This policy outlines Wayss’ commitment to privacy and its approach to the responsible handling of personal, sensitive and health information in all its forms, consistent with relevant legislation for all people who use any Wayss services.
Wayss respects clients’ right to privacy and the right to have any information about them held securely and in confidence, where possible. Wayss will foster a positive and respectful privacy culture which supports a relationship of trust between clients, staff, volunteers, and other agencies.
Wayss will comply with the Privacy and Data Protection Act 2014 (Vic), the Victorian Information Privacy Principles (IPP), the Health Records Act 2001 (Vic), the Victorian Health Privacy Principles (HPP) and any other relevant laws, including laws that may impact on privacy requirements such as information sharing schemes for domestic violence and child safety.
Wayss adopts a privacy by design approach, proactively incorporating privacy requirements, ensuring compliance with law, and enabling continuous improvement of privacy practices.
This policy applies to all Wayss staff and volunteers with respect to personal, sensitive and health information about any individual accessing Wayss services (clients and tenants) and covers information provided to Wayss, and information about individuals obtained from other sources.
4. Policy Principles
Wayss will only collect information
- which is necessary to provide its services
- when the individual has consented to provide it
- when required by law or contractual arrangements with government funding bodies
- where the information can assist Wayss in improving its service delivery to clients
Wayss uses unique identifiers as required by the Australian Institute of Health and Welfare (AIHW), where client information is stored on the Specialist Homelessness Information Platform (SHIP).
Client data will be used by AIHW in an aggregated and de-identified way.
Client data may be stored on other government platforms relevant to specific funded programs.
Where requested, Wayss can provide clients with information about:
- what personal information is collected
- why it is collected
- how it will be used
- how it will be stored
- how long it will be kept
- with whom it will be shared
Collection may be inclusive of sensitive information including diverse sex characteristics, gender identities and sexual orientations. This information will only be collected in private settings where the client agrees. Wayss staff and volunteers will use the name, gender and pronouns that clients have nominated, not their previous name, gender or pronoun.
Wayss will comply with any obligations that require client consent. Information may be collected from other sources and where practical, clients will be advised if information held by Wayss, relating to them, has been collected from other sources.
Wayss uses personal, health and sensitive information to deliver and continually improve services to clients and comply with regulatory and contractual obligations. Wayss will use client information for the primary purpose for which it was collected, a related secondary purpose that clients may reasonably expect, such as referrals to other service providers (with the exception of sensitive information), as required by law, or with client permission or consent.
Client information will not be released or shared without the informed consent of the client unless the disclosure of the information is mandatory or there is a serious risk to health and safety. Where a client consents to the release of information, this must be given in writing unless it is impractical, or the situation is urgent, in which case Wayss will note verbal consent. Wayss staff have a responsibility to ensure that prior to giving consent, the client has access to accurate information about the intended purpose for releasing the information.
Wayss is required through its reporting requirements to provide the Department of Health and Human Services (DHHS) information in relation to incidents involving clients, for example safety and wellbeing issues, physical conflicts, violence, or verbal abuse. In this situation, clients and other individuals about whom information is being collected will be advised that the purpose of the collection of information is to report about and investigate an incident and that it will only be used for that purpose.
Any personal information disclosed to DHHS, child protection agencies, Victoria Police or Community Corrections in relation to the incident must directly relate to the specific circumstance and be necessary for the purpose of reporting and investigation of the incident and any actions taken.
4.5. Transfer of client information
Where information is required to be transferred, Wayss will take reasonable steps to ensure it will not be held, used or disclosed by the recipient of the information in a manner inconsistent with the Information Privacy Principles and the Health Records Act 2001.
Wayss will send a copy of this policy to the requesting body and ask for written confirmation of adherence prior to transferring the client information, unless Wayss is compelled to provide the information (for example by a regulator or a solicitor with authority).
In rare situations where written consent from a client is not practicable, the date, time, and method by which verbal consent is given must be recorded, signed, and witnessed in case notes.
4.6. Information accuracy and access
Wayss will take reasonable steps to ensure that all information collected is accurate, complete, and up to date at the time of use or disclosure. If Wayss becomes aware that information was inaccurate, incomplete, or out of date and the information has been transferred, Wayss will advise the recipient organisation and seek to provide correct information. On request, Wayss will provide clients with access to personal information and health information collected about them and allow clients to update and amend information they have previously provided. Wayss will also grant access to a person named by a client with written authority.
Information collected by Wayss may be redacted before being released or accessed, if it poses a risk to the privacy, safety, or security of others. Clients will be provided with information about how to access their personal and health information and if required, staff will support the client in making a request for access.
Clients may be granted restricted access to some information, as provided for by legislation, where:
- Providing access would pose a serious and imminent threat to life or health
- Providing access would have an unreasonable impact on the privacy of others
- The request for access is frivolous or vexatious
- The information relates to existing legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings
- Providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice the negotiations
- Providing access would be unlawful
- Denying access is required or authorised by or under law
- Providing access would be likely to prejudice an investigation of possible unlawful activity
- it relates to the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law
- it relates to the enforcement of laws for the confiscation of the proceeds of crime
- it relates to the protection of public revenue
- it relates to the prevention, detection, investigation or remedying of seriously improper conduct
- it relates to the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders by or for a law enforcement agency
If access is restricted, the client will be informed of the reason for this.
4.7. Information Security
Wayss holds information in many different formats and will take all reasonable steps to protect information from misuse, loss, unauthorised access, modification, or disclosure.
Wayss will make this policy available by:
- Publishing it on the Wayss website
- Displaying notices, posters and brochures at reception or waiting rooms
5.1. Staff and Volunteers
Privacy is everyone’s responsibility, and all staff and volunteers have an obligation to manage the personal information collected, accessed, used, re-used, or disclosed during their engagement with Wayss in accordance with this policy.
Managers are required to ensure that privacy principles and practices are implemented and that suspected or actual breaches of this policy are reported. Managers must ensure staff are informed of this policy as part of their induction and during ongoing performance processes.
5.3. Privacy Officer
The Privacy Officer is appointed by the CEO and is responsible for:
- Conducting privacy impact assessments
- Providing privacy training, other education programs and advice
- Monitoring compliance with this policy and reporting on privacy complaints and breaches
- Investigating privacy breaches, incidents, or complaints
- Providing a central contact point about Privacy for Wayss
Where a client believes Wayss has acted in contravention of this policy, or feels their privacy has been breached, they can make a complaint in accordance with the Client Complaints Policy and Procedure. Wayss will support them in accessing this complaints process if required. An individual may complain to the Privacy Commissioner or Health Services Commissioner about Wayss’ management of privacy and where Wayss has received notification of complaints to these bodies, the Chief Executive Officer will respond in a timely manner.
This policy will be reviewed every two years, or sooner if there are legislative changes or Wayss receives feedback about service delivery that may impact on this policy.
In the context of this policy refers to personal and health information.
Personal information is information or an observation that is recorded in any form and about an individual whose identity is apparent or can reasonably be ascertained from the information or observation. This can include letters, sounds, images, videos and numbers and combinations of them.
Health information means information or an observation about:
- The physical or mental health (at any time) of an individual.
- A disability (at any time) of an individual.
- An individual’s expressed wishes about the future provision of health services.
- A health service provided, or to be provided, to an individual that is also personal information.
- Other personal information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of their descendants.
LGBTIQ information means information about a client’s gender identity, sexual orientation, or intersex status.
Information about a client’s beliefs includes their religious affiliation and their spiritual identification.
9. Related Policies and Resources
- DHHS Standards
- Code of Conduct
- Client Feedback Policy
- Client Privacy Procedures
- Service Delivery Framework
- Child Protection Reporting Procedures