Care will ensure it meets legislative compliance requirements as a mandatory reporter of eligible data breaches to both the Office of the Australian Information Commissioner (OAIC) and any individuals who may be potentially affected by a data breach; to inform relevant authorities of any breach, and to limit and reduce risks to the business and ensure continuous improvement in maintenance of data held by our organisation.

All Staff are required to maintain the confidentiality of all data relating to participants and other Staff members. This policy relates to all personal data regarding both participants and team members.

TCH views data breaches as having serious consequences, so the organisation have robust systems and procedures in place to identify and respond effectively.

TCH will delegate relevant staff members with the knowledge and skills required to become a Response Team member.

Staff are required to inform the Director or their delegate of the potential, or suspected, data breach immediately. Within forty-eight (48) hours, the Director is to complete a Data Breach Process Form and ensure that, as a regulated entity, they notify the particular individuals and the Commissioner about eligible data breaches as soon as practicable (no later than thirty (30) days after becoming aware of the breach or suspected breach).

If a staff member becomes aware that there are reasonable grounds to believe that there has been an eligible data breach, TCH is required to promptly notify any individuals at risk of being affected by the data breach and the OAIC.

 TCH Care will undertake the following when an eligible data breach has occurred:

1. Prepare a statement that, at a minimum, contains:
   • TCH contact details:
     • If relevant, the identity and contact details of any entity that jointly or simultaneously holds the same information, in respect of which the eligible data breach has occurred, e.g., due to outsourcing, joint venture or shared services arrangements. If information of this sort is included in the statement, the other entity will not need to report the eligible data breach separately.
   • A description of the data breach.
   • The kinds of information concerned.
   • The steps it recommends individuals take to mitigate the harm that may arise from the breach (while the entity is expected to make reasonable efforts to identify and include recommendations, it is not expected to identify every recommendation possible following a breach).
2. Provide a copy of the prepared statement to the OAIC using online Notifiable Data Breach Form.
3. Undertake such steps, as are reasonable in the circumstances, to notify affected or at-risk individuals of the contents of the statement. Individuals will be notified by email, telephone, or post, depending on the situation; if direct notification is not practicable TCH will publish the statement on its website and take reasonable steps to publicize its contents.

This privacy policy statement conforms to the Federal Privacy Act (1988) and the Australian Privacy Principles, which govern the collection, use and storage of personal information. This policy will apply to all records, whether hard copy or electronic, containing personal information about individuals, and to interviews or discussions of a sensitive personal nature.