Privacy Policy - Caring Bridges
Data management steps

At Caring Bridges, we are dedicated to upholding the privacy and confidentiality of our participants, staff, and all sensitive information. This policy outlines our responsibilities and procedures concerning the collection, use, and disclosure of personal information while ensuring compliance with relevant privacy laws, including the Privacy Act 1988, and state-specific regulations in New South Wales, such as the Health Records and Information Privacy Act 2002 (NSW).

Responsibilities and Compliance

Our Directors are entrusted with the responsibility of ensuring Caring Bridges’ adherence to privacy laws. This entails the development, implementation, and regular review of processes that encompass:

The purpose and methods behind the collection, use, and disclosure of personal information.
The types of personal information collected, their sources, and who has access to them.
Risk management regarding information collection, storage, access, use, disclosure, and disposal.
Procedures for obtaining consent, withdrawing consent, and updating personal information.
Measures for safeguarding and managing personal information, including addressing privacy queries and complaints.
Protocols for updates, destruction, or erasure of information.

Staff Responsibilities

Our staff members bear the responsibility of complying with this policy, including safeguarding the confidentiality of personal information. Staff must handle personal information related to participants, fellow staff, and stakeholders in alignment with confidentiality provisions specified in their employment or engagement contracts.

Staff are required to complete an induction that incorporates training on privacy, confidentiality, and information management. Staff knowledge and application of these processes are monitored continuously, with formal assessments occurring during annual Performance Reviews and regular supervision/mentoring meetings. Additional training is provided as deemed necessary.

The Caring Bridges’ Privacy Statement must be prominently displayed at our premises, with access information featured in the Participant Handbook and on our website. A complete copy of this policy and procedure will be provided upon request.

Photos and Videos

Staff must respect the preferences of individuals concerning photography or video recording and ensure appropriate use of these images, taking into consideration cultural sensitivities and specific care requirements.

Information Collection and Consent

Personal information is only requested from participants when necessary for the following purposes:

Assessing potential participants’ eligibility for services.
Providing safe and responsive services.
Monitoring service provisions.
Fulfilling government requirements for non-identifying and statistical information.

Personal participant information collected may encompass, but is not confined to:

Contact details for participants, representatives, or family members.
Details for emergency contacts and authorized individuals.
Health status and medical records.
Medication records.
Service delivery information.
Assessments, reviews, and service delivery records.
External agency information.
Feedback, complaints, and incident reports.
Consent forms.

Prior to collecting personal information, staff must explain:

The necessity of gathering only essential personal information.
How the information will be employed, stored, and secured.
Circumstances under which information may be shared and with whom.
Participants’ right to decline providing information.
Participants’ entitlements concerning their personal information.
Ramifications of not providing requested information.

Participants and their families must be furnished with Caring Bridges’ Privacy Statement and informed about the availability of a full copy of this policy and procedure upon request. Staff must deliver privacy information in a format suitable for individual communication needs, including different languages, Easy English, or verbal explanations. Assistance in accessing interpreters or advocates should be provided as required.

After conveying the information, staff must:

Confirm that the information has been provided and explained.
Obtain consent from participants or their legal representatives for the collection, storage, access, use, disclosure, and disposal of their personal information.

Participants and their representatives or families are responsible for:

Providing accurate information when requested.
Timely completion and submission of Consent Forms.
Respecting the choices of individuals who opt not to be photographed or videoed.
Showing sensitivity and respect for the privacy of other individuals in photographs and videos, both when using and disposing of them.

NDIS Audits

Caring Bridges complies with the National Disability Insurance Scheme (NDIS) guidelines, and participants are automatically included in audits against NDIS Practice Standards. Participants may be contacted by an NDIS Approved Quality Auditor for interviews or file reviews. Participants can opt out of the audit process by informing any staff member, and this decision is documented in their participant file.

Staff Information Collection and Consent

Personal staff information collected may include, but is not restricted to:

Tax declaration forms.
Superannuation details.
Payroll details.
Employment/engagement contracts.
Personal details.
Emergency contact details.
Medical details.
NDIS Worker Screening Checks, Police Checks, and Working with Children Checks.
Qualifications and certifications.

The forms used to collect this information also record staff members’ consent for the collection, storage, access, use, disclosure, and disposal of their personal information.

Storage and Access

Caring Bridges adheres to the Records and Information Management Policy and Procedure for the secure storage and protection of personal information.

Access to staff personal information is confined to Leadership and Management Team members, exclusively when essential for their duties. Staff may access participants’ personal information solely when required for their responsibilities.

Both staff and participants retain the right to:

Request access to personal information held by Caring Bridges.
Access this information.
Make corrections to information deemed inaccurate, incomplete, or outdated.

All requests for access or correction should be directed to the relevant staff member responsible for the information. Caring Bridges aims to respond to such requests within two working days, either by granting access, correcting information, or providing explanations for any delays.

Access or correction requests may be partially or wholly denied under specific conditions, including:

If the request is frivolous or vexatious.
If it unreasonably affects the privacy of others.
If it poses a serious threat to life or health.
If it could jeopardize ongoing investigations.

Denied requests require approval from senior management and must be documented accordingly.


Personal information may be disclosed solely:

For emergency medical treatment.
To external agencies, with the permission of the individual or, for child participants, of a parent or guardian.
With written consent from an authorized individual.
When mandated by law or legislative obligations, such as mandatory reporting.

Staff members must consult a senior management team member before disclosing information that would not typically be disclosed.

International Disclosure

Before disclosing personal information internationally, Caring Bridges must take reasonable steps to ensure that overseas recipients adhere to the Australian Privacy Principles (APPs) under the Privacy Act 1988. The responsibility for conducting these investigations lies with the Quality Safeguards and Compliance Manager. This requirement may not apply if the overseas recipient is governed by laws or schemes that provide protection substantially similar to the APPs.


Notifiable Data Breaches Scheme

Caring Bridges adheres to the Notifiable Data Breaches (NDB) Scheme established under the Privacy Act 1988. This scheme requires organizations to report specific data breaches to affected individuals and the Australian Information Commissioner.

Data breaches can occur due to malicious actions, human errors, or failures in information management or security systems. Examples include:

Loss or theft of devices or paper records containing personal information.
Unauthorized access to personal information.
Inadvertent disclosure due to human error.
Disclosure to scammers due to inadequate identity verification.

The response to data breaches, whether notifiable or not, follows Caring Bridges’ Data Breach Response Plan and is recorded in the Incident Register. The Director assesses potential notifiable breaches and promptly informs affected individuals.

In a notifiable breach:

Affected individuals are promptly notified.
Data breach incidents are contained.
Risks are assessed.
The Australian Information Commissioner is informed.
Measures are implemented to prevent future breaches.

Please refer to Caring Bridges’ Data Breach Response Plan for further details.
