Prestige Inhome Care specialises in providing dedicated Registered Nurses and professional carers committed to helping people stay in their own home and live as happily and normally as they can. We strive to provide the highest possible standard of care: professional, reliable and all with a friendly smile.
Prestige Inhome Care is committed to protecting all personal information and ensuring that the handling of Personal Information provided by job seekers, staff, clients, volunteers and others with whom we deal complies with Australian Privacy laws.
This includes Australian Privacy Principles (APPs) outlined in the Privacy Act 1988 (Commonwealth) (Privacy Act) and any applicable state or territory legislation.
This policy outlines how we collect, use, disclose, store and manage personal information in accordance with these Australian Privacy Laws.
Prestige will manage all personal information in accordance with Australian Privacy laws including (but not limited to):
- Privacy Act 1988 (Cth), and APPs
- Privacy and Data Protection Act 2014 (Vic)
- Freedom of Information Act 1982
- Health Records Act 2001 (Vic), including the Health Privacy Principles
- Charter of Human Rights and Responsibilities Act 2006 (Vic)
- Information Privacy Act 2000 (Vic)
- SPAM Act 2003 (Cth)
- Surveillance Devices Act 1999 (Vic)
Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in material form or not.
- Information or an opinion about:
- The health or a disability at any time of an individual;
- An individual’s expressed wishes about the future provision of health services to him/her; or
- A health service provided or to be provided to an individual that is also Personal Information; OR
- Other Personal Information collected to provide, or in providing a health service;
- Other Personal Information about an individual collected in connection with the donation, or intended donation by the individual of his/her body parts, organs or body substances; or
- Genetic information about an individual in a form that is or could be predictive of the health of the individual or a genetic relative of the individual.
A subset of personal information and refers to information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions or membership of a political association;
- membership of a professional or trade association or a trade union;
- religious beliefs or affiliations;
- philosophical beliefs;
- sexual preferences or practices; or
- criminal record.
Unsolicited Information is all Personal Information received from an individual that Prestige does not actively seek to collect.
An Employee Record is a record of Personal Information relating to the employment of a member of staff. Examples of Personal Information relating to the employment of the staff member may include:
- The engagement, training, disciplining or resignation of the employee;
- The terms and conditions of employment of the staff member;
- The employee’s personal and emergency contact details;
- The employee’s performance or conduct;
- The employee’s criminal record status as obtained through a National police check or working with children check;
1. Collection of Information
Prestige will only collect personal information that is necessary to deliver our services and conduct the business activities that support this.
The type of information that we collect includes, but is not limited to:
- Your name, address and contact details (e.g. Phone and email);
- Job applications and subsequent employee information;
- Work performance information;
- Payment details (e.g. Credit Card or bank account details);
- Information obtained from reference and background checks;
- Criminal record checks sought in the recruitment process or on a regular basis in order to comply with legislation;
- Client’s current medical history, past history and relevant Health Information including Treating Practitioners’ name and contact details; and
- Advance Care Directive
Personal and financial information may be collected by an authorised Prestige employee. Personal health and medical information is collected to facilitate appropriate care of the client. Financial information is collected to enable fees and charges to be assessed in accordance with the Community Care Principles.
Personal Information and Health Information may be collected directly from the client, his or her relatives and other authorised personnel such as a Power of Attorney, General Practitioner, an Aged Care Assessment Service or hospital through observations and assessments undertaken as part of the care process, or through another third party referral service where you have consented to that service providing your information to us.
All employees have been screened and have signed a confidentiality agreement, which ensures that Personal Information to which they may become exposed through the course of their employment remains confidential.
Some individuals may not want to provide information to Prestige Inhome Care. The information Prestige requests is relevant to providing them with the care and services they need. If the individual chooses not to provide some or all of the information Prestige requests, Prestige may as a result be unable to provide them with the care and services they require. In the case of employees, certain information is required in order for them to be employed or continue to be employed at Prestige Inhome Care. One example of this is the Police Records Check which Prestige requires on employment and every three years thereafter. While an employee may choose not to provide this information, legislation states that Prestige cannot employ individuals without a valid police record check.
Prestige collects information through a variety of ways including:
- Electronic or face to face interactions;
- Through our website;
- Requests for information;
- From third party referral services; and
- Through provision of services.
2. Use & Disclosure of Information
Generally, we will only use and disclose Personal Information for purposes consistent with the reason this information was collected or for a directly related purpose, unless we have the individual’s express or implied consent to use or disclose it for a different purpose.
2.1 Communication and marketing
We may use personal information to communicate with individuals through emails, newsletters or direct marketing, in accordance with Privacy legislation and the Privacy Act, unless the individual has previously requested that we do not do so. All such communication will provide the option to opt out or unsubscribe. A request to opt out or unsubscribe can also be sent directly to firstname.lastname@example.org or 1300 10 30 10.
2.2 Employee information
We may use or disclose personal information collected from employees or prospective employees, with consent, to:
- obtain references from former employers or give references to potential employers;
- verify qualifications with educational or vocational organisations;
- conduct background and criminal records checks (provided that the organisation complies with privacy laws).
- Personal information limited to the employee’s name may be shared with clients and their family members/guardians for the purposes of service provision;
- Personal information may be shared within organisational departments for the purpose of service provision, performance management and general operations;
- Personal information may be shared as part of mandatory inspections or investigations by the ATO, Fair Work, WorkSafe/SafeWork, police, government departments (e.g. DHHS), Commissions or their delegates.
When dealing with employee personal information, Prestige will endeavour to:
- Limit the collection of information
- Provide notice to individuals about the potential collection, use and disclosure of personal information
- Keep employee’s personal information accurate, complete and up to date
- Keep employee’s personal information secure
- Provide employees access to their personal information
2.3 Disclosure to third party service providers
We may disclose client Personal Information to third party contractors and service providers that help us to operate our business and to deliver services to clients, such as, without limitation, IT service providers, Allied Health providers, payment system operators, financial institutions, debt collectors, couriers, mailing houses, accountants, solicitors, business advisors and referral services (including to enable the referral service to verify whether a client was referred to us by that service).
When Prestige provides Personal Information to companies who perform services on our behalf, we require those companies to protect Personal Information as diligently as we do. Strict contractual and other quality assurance measures are used to ensure Personal Information is protected.
2.4 Disclosure to relatives and guardians
There are certain instances where Prestige may need to share or disclose an individual’s Personal Health Information to a person who is responsible for the individual (i.e. a parent, child, sibling, relative, guardian or power of attorney). We may do so, in accordance with Health Privacy Principle 2, if:
- the individual is incapable of giving consent or communicating consent;
- Prestige Management or Coordination staff are satisfied that the disclosure is necessary to provide appropriate care or treatment, is made for compassionate reasons or for the purposes of undertaking a quality review of our services; or
- the disclosure is not contrary to any wish previously expressed by the individual which the organisation is aware of, or of which the organisation could reasonably be expected to be aware, and the disclosure is limited to the extent reasonable and necessary for providing care or treatment.
A client’s confidential information will never be disclosed to other clients, unauthorised personnel or personal relations of the client or employee or any other person in the community.
2.5 Disclosures required or permitted by law
In some circumstances we are authorised or required by law to disclose certain personal information. For example:
- disclosure to various government departments and agencies such as the Australian Taxation Office, Centrelink, Child Support Agency, or disclosure to courts under subpoena; and
- disclosure permitted under Health Privacy Principle 2, where Prestige:
- reasonably believes that disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety;
- has reason to suspect unlawful activity and uses or discloses the Personal Information as part of our investigation of the matter or in reporting our concerns to the relevant authorities; or
- reasonably believes that the use or disclosure is reasonably necessary to allow an enforcement body to enforce laws, protect the public revenue, prevent seriously improper conduct or prepare or conduct legal proceedings.
3. Data Security
Prestige does not store any of your confidential material overseas or in “the cloud”.
Prestige will take reasonable steps to protect Personal Information that we hold from misuse, interference, loss or unauthorised access or disclosure.
Employee records are all computerised with access limited to appropriate staff. Electronic records of employees and clients are held on a password protected secure database. Any paper files are kept securely in a locked cabinet until a time that they are scanned to the computer. Once actioned, documents are then either shredded or put in a locked confidential waste bin that is destroyed by an authorised business.
We will retain records of information for a period of seven years after the last occasion on which a service was provided to the client/by the employee. Records of services provided to children will be retained until the child turns twenty-five. (As per Prestige’s Records Management Policy.)
Personal and Health Information may also be held within a client’s home as part of their health care record. While every effort will be made by Prestige to ensure this is only accessed by employees in order to provide appropriate care, it is acknowledged that access by others is possible and is outside of the control of Prestige.
4. Access to Personal Information
Individuals may request access to their own Personal Information kept by Prestige Inhome Care. Where reasonable and practical to do so, and in accordance with the provisions of the Privacy Act and Health Records Act, Prestige will provide access to an individual’s personal information.
There may be instances where we cannot grant you access to the Personal Information or Health Information we hold. For example, we will refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
If you believe that the personal information we hold about you is incorrect, incomplete or inaccurate, then you can request us to amend it. We will consider if the information requires amendment. If we do not agree that there are grounds for amendment, then we will add a note to the personal information stating that you disagree with it.
In the event access to the records requires a significant allocation of resources, we may charge a reasonable administration fee to cover these costs. Corrections or updates to information supplied by clients or their representatives will be actioned as a priority.
In all cases, Prestige must be satisfied access to/or changes to information are authorised by the individual in question.
5. Disclosure of personal information overseas
Prestige does not disclose personal information overseas.
When we collect Personal Information directly from an individual, we will take all reasonable steps to ensure that they are aware of the collection of their Personal Information.
If information is collected from a 3rd party, reasonable steps will be taken to notify the individual or otherwise ensure that the individual is aware that the information will, or may, be passed on to us.
7. Data Breaches
Under the Notifiable Data Breaches Scheme (Part IIIC of the Privacy Act 1988), Prestige has an obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about an ‘eligible data breach’ which is likely to cause serious harm to any of the individuals to whom the information relates.
An ‘eligible data breach’ occurs if all three of the below criteria are met:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or loss of personal information that Prestige holds.
- this is likely to result in ‘serious harm’ to one or more individuals (‘serious harm’ may include serious physical, psychological, emotional, financial or reputational harm);
- Prestige has not been able to prevent the likely risk of serious harm with remedial action.
Examples of a data breach could include, but are not limited to:
- loss of a computer or data storage device containing personal information
- unauthorised access to personal information as a result of a hacking attack or data breach
- employees or contractors accessing or disclosing personal information outside the bounds of their employment
- emailing, sending or simply providing personal information to the incorrect people
Certain personal information is more likely to cause an individual harm if compromised e.g.
- sensitive information such as information about an individual’s health.
- documents commonly used for identity fraud including Medicare card, driver’s licence & passport
- financial information e.g. credit or debit card numbers,
- a combination of types of personal information, rather than a single piece of information, allows more to be known about the individuals.
In the event of a data breach, Prestige will:
- identify if an eligible data breach has occurred;
- investigate suspected security incidents to determine if an eligible data breach has occurred so that it can be reported;
- assess the risk of serious harm to affected individuals if personal information is disclosed or lost;
- notify affected individuals and the OAIC;
- review any contracts with third parties who hold personal information on behalf of the entity and ensure that adequate contractual provisions are in place to manage compliance with the notification regime
- Complete a IIIR form as soon as practicable to ensure a record is maintained of how the breach or suspected breach was managed.
7.1 Data Breach Notification Obligations
- In the event of an eligible data breach, Prestige is required to notify the Office of the Australian Information Commissioner (OAIC) using the online Notifiable Data Breach Statement Form and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe that there has been an eligible data breach.
- In the event the eligible data breach involves personal information pertaining to NDIS participants, this will also need to be reported to DHHS as a privacy incident. Refer to Incident Reporting and Investigation procedure.
- If Prestige has taken remedial actions and steps to address any potential harm to individuals to whom the information relates before any serious harm is caused, there is no mandatory obligation to report the data breach. A IIIR form should be completed as documented evidence of the remedial actions and steps taken to mitigate any serious harm.
8. Privacy Online
8.1 Online data collection and use
When a Prestige website is accessed, anonymous technical information may be collected about user activities on the website. This may include information such as the type of browser used to access the website, the date of the visit, time spent on the site and the pages visited.
This information is used by Prestige to make decisions about maintaining and improving websites and online services. This information remains anonymous and is not linked in any way to personal identification details.
Web users can choose if and how a cookie will be accepted by configuring preferences and options in their browser. For example, the user can set their browser to notify when they receive a cookie or to reject cookies. However, if the user decides not to display cookies, then they may not be able to gain access to all the content and facilities of the website.
9. Making a Complaint (Grievance Procedure)
Privacy Law is regulated by the Australian Information Commissioner. Further information about privacy legislation can be obtained from the Office of the Australian Information Commissioner website at www.oaic.gov.au
Prestige takes all complaints seriously. Anyone who wishes to make a complaint about the way Prestige Inhome Care has managed their Personal Information may make that complaint verbally or in writing by setting out the details of the complaint to any of the following:
- Prestige Inhome Care Privacy Officer, General Manager Operations
Phone: 03 8587 7900
- Prestige Inhome Care, CEO
Phone: 03 8587 7900
- Alternatively, complaints may also be referred to:
Office of the Australian Information Commissioner.
– By phone: 1300 363 992
– In writing to Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
10. Review and Improvement
Prestige may update this policy from time to time to reflect changes in legislation or internal process improvements. An up to date copy of this policy will be maintained on the Prestige website at all times. www.prestigeinhomecare.com.au/about-us/privacy-policy