Privacy policy

Policy Statement

The Privacy Policy applies to an agency’s activities in collecting, referring and receiving client information.  The policy functions in the Human Services Network (HSNet) and documents and supports their business processes.  The principles support good practice in client service and casework.

Introduction

Caseworkers and other professionals working with clients will use the HSNet Service Directory to perform rapid effective searches and locate appropriate social and community services.

The Service Directory enables workers to identify which agencies can make, send and receive eReferrals.  The eReferral component provides a standard for collecting initial client information and making an electronic referral between service providers.

Effective service delivery is driven by the needs of clients and the community, rather than those of the system or those who practice in it.

Respecting a client’s right to privacy is fundamental to a system that seeks to be transparent and effective.

HSNet operates on trust between service providers, as well as service providers and service users. The protection of privacy at all levels builds and develops trust.

Workers in systems that value trust operate more effectively, generally with improved outcomes for clients.

Scope of the HSNet Privacy Policy

The HSNet Privacy Policy applies to an agency’s activities in collecting, referring and receiving client information using HSNet and its tools.

The policy applies from the moment an agency identifies a request to refer the client on to another human service agency or non government organisation and continues until the receiving agency accepts the client’s information.

It does not cover any other information that an agency collects or holds on its clients, or what may happen to the information once it is received by the agency.

Any other use of the client’s information must be covered by an agency’s own privacy policies.

The Policy includes a ‘Statement of Privacy Principles’ detailing how personal information is to be collected and handled when making, sending and receiving eReferrals.

Overview of the HSNet Privacy Policy

The HSNet Privacy Policy operates within current privacy legislation at the State and Australian Government Level.  Agencies using HSNet are obliged to comply with requirements set out in this policy when they use the system.

To assist agencies to work within this policy, Principles have been developed to guide day-to-day management of information in the HSNet system, as follows:

  1. The agency will only collect personal information that is relevant to the function of the agency and the provision of the agency’s services (a,b,c).
  2. Clients of the agency are informed about why personal information is collected and to whom or what agency it is to be disclosed (a,b,c).
  3. The agency takes all steps to ensure that client information is accurate, current and complete (a,b,c).
  4. The agency has security safeguards that protect client records from loss, unauthorised access, misuse, modification, disclosure and procedures that ensure appropriate disposal of client information (a,b,c).
  5. Clients of the agency are told how they can get access to their records containing personal information (a,b,c).
  6. The agency has a policy covering:
    • the nature and purpose of client record keeping.
    • how long client records are kept.
    • who has access to client records.
    • how clients can get access to their own records (a).
  7. Clients of the agency are entitled to have access to their records (a,b,c).
  8. Clients of the agency are able to correct any information held by the agency that is incorrect, incomplete or misleading (a,b,c).
  9. Client information is not used by the agency for any other purpose except with client consent unless necessary to prevent harm to life or health (a,b,c).
  10. Client information is not disclosed by the agency to another person or agency without consent unless necessary to prevent harm to life or health (a,b,c).
  11. The agency does not use the same client identifying numbers or codes that are used by other agencies (a).
  12. The agency only uses client identifying numbers or codes if necessary for the efficient functioning of the agency (c).
  13. Clients of the agency have the option of not identifying themselves, or of denying consent for exchange of information (a,c).
  14. Sensitive information, such as health records, is collected by the agency with client consent unless necessary to prevent harm to life or health (a).
  15. The agency takes reasonable steps to de–identify health information before it is disclosed for data collection or research purposes (a).
  16. Information is collected directly from the client by the agency unless the client is a minor, under guardianship or has given consent for someone else to provide the information such as the parent (a,b,c).
  17. Health information collected by the agency can only be included in a system to link health records with consent (c).

Legislative sources

The privacy principles have been designed to meet the requirements of three major pieces of legislation as they apply to a range of government and non–government human services agencies.  These laws are the:

  1. Privacy Act 1988 (Commonwealth)
    Privacy Amendment (Private Sector) Act 2000 (Commonwealth) - Technically this is considered to be the same piece of legislation as the Privacy Act 1988 (Commonwealth).
  2. Privacy and Personal Information Protection Act 1998 (NSW).
  3. Health Records and Information Privacy Act 2002 (NSW).

Privacy legislation and principles apply to all agencies

The Policy does not introduce any new principles. It is consistent with the principles of Federal and State privacy legislation already applying to agencies.

Privacy and Personal Information Protection Act 1998 (PPIPA) governs personal information held by public sector agencies in NSW.

Health Records and Information Privacy Act 2002 (HRIPA) governs personal health information held by public sector agencies, private sector organisations and non-government organisations in NSW.

Privacy Act 1988 (Commonwealth) governs personal information held by private sector organisations and non-government organisations throughout Australia.

Requirements for government agencies

NSW government agencies are bound by the Privacy and Personal Information Protection Act 1998.  All organisations in NSW (including public sector agencies, private sector organisations, and non government organisations (NGOs)) are also bound by the Health Records and Information Privacy Act 2002 in relation to personal health information, and are required to have adequate policy procedures in place to comply with the Act.

NSW government human service agencies will use their Privacy Management Plans and privacy policies for the management of all personal health and information collected under HSNet.

Commonwealth Government agencies are bound by the Information Protection Principles in the Privacy Act 1988 (Commonwealth).

All Agencies taking part in HSNet will be bound by this Privacy Policy.

Other legislation

Agencies using HSNet and its tools will also continue to comply with other relevant legislation and codes of practice including, but not limited to:

  • State Records Act (NSW) 1998.
  • Guardianship Act (NSW) 1987.
  • Government Information (Public Access) Act 2009.
  • Children and Young People (Care and Protection) Act (NSW) 1998.
  • Part 13A of the Crimes (Domestic and Personal Violence) Act 2007.

Obtaining the client’s consent

Clients, or their legally recognised representative, must provide informed consent to their personal information being collected, disclosed or exchanged between agencies for the purpose of activating a referral and providing multi-agency support to the client.

The process of obtaining informed consent for sharing of information about a client will be consistent with agencies’ existing policies and business processes.

What is informed consent?

Consent can be gained either in writing or verbally, but there should always be a record of the consent.

Where the client is unable or unwilling to provide written consent, their verbal consent is valid as long as it is recorded.

For consent to be valid:

  • the client must be legally competent, that is, able to understand the nature and consequences of the proposed use/disclosure of the information.
  • it must be freely given.
  • it must be informed – the client must be told:
    • why their consent is requested;
    • the agency(s) to which the information will be provided;
    • how the information will be used;
    • any consequences for the client if the information is not provided (referral may not be possible);
    • that they have the ability to access the information or to correct it at any time;
    • contact details of the referring and receiving agencies.

Substitute consent

If a worker reasonably believes a client is not capable of giving valid consent, they have a legal responsibility to seek and obtain consent from a substitute decision maker. This could be either the public guardian or a ‘person responsible’.

If a guardian with the function of consenting has not yet been appointed, the ‘person responsible’ will be:

  • a spouse (or de facto) who has a close and continuing relationship with the person.

or

  • the primary carer or person who arranges care on a regular basis and is unpaid.

or

  • a parent, sibling or other relative or close friend.

If in doubt, seek advice from the Office of the Public Guardian.

Exceptions to the rule

Informed consent is not required in limited circumstances where the disclosure is:

  • reasonably necessary to prevent a serious or imminent threat to life or health, or
  • required by law (for example, where child protection is involved).

In these cases the exchange of information will be governed by the Code of Practice setting the parameters for the exemption, or other legislative provisions.

How to deal with complaints about privacy breaches

Complaints in relation to a privacy breach can be made via the HSNet Consumer Relations Policy, or to the agency making the referral for management through their local complaints handling processes.

Associated enabling principles and procedures

Client service and casework practice

Client service and casework practice is complemented by HSNet, which provides tools (ServiceLink and the eReferral component) to enhance such practice.

Standards of client service and casework practice are defined by individual agencies participating in HSNet and set out in Codes of Practice for their employees, where appropriate.

Timeliness

Participating agencies will ensure that client referrals to appropriate services occur in a timely and consistent manner.  Response to the referral may differ from agency to agency and will be determined by business rules in each participating agency.

At the least, agencies will respond to a referral within 14 days of receipt of referral.

The making and receipt of a referral does not commit the referral agency to the provision of services to the client.

Response and feedback

Each participating receiving agency will provide advice on the outcome of client referrals to the referring agency.

Information management

Each participating agency will be responsible for the protection, storage, analysis and dissemination of the client data in accordance with the HSNet Information Management policy.

Security

Participating agencies are to ensure that all client referrals using the electronic client referral tool are secure and operate according to the HSNet Information Management Policy.

Business Processes

The HSNet eReferral Procedures have been developed to guide staff in the application of this policy. 

Definitions

Agency - a general description of departments, organisations and other service providers, which may be government or non-government.

Appeal - part of a complaints procedure that gives a consumer the right to ask for a decision made by an agency to be reviewed, when the consumer feels the decision is unfair.

Assessment - involves a more detailed inquiry into the client’s needs, following the intake process.  The assessor will analyse and interpret information obtained at the point of referral.

Authorised eReferral Agency - an agency outlet that is authorised to make, send or receive eReferrals.

Authorised eReferral User - a person nominated by the eReferral agency to make, send or receive referrals electronically. An agency may have one or many authorised users. To be an authorised user the person must also be a member of HSNet.

Client - a person, including a carer, who receives or seeks a service from an agency. Clients may also be referred to as customers.

Complaint - may be made by a client, staff employed by an agency or an agency who is dissatisfied about an agency’s service connected with HSNet. It relates to any part of the program with which they have dealt.

Intake or Screening - the process by which an agency obtains information from a person to help determine whether they are eligible to receive services, and what support or assistance they may need.

Personal information - information held by an agency about a client that could identify that person.

Referral - a request, to which the client consents, from one agency to another for that client to be assessed for a service.

Receiving Agency - an agency service outlet which receives a referral from a referring agency service outlet.

Referring Agency - an agency which initiates a referral to a receiving agency.

eReferral Consent - permission given by a client or their representative to collect and disclose personal information for the purpose of an electronic referral to another agency.  Permission does not include subsequent referrals by other agencies without client consent.