Commitment to Privacy
Group Homes Australia Pty Ltd (GHA/we or us) is strongly committed to protecting the right to privacy of every individual including its clients, team members and providers. GHA abides by the requirements of the Privacy Act 1988 (as amended in 2014) in relation to the collection and use of your personal information.
When you provide your personal information to us, we know that you expect us to protect it and keep it safe. This policy sets out how we collect, use, hold, disclose and safeguard your personal information. We are committed to ensuring that at all times your personal information remains private and protected.
This Privacy and Electronic Consent and Data Retention Policy sets out how we collect, hold, use and disclose your personal information.
The co-CEOs are designated privacy officers and are responsible for ensuring GHA complies with the requirements of the Privacy Principles as outlined in the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act), and, where applicable, the Privacy Act 1988 (Cth) (Privacy Act). GHA is also a provider under the National Disability Insurance Scheme (NDIS).
GHA is committed to developing, reviewing and implementing processes and practices that identify:
- how people can consent to their information being collected;
- what information GHA collects about individuals, and the source of the information;
- why and how GHA collects, uses and discloses the information;
- who will have access to the information; and
- risks in relation to the collection, storage, use, disclosure or disposal of and access to personal and health information collected by GHA.
The co-CEOs will, where required by the applicable legislation, notify the NDIS Commission, NSW Information and Privacy Commissioner and any relevant state government agency if they become aware of a breach or possible breach of privacy legislation.
Collection of Information
When collecting personal information, GHA is bound by the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles and any other laws that govern the handling of personal information.
GHA collects personal information about clients, team members and providers but this is limited to that which is necessary for us to undertake our services and activities. In general, this will be collected directly from the individual or their representative, but we also may obtain information from other sources.
GHA only collects personal information with informed consent and for purposes which are directly related to our functions or activities and only when it is necessary for or directly related to such purposes.
GHA uses the information we have collected from you within our company only. We do not sell it to third-party companies.
The Privacy Act describes how “personal information” and “sensitive information” is to be treated. The Aged Care Act 1997, the Australian Aged Care Quality Act 2013 and associated Principles set out rules for the treatment of “protected information”.
GHA reserves the right to make changes to this policy. You will need to ensure that the version you refer to on our website has been updated so that you are aware of the most recent version of this policy.
Please note that during the course of our relationship with you, we may tell you more about how we handle your personal information. When you receive this further information, please consider it carefully.
What types of your personal information do we collect and hold?
GHA collects and holds:
- Identification Information. This includes your name, email, address, contact details and date of birth and is needed to identify individuals.
- Financial information. Information required for making payment related decisions. For example, bank account information.
- Sensitive Personal Information. We collect sensitive personal information, which includes health information about the physical or mental health or disability of an individual.
How does GHA collect your personal information?
We collect your personal information:
- Directly from you. This occurs when you complete our application and when you talk to us in person or on the phone. We may record your interactions with us, including your telephone conversations with us and your use of our emails, wi-fi services and website.
- Electronically. This occurs through electronic records created when you use our website, tablet or mobile applications.
- Public information. We may also collect information about you that is publicly available, for example from public registers, social media or from third parties for example disability support services.
How does GHA hold personal information?
Much of the information we hold about you will be stored electronically in cloud or other types of networked or electronic storage centres. We use Salesforce, a cloud-based server with servers overseas, and we disclose to people that information does go offshore. Some information we hold about you will be stored in paper files.
Where required by applicable law, we will notify you, and the Office of the Australian Information Commissioner and/or other relevant regulatory authorities, of data breaches affecting your personal information.
If you are considering sending us any personal information through the Website or other electronic means, please be aware that the information may be insecure in transit, particularly where no encryption is used (e.g. email, standard HTTP).
Why does GHA collect personal information?
We collect, use and exchange your information so that we can:
- assess your eligibility for a service;
- provide a safe and responsive service;
- monitor the services provided; and
- fulfill contractual requirements to provide non- identifying data and statistical information to a funding body.
- administer our services;
- manage our relationship with you;
- comply with our legal obligations and assist government agencies.
We may also collect, use and exchange your information in other ways where permitted by law.
Who do we exchange your information with?
We may disclose personal information to:
- prevent or lessen a serious and imminent threat to the life or health of you or another person;
- to outside agencies with your or your representative’s permission;
- with written consent from a person with lawful authority; or
- when required by law, or to fulfill legislative obligations such as mandatory reporting.
We may also disclose such information as required by the Privacy Act or any other law.
Can you get access to and correct your information?
You can request access to the personal information we hold about you, and ask for corrections to be made, by contacting us using the contact details set out in this Privacy and Electronic Consent and Data Retention Policy. Please provide as much detail as you can about the particular information you seek, in order to help us locate it. If you find that the information we have is not up to date or is inaccurate, please advise us as soon as practicable so we can update our records and ensure we can continue to provide quality services to you.
Can we deny or limit your request for access?
We are not required to provide you access if we are unable to identify you and in certain circumstances we’re allowed to deny your request, or limit the access we provide. For example we might not provide you access to commercially sensitive information. Whatever the outcome, we will communicate our decision to you.
Group Homes Australia’s Privacy and Confidentiality and Records and Information Management Policies and Procedures will be formally reviewed at least annually. Formal reviews will be conducted by the Quality Committee.
Do we transfer your information overseas?
We may disclose your personal information to overseas recipients in order to provide our services and for administrative, data storage or other business management purposes.
Security and Destruction of Personal Information
Your Personal and Health Information is stored for a period of at least 7 years in a manner that reasonably protects it from misuse and loss and from unauthorized access, modification or disclosure.
When your Personal and Health Information is no longer needed for the purpose for which it was obtained, we will take reasonable steps to destroy or permanently de-identify it.
We will retain and dispose of your Personal and Health Information in accordance with the State Records Authority of New South Wales’ Functional Retention and Disposal Authority: FA306
- We receive and send documents electronically and sign documents electronically.
- We will send you notices and other documents by email and
- We may but are not obliged to send paper copies of notices and other documents;
- you should regularly check your nominated email address for notices.
Contact us about our privacy and information handling practices
If you are concerned about how your personal information is being handled or if you have a complaint about a breach by us of the Privacy Act, please contact our privacy officer at:
- directly with a team member, verbally;
- by email to: firstname.lastname@example.org;
- by phone on: 1300 015 406;
- in writing to: 201/308 Pacific Hwy, Crows Nest, NSW 2065.
Where you express any concerns that we have interfered with your privacy, we will respond to let you know when you can expect a further response. We aim to resolve your concerns in a fair and efficient manner. We refer you to our feedback policy for further information. Feedback is taken on board and followed up on, then it is discussed by the appropriate team (whether it be the team in the community/home, clinical team, home support team) to achieve the best outcome and document. This is then reviewed at the quality committee meeting to ensure the best learning and outcome for everyone involved. Complaints may also be referred by an applicant to the NDIS for resolution if dissatisfied with the internal review process.
If you still are dissatisfied about how Group Homes has dealt with personal information you may apply for an internal review. Requests for an internal review may concern conduct a person believes resulted in:
- Breaches in information protection procedure
- Breaches in the code
- Inappropriate disclosure by GHA of personal information.
Application for the internal review should be made in writing to the GHA privacy officer (GHA’s Co-CEO is the nominated Privacy officer). This application should be made within 6 months from the time the applicant became aware of the alleged infringing of conduct. Once an application for an internal review is received the review should be completed as soon as reasonably practicable.
In receiving an application and conducting an internal review under the Privacy Act, GHA shall:
- Nominate an investigation team within 2 weeks of receiving the compliant by the privacy officer.
The internal review team shall take the following steps in conducting the review:
- Assist the applicant as much as possible
- Interview relevant staff examine records and obtain any other pertinent information on the circumstances of the alleged breach.
- Seek advice from court and legal service or from Privacy Council as required.
- Determine whether a breach of the HRIP Act has occurred and, if so, what harm or damage it has caused to the applicant.
- Prepare a report and submit the finalised investigation report to the privacy officer setting out the relevant facts, the conclusions reached and recommendations for action to be taken to resolve the complaint.
If the review is not conducted with 60 days the applicant can seek a review of the conduct.
Once the review is completed the Privacy officer may decide to:
- Take no further action on the matter
- Recommend a formal apology to the applicant
- Take appropriate remedial action
- Provide an understanding that the conduct will not occur again
- Implement measures to prevent recurrence of the conduct.
The privacy officer will indicate outcomes to the applicants and ensure that they are aware of the right of appeal to the Administrative Decisions Tribunal.
If the outcome indicates a breach of the Privacy Act 1988 or HRIP Act has been committed the Group Homes Privacy Officer will refer the matter to the NSW Information and Privacy Commissioner.