Privacy and Consent Policy

HUON REGIONAL CARE – PRIVACY AND CONSENT POLICY

Quality of care and life is a feeling of safety, well-being, independence and maintaining connection with community. Trained and skilled staff understand, listen, notice changes, and ensure dignity through choice and respect.

Purpose

Huon Regional Care is committed to protecting the privacy of personal information which the organisation collects, holds and administers, including that of employees and consumers. Personal information is information which directly or indirectly identifies a person.

We operate under a philosophy that respects the individual worth and dignity of all people. As such, personal privacy is regarded as a fundamental right and we are committed to protecting the privacy of personal information. We acknowledge our special position of trust in providing personal, intimate, social and medical care to its residents in residential care and clients in their own homes. All people working with and for us are required to be familiar with and are required to comply with the obligations of this policy.

The aim of this policy is to protect the rights consumers and employees in respect to privacy, confidentiality, consent and release of information.

Authorisation

This policy is approved by the Board and issued under the authority of the Chief Executive Officer (CEO). The Board may authorise amendments to this policy at any time.

Scope

This policy applies to the Board, all employees (including part-time, full-time and casual), contractors, volunteers and agency staff. This policy includes any consumer or family member who may be privy to information related to the delivery of services.

Definitions

Policy statement

Huon Regional Care (HRC) collects and manages personal information for the purposes of providing services to and on behalf of consumers. The organisation is committed to protecting the privacy of personal information it collects, holds and manages.

We collect personal information for the following purposes:

• residents and clients: to be able to identify the individual, their health information and medical requirements in order to meet their individual needs and in order to apply for government funding
• family members: to be able to identify any attorneys under powers of attorney or guardians under guardianship appointments and as a point of contact;
• staff and potential employees: for the purposes of their employment or potential employment; and

We generally collect the following kinds of information:

• personal identification and contact information provided by individuals, including name, date of birth, gender, address, telephone number(s), email address, next of kin details, government related identifiers (eg. Medicare or Department of Veteran’s Affairs number, Tax File Number)
• health and sensitive information in the event that an individual enters our care or accesses our services;
• information for human resources, finance and general entity administration purposes; and
• information that is obtained in the course of an individual’s interaction with our website.

HRC recognises the essential right of individuals to have their information managed as they would reasonably expect – protected on one-hand and accessible to them on the other. These privacy values are reflected in, and supported by, our core values and organisational ethos.

The Board, employees and service contractors are bound by the Privacy Act 1988 including the Privacy Legislation Amendment Act, and by relevant state legislation. These impose specific obligations when it comes to handling information. The Privacy Act 1988 has no set time-limit and therefore obligations under this policy and the legislation endure after the Directorship or employee relationship ceases.

Board members, employees and service contractors must sign an acknowledgement of these confidentiality and privacy provisions upon entry to the organisation or when first assuming the position of Director. Signed confirmation of acceptance will be retained by the organisation.

The policy is structured on the National Privacy Principles of the Privacy Act 1988 (Cth) and the Personal Information Protection Principles in Schedule 1 of the Personal Information Protection Act 2004 (Tas).

Any person for whom we hold information has a right to have access to that information at any reasonable time.

Huon Regional Care recognises the growing use of artificial intelligence in organisations and determines its position on the use of this technology and its application to the organisation through a separate and distinct policy.

Privacy Principles

Collection and consent

HRC may request and store sensitive information for personnel records but will ensure they are meet legislative requirements for collecting, storing and usage. Information will not be disclosed to a third party without consent and unless it is necessary for the carrying out of duties.

We generally collect personal information directly from you in writing, by telephone, face to face communications, email or via our website, if you:

• enter our care as a resident
• acquire any other services from us
• provide details through our website
• seek employment

Consumer records must be maintained in accordance with professional standards and legal requirements. Client records are kept, providing a history of contact with a consumer and to assist with the employee to:

• Track a consumer’s clinical care, progress and health outcomes over time
• Fulfill requirements for professional accountability in care planning and management
• Enable continuity of care of the consumer
• Recall consumer information over time
• Prepare reports, if required

Therefore, we will:

• Only collect information that is necessary for the performance and primary functions of the organisation
• Take all reasonable steps to ensure that information is collected by lawful and for means and not in an intrusive manner
• Inform consumers of their rights under this policy with respect to accessing information, why it is collected, to which persons or organisations their information may be disclosed to, and any law or consequences relating to the collection of that information
• Inform consumers that their client records may be reviewed by relevant regulatory bodies as part of their monitoring activities if they have provided their consent, excluding sensitive information, such as counselling notes. Information will be viewed only to check that our organisation has followed policy and procedures and that systems are in place
• Advise the information provider how their data is accessible to them and in what formats at the time it is collected
• Obtain informed consent from those from who information is collected, being sure to clearly explain the purpose for and management of the information
• Take all reasonable steps to ensure that consumers are informed verbally and/or in writing of their right to confidentiality and the limitations of this right before receiving a service

Use and disclosure

We use the information to:

• provide an aged care service to you
• enable allied health care providers, medical practitioners and external health agencies (such as the ambulance service, hospitals, government and regulatory bodies) to carry out the purposes for which the information was collected to provide care and services to you
• enable us to obtain the correct level of government funding in relation to your care
• identify and inform you of any other services that may be of interest to you
• inform family members and representatives of any changes in your condition
• fulfil any legal requirements
• achieve other purposes permitted or referred to under any terms and conditions you enter into or otherwise agree to with respect to our services

We will:

• Not use or disclose personal information for any secondary purpose unless that purpose relates to providing services within the functions of the organisation and the individual would reasonably expect HRC to provide the information. When information is used for a secondary purpose, such as a referral for the purposes of providing care, such as to a Geriatrician, then a written note of the use or disclosure will be recorded
• Never release identifiable personal information without informed and expressed consent, with the exception of obligations under the Privacy Act 1988 to protect the safety of the information provider or another related to them
• Ensure that any statistical information about consumers which is made public will not identify individuals unless written consent has first been obtained from the client
• Enable anyone to unsubscribe from communications upon request

HRC recognises that there are legal limits to confidentiality vis-à-vis disclosure and under certain circumstances, client files and workers may be subpoenaed by a Court of Law, search warrant or summons, or written requests from a body with regulatory authority to make the request.

In cases where an employee believes a consumer have been abused or are at risk of injury or harm an exception to client confidentiality will arise. Employees in consultation with the Chief Executive Officer, will provide relevant information to the authorised government agency or representative in-line with appropriate legislation.

Data quality

We will:

• Take all reasonable steps to ensure information is accurate, complete and up-to-date
• Only record data that demonstrably relates to the provision of care or reporting requirements
• Retain data in compliance with legislation

Data security

We will:

• Securely safeguard data and store against misuse, loss, unauthorised access and modification and only on databases or data warehouses in Australia
• Take all reasonable steps to ensure that the personal information we hold is protected against misuse, loss, unauthorised access, modification or disclosure. We have confidentiality rules for our staff, contractors and third party organisations.
• Immediately advise the Office of the Australian Information Commissioner and consumers of any data breaches in accordance with the organisation’s legal obligations
• De-identify personal information that is not needed for the purpose that it was originally collected
• Records will remain for a period of seven years to align with the Archive Act 1983 or other period as stipulated by Government Regulations. After seven years the file will be deidentified and archived.

Openness

We will:

• Provide a copy of this policy to whomever requests it
• Make this information freely available in relevant publications and on the organisation’s website
• Give stakeholders the option of remaining anonymous when completing evaluation forms or opinion surveys

Access and correction

We will:

• Take all reasonable steps to ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, misleading or out-of-date, only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose of providing care and support
• Provide access in accordance with the relevant legislation under which access is sought as this varies between Commonwealth and Tasmanian Acts (as a Personal Information Custodian)
• Assist consumers to understand and interpret information from their files where it may be of a sensitive or distressing nature, or where the consumer may experience difficulty understanding the information due to issues such as language, education or intellectual impairment
• Deny access to information if the request is reasonably considered to fall within Clause 6.1 of the Australian National Privacy Principles, but will consider the utilisation of an intermediary if warranted
• Delete all identifying information upon a proper request by anyone about whom data is held

Identifiers

HRC will not adopt an identifier from another organisation or the Australian, Tasmanian or local government and use it as its own, nor will it disclose identifiers used to provide services to consumers, unless this is required for the provision of care, such as a Medicare number.

Transborder data flows

HRC will take all reasonable steps to ensure the transfer of data outside Australia does not occur.

Sensitive information

HRC will only collect or share sensitive information if it is:

• Required or permitted by law
• Reasonably required for the provision of services within the functions of the organisation
• Necessary to prevent or lessen a serious or imminent threat to the life or health of an individual
• Directly related to members of the organisation

Consent shall be obtained from any individual that provides the information, except those where the law provides for collection.

Roles and responsibilities

Breach of policy

Conformance with this policy is mandatory and a breach is considered a serious offence.

A proven breach shall result in disciplinary action that may range from a written warning to summary dismissal.

An employee or Director with knowledge of a breach has a duty of care to immediately report it to the Chief Executive Officer.

Failure to take reasonable steps to report it will result in disciplinary action for that employee.

Make a Complaint

If you believe a breach of this policy has occurred, it will be taken seriously. Please direct your complaint to the Privacy Officer, who is our Chief Executive Officer.

The Privacy Officer will investigate your complaint. You will have your complaint acknowledged, be included in the investigation and be informed of the outcome.

If you are unhappy with the outcome of your complaint to us or the way your complaint was considered, you may raise your concern with the Office of the Australian Information Commissioner (OAIC):

Further information about the OAIC can be found here.

Last updated July 2025