The Buttery and Privacy
The Australian Privacy Principles
The Australian Government introduced new legislation, effective 12 March 2014, which further protects the privacy of individuals. These principles replace the National Privacy Principles that came into force on 21 December 2001. You can find out more about these principles by calling the Office of the Australian Information Commissioner on 1300 36 39 92 or through their website at http://www.oaic.gov.au/.
The Buttery respects and upholds everyone’s right to privacy protection under the Australian Privacy Principles in regulating how we collect, use, disclose and hold personal information. We have a detailed policy and set of procedures to ensure that only authorised staff have access to personal information and that it remains confidential and is only used for appropriate purposes and in accordance with this notice.
1.2.7 Resident, Donor and Client Privacy and Confidentiality
The Buttery takes resident and client privacy and confidentiality very seriously and will comply with all laws, related guidelines and relevant professional standards that apply to how the organisation goes about collecting, using, storing and disclosing/releasing information about clients. There are currently a myriad of acts, regulations and legal guidelines relating to the collection, use, storage and disclosure of information, including client information in the health care context… These include: the Commonwealth Privacy Act 1988; the Commonwealth Privacy Amendment (Private Sector) Act 2000; the Commonwealth Guidelines on Privacy in the Private Health Sector 2001; the NSW Privacy and Personal Information Protection Act 1998; and the NSW Health Records and Information Privacy Act 2002. In addition, each Buttery Service’s funding and performance agreement, as well as various professional codes and standards, may also impose requirements relating to privacy and confidentiality.
Buttery residents and clients tend to be marginalised from mainstream society and they tend to be inexperienced in dealing with organisations. It can be difficult to know what their expectations are about privacy and what they understand about how information is handled. The fact that they are receiving a service is often a sensitive matter for them. Therefore, all resident and client information should be treated as sensitive, regardless of its nature and the reason it is collected, and clear, explicit reasons should be given for why information is needed and how it is handled.
Buttery clients access its services completely voluntarily. However, consent to receive a service does not, of itself, carry a consent to collect and handle information. In practice, consent to receive a service and consent to collect and handle information often occur at the same time, but they are separate, distinct authorities given by an individual.
The key elements of consent are that: it must be given voluntarily; it must be informed (i.e. individuals must know what they are consenting to); and individuals must have the capacity to give and communicate their consent. A distinction is made between express consent and implied consent. Express consent refers to consent that is clearly and unmistakably stated, whether in writing, orally, or in another form where consent is clearly given (e.g. nodding the head). Implied consent is less obvious, but involves consent being given as the result of, or in conjunction with, a particular act. For example, the collection of a urine sample would imply consent to passing necessary information to the testing agency and receiving the results. Similarly, a request for an emergency contact would imply consent to contact that person in an emergency. Wherever practical and reasonable, Buttery services should rely on express consent, coupled with clear and open communication with clients as to why information is needed and how it will be handled.
There are degrees of sensitivity of information and varying expectations of residents/clients regarding privacy and confidentiality of information. All information about residents/clients, whether given by them or collected from third parties, is considered to be personal information and is protected by privacy legislation. Information directly relating to assessment and treatment is categorised as “Health Information” in the legislation and is regarded as a particular kind of personal information that must be collected and handled with great care.
The need for privacy and confidentiality of resident/client information places an obligation on all Buttery staff and volunteers to ensure information is not used in a way that is contrary to the interests of the person or organisation that provided it. All staff and volunteers are expected to know their obligations in respect of privacy and confidentiality and are required to sign a Confidentiality Agreement for Staff and Volunteers of The Buttery. People from outside the organisation, such as students, researchers and reviewers should also sign a confidentiality agreement where access to identifying client information is part of their role.
The principles set out below relating to privacy and confidentiality of information apply to all Buttery services (references to residents/clients also include potential residents/clients assessed for a service):
- policies and practices for privacy and information handling should be transparent, documented and made available to anyone who requests them.
- policies and practices for privacy and information handling should be clearly communicated to clients before a service is offered. This may be through an information sheet or pamphlet. Residents/clients should be given an opportunity to discuss and clarify the policies and practices before being required to give consent.
- Buttery services must keep records of its residents/clients in order to provide a service. Resident/client consent to collect and handle information must be clearly expressed and should also carry a clear understanding that records will be kept. Where a client requests that no records be kept, the service must be declined.
- it is not practical for Buttery services to be provided completely anonymously to individual clients. Information to be collected will include some identifying information about the client. Where it is practical and lawful or culturally appropriate, clients may be given the option of using an alias (i.e. a name given to the service which is different to their usual name). Where an alias is used, all other information necessary for assessment, treatment, evaluations and statistical data should still be given correctly. Generally, it will not be administratively practical for clients to use an alias where we have some ongoing involvement in their personal affairs (e.g. liaising with Centrelink) and/or where there is a degree of information exchange and cross-referral with other agencies and services (e.g. medical professionals, Probation and Parole, MERIT).
- the only information about resident/clients collected and handled by a Buttery service will be information necessary to assess the need for a service, to provide the service and to evaluate the service. Wherever practical, information about a client should be collected from that client. Information should be as non-intrusive and objective as possible, yet relevant and up-to-date.
- where The Buttery is required by its funding bodies and some government agencies to collect information for data bases compiled by Drug & Alcohol and Gambling Organisations, Buttery staff must ensure that this information is compiled and released in a way that it cannot be used to identify individuals.
- a resident/client has the right to withhold information for privacy reasons. However, where the withholding of information compromises our capacity to make an assessment or provide a service, the service may be refused or withdrawn.
- any personal, identifying information about a resident/client will not be collected without the consent of that resident/client. Collection of information from third parties that is particularly sensitive requires the express consent of the client, given in writing wherever possible. The only exception is where information is needed to deal with a serious and imminent threat to the life or health of a client, and they are unable to give their consent. In all cases of information collection, clients should be made aware of what information is collected, why it is collected and how it is used.
- personal, identifying information about a resident/client may not be released or disclosed outside a Buttery service without consent. Information that is particularly sensitive may not be released or disclosed without the express, written consent of that client. The only exception is where there is an over-riding legal obligation to disclose information (e.g. mandatory reporting of crimes, where a court orders information to be released, where there is a serious and imminent threat to the client’s life or health and they are unable to give their consent).
- sharing identifying information about a resident/client within a service is necessary where there is a multi-disciplinary team approach. Boundaries for information sharing within a team should be established and be subject to applicable professional codes and standards. These should be clear to team members and residents/clients. Residents/clients should reject a service if they do not agree to this approach.
- an authorisation or agreement by a resident/client to act on his/her behalf with another agency or service (e.g. Centrelink, referral to other treatment services) should be given in writing. This carries an implied consent by the client to share information with that agency or service. However, information to be shared should be limited by need and the client should be clear about what information is to be shared.
- consent for information collection and handling in the course of participating in a residential program (e.g. name, address, birthdate, Medicare number, drug screen and pathology results, data statistics, financial matters) should be given expressly. That is, voluntary participation in a program should also carry an express consent for The Buttery to take on certain responsibilities for administering a resident/client’s affairs.
- residents and clients have the right to access information about them that is collected and held, and to request corrections to that information. Access will normally be given within 14 days of the request, unless the client agrees to a longer wait. Access can be denied where it may give rise to a serious threat to the life or health of the client or another person associated with the client. A decision to deny access should be made by the CEO or relevant Program Manager. Access should only occur in the presence of a qualified staff member, to help the client understand the information and ensure corrections are made where appropriate. Residents/clients may request a copy of any information, but care must be taken to ensure the copy does not include any identifying information about other persons.
- in the course of assessing and treating residents/clients, personal information about family members and significant others may be given by the resident or client. These individuals also have a right to privacy and confidentiality of their personal information. Personal, identifying information held about them will not be used in a way that is contrary to their interests.
- from time to time The Buttery conducts reviews, evaluations and audits of its record keeping, administration and service delivery for quality control purposes and to ensure that records meet required standards for health record keeping. Resident/client consent must be granted before researchers and evaluators are given permission to access sensitive, identifying information, and staff should ensure that sensitive information contained in case notes are not be read by any auditor or reviewer external to the Buttery Service under review. In addition, all third party reviewers are required to sign the Confidentiality Agreement for Staff and Volunteers of The Buttery before commencing the review.
- The Buttery may only release a resident or client’s confidential information, including whether or not they are or have been a resident or client, where:
- the resident/client has consented in writing to the release of the information. Such consent may be restricted to specific information only.
- a court of law has subpoenaed a resident/client’s file or has subpoenaed a staff member to give evidence at a trial or court proceeding.
- a particular law imposes an obligation to report information received.
- note also that residents in residential programs should be made aware that information given “in confidence” which involves a breach of the program’s rules is not considered confidential. Staff have an obligation to discuss such information with other staff and bring it to the attention of the residential community if the client is unwilling to do so.
1.2.8 Staff Privacy and Confidentiality
Buttery staff, volunteers, Foundation Committee members and Board members are also entitled to privacy and confidentiality regarding their personal, identifying information. Each staff member will have a personnel file, which is to be kept securely in the Finance Office. Access to personnel files will occur on a “needs only” basis. Authorised access is limited to the CEO, appropriate Program Manager and Administration staff. Personal, identifying information about staff will only be collected, held and disclosed with their knowledge and consent and will be confined to information relating to their employment only.
Buttery staff who seek a service from the organisation (whether former or current staff), are also protected by the same privacy and confidentiality obligations that apply for other residents and clients. Information collected and used for the purpose of assessment and providing a service to a staff member must not constitute part of their employee record. Personal information about persons applying unsuccessfully for a position in the organisation is also subject to privacy and confidentiality.
Website and Privacy and Confidentiality
The Buttery is committed to protecting the privacy of web users and using technology that will give users a safe and powerful online experience. This Statement of Privacy applies to The Buttery Website and governs data collection and usage. By using The Buttery Website you consent to the data practices described in this statement.
Collection of your Personal Information
Like all website providers, The Buttery collects personally identifiable information, such as your e-mail address, name, home or work address or telephone number. The Buttery may also collect anonymous demographic information, which is not unique to you, such as your postcode, age, gender, preferences, interests and favourites.
There is also information about your computer hardware and software that may be collected automatically by The Buttery. This information can include: your IP address, browser type, domain names, access times and referring Web site addresses. This information is used by The Buttery for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of The Buttery Web site.
Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through The Buttery public message boards, this information may be collected and used by others. Note: The Buttery does not read any of your private online communications.
The Buttery encourages you to review the privacy statements of Web sites you choose to link to from The Buttery so that you can understand how those Web sites collect, use and share your information. The Buttery is not responsible for the privacy statements or other content on Web sites outside of the The Buttery Web site.
Use of your Personal Information
The Buttery collects and uses your personal information to operate The Buttery Web site and deliver the services you have requested. The Buttery also uses your personally identifiable information to inform you of other products or services available from The Buttery and its affiliates. The Buttery may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.
The Buttery does not sell, rent or lease its customer lists to third parties. The Buttery does not use or disclose sensitive personal information, such as race, religion, or political affiliations, under any circumstances.
The Buttery keeps track of the Web sites and pages our customers visit within The Buttery, in order to determine what The Buttery services are the most popular. This data is used to deliver customized content and advertising within The Buttery to customers whose behaviour indicates that they are interested in a particular subject area.
The Buttery Web sites will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on The Buttery or the site; (b) protect and defend the rights or property of The Buttery; and, (c) act under exigent circumstances to protect the personal safety of users of The Buttery, or the public.
The Buttery Web site uses “cookies” to help you personalise your online experience. A cookie is a text file that is placed on your hard disk by a Web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize The Buttery pages, or register with The Buttery site or services, a cookie helps The Buttery to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same The Buttery Web site, the information you previously provided can be retrieved, so you can easily use the The Buttery features that you customized.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the The Buttery services or Web sites you visit.
Security of your Personal Information
The Buttery secures your personal information from unauthorized access, use or disclosure. The Buttery secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When personal information (such as a credit card number) is transmitted to other Web sites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
Changes to this Statement
The Buttery will occasionally update this Statement of Privacy to reflect company and customer feedback. The Buttery encourages you to periodically review this Statement to be informed of how The Buttery is protecting your information.
The Buttery welcomes your comments regarding this Statement of Privacy. If you believe that The Buttery has not adhered to this Statement, please contact The Buttery We will use all reasonable efforts to promptly determine and remedy the problem.