Privacy Management Plan Policy
Aftercare has created this Privacy Management Plan in accordance with the Privacy and Personal Information Protection Act 1998 (PPIP Act).
This Plan outlines:
- Aftercare’s policies and practices for complying with the PPIP Act and the Health Records and Information Privacy Act 2002 (HRIP Act)
- How Aftercare will make staff aware of these policies and practices
- Aftercare’s procedures for dealing with privacy internal reviews under Part 5 of the PPIP Act
- Other relevant matters relating to the protection of the personal and health information that the organisation holds (section 33 of the PPIP Act)
A copy of this Plan will be provided to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended. It is also available on the Aftercare website.
The Executive Director, People & Culture Manager will be responsible for the ongoing review of the Privacy Management Plan with support from Aftercare’s Continuous Quality Improvement committee.
3.1 How We Manage Personal and Health Information
The Privacy Act 1988 defines personal information as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
Aftercare will only solicit sensitive information where consent is given by the individual.
The types of personal information held by Aftercare could include, but are not limited to, name, age, sex, address, contact details, background information, health information, support systems and details of family and friends. Aftercare will only use this information as part of its primary function, such as providing a service, complaints handling or recruitment.
Information can be given to Aftercare by third parties or directly by the individual. Any personal or health information which is received and is not necessary for Aftercare’s primary functions will be de-identified, discarded or kept in accordance with Australian Privacy Principles (APPs) 5-13 and the Health Privacy Principles (HPPs) under the HRIP Act.
Aftercare will take reasonable steps either to notify the individual or to make the individual aware that personal information has been received.
Aftercare takes reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, including locked filing cabinets and password-protected systems. Some of these reasonable steps include workplace policies, ICT security and governance.
Aftercare is obligated to destroy or de-identify personal information in certain circumstances. Personal information obtained by Aftercare is not sent overseas.
Where a correction needs to be made to an individual’s personal identity, Aftercare will take reasonable steps to correct the personal information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
1.2 How to Access and Amend Personal and Health Information
When personal and/or health information is given to Aftercare by an individual, Aftercare relies on individuals to give accurate information and to advise of any changes to their personal information. Clients and stakeholders of Aftercare may access their personal information by written request.
Aftercare will provide this information within 30 days of receiving such notice unless:
- the request is made vexatiously
- Aftercare feels that the release of the information would be harmful to the individual or to the public
- releasing the information would impact on the privacy of others
- it would be unlawful
- the information relates to existing or anticipated legal proceedings between Aftercare and the individual, and would not be accessible by the process of discovery in those proceedings
Aftercare will also refuse the release of personal and/or health information if:
- the request would reveal the intentions of Aftercare in relation to negotiations with the individual in such a way as to prejudice those negotiations;
- denying access is required or authorised by or under an Australian law or a court/tribunal order;
- Aftercare has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Aftercare’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
- giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body or if giving access would reveal evaluative information generated within Aftercare in connection with a commercially sensitive decision-making process.
1.3 Review Rights and Complaints
A person who is aggrieved by the conduct of Aftercare is entitled to a review of that conduct by Aftercare. An application for review must be in writing, addressed to Aftercare, specify an address to which the notice may be sent and be lodged at an Aftercare office within 6 months of the time the applicant first became aware of the misconduct.
The application will be dealt with by an individual within Aftercare who is directed by Aftercare to deal with the situation. This person will not be involved in the matter, will be an employee of Aftercare and will be someone who is qualified to deal with such matters. The allocated staff member will consider all materials submitted by the applicant and the Privacy Commissioner, and the review will be completed as soon as practicable.
However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for an administrative review of the conduct concerned.
Following the completion of the review, Aftercare will:
- take no further action on the matter; or
- make a formal apology to the applicant; or
- take action that Aftercare sees as appropriate; or
- provide undertakings that the conduct will not occur again and implement administrative measures to ensure that the conduct will not occur again.
Aftercare will not pay monetary compensation under subsection (7) if the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, or if the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
As soon as practicable (or in any event within 14 days) after the completion of the review, Aftercare will notify the applicant in writing of:
- the findings of the review (and the reasons for those findings); and
- the action proposed to be taken by Aftercare (and the reasons for taking that action); and
- the right of the person to have those findings, and Aftercare’s proposed action, administratively reviewed by the Tribunal.