Privacy policy

KITE CENTRE PRIVACY AND INFORMATION MANAGEMENT POLICY
POLICY
The KITE Centre will comply with:
● The Privacy Act 1988 and the Privacy Amendment Act 2012 to protect the privacy of individuals’ 
personal information; and
● NSW Health Records and Information Privacy Act 2020.
This includes having in place systems governing the appropriate collection, use, storage and 
disclosure of personal information, access to and correction and disposal of that information.
OUTCOME
Compliance with legislative requirements governing privacy of personal information.
All KITE Centre clients are satisfied that their personal information is kept private and only used for 
the intended purpose.
BACKGROUND
The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of personal 
information about individuals by private sector organisations. Amendments were made to this 
legislation in 2012 (the Privacy Amendment Act 2012 which updates the Australian Privacy Principles 
- APP) and came into effect in March 2014. The amendment requires an organisation to explicitly 
state how they will adhere to the APP and inform their clients on how their privacy will be protected. 
The APP covers the collection, use, storage and disclosure of personal information, access to and 
correction of that information. The APP are summarised in Appendix 1 of this document.
The NSW Health Records and Information Privacy Act 2002 governs how long personal health 
information must be kept.
DEFINITIONS
'Personal information' means information (or an opinion) we hold (whether written or not) from which a 
person’s identity is either clear or can be reasonably determined.
‘Sensitive information’ is a particular type of personal information - such as health, race, sexual 
orientation or religious information.
PROCEDURE
Ensuring all KITE Centre Staff Understand Privacy and Confidentiality Requirements
● The Director of the KITE Centre will review their Privacy Policy annually and ensure that the team 
understand their responsibility to protect the privacy of individuals' personal information; and
● All Staff will undergo training related to Privacy and Confidentiality Requirements at the time of 
induction and each then annually.Managing Privacy of Client Information Storage
● Client information collected is kept in an individual client record;
● Each client record has a unique identification number;
● A client records includes but is not limited to: personal information • clinical notes • investigations • 
correspondence from other healthcare providers • photographs • video footage • Assessment 
notes or tools;
● A firewall is used in the KITE Centre computer system as a means of protecting information 
stored on the computer. Other security related procedures such as user access passwords also 
assist with the protection of information;
● Paper records are kept in locked, fireproof cabinets;
● Client information is stored for seven (7) years post the date of last discharge. In the case of 
clients aged under 18 years, information is kept until their 25th birthday and seven (7) years post 
discharge;
● Client related information or any papers identifying a client are destroyed by shredding and 
deleting from the computer and all databases; and
● User access to all computers and mobile devices holding client information is managed by 
passwords and automatic inactive logouts.
Managing Privacy and Confidentiality Requirements of Clients
● The KITE Centre refers to their Privacy Policy on the participant’s NDIS Service Agreement;
● The NDIS Service Agreement includes five (5) Consents:
- Consent for sharing Information;
- Consent for receiving Services;
- Consent for photography;
- Consent to participate in Client Satisfaction Surveys; and
- Consent to participate in Quality Management Activities.
These consents are discussed with the participant and/or their decision maker in a way they can 
understand prior to the commencement of service.
● Persons contacting the KITE Centre with an enquiry do not need to provide personal details. 
However, once a decision is made to progress to utilising Kite Centre services, personal and 
sensitive information will need to be collected;
● The KITE Centre may need to share pertinent client information with other professional therapists 
at the time of case conferencing or when determining care plans. Information is only shared in 
order to provide the best service possible and is only shared with those people whose 
Professional Codes of Ethics include privacy and confidentiality. Permission to share information 
is sought from the client prior to the delivery of services and as required at other points of 
intervention as / if required;
● Personal information is not disclosed to third parties outside of the KITE Centre, other than for a 
purpose made known to the client and to which they have consented, or unless required by law; 
and
● Clients are informed there may be circumstances when the law requires KITE Centre to share 
information without their consent.Keeping Accurate Client Information
● Clients are informed of the need to provide us with up to date, accurate and complete information.
● The KITE Centre staff update information on the client record at the time of reviews or when they 
become aware of change in information.
● Therapy and support coordination staff at the KITE Centre update the client record as soon as 
practical after the delivery of services to ensure information is accurate and correct.
Using Client Information for Other Purposes
● Under no circumstances will KITE Centre use personal details for purposes other than stated 
above, unless specific written consent is given by the client or their representative.
Client Access to Their Information
● Clients have the right to access the personal information KITE Centre holds about them. To do 
this, clients must contact the Director the KITE Centre and make a request.
Management of a Privacy Complaint
● If a person has a complaint regarding the way in which their personal information is being handled 
by the KITE Centre, in the first instance they are to contact the Director. The complaint will be 
dealt with as per the Incidents and Complaints Policy. If the parties are unable to reach a 
satisfactory solution through negotiation, the person may request an independent person (such as 
the Office of the Australian Privacy Commissioner) investigate the complaint.The KITE Centre will
provide every cooperation with this process.
References
● 'Guidelines on Privacy in the Private Health Sector', Office of the Australian Information 
Commissioner http://www.oaic.gov.au/privacy/privacy-topics/health-for-individuals/private-healthsector-access-to-health-information#own
● https://www.legislation.nsw.gov.au/#/view/act/2002/71/part4/div2/sec25
Reviewed 7 October 2020Appendix 1: Summary of the 13 Australian Privacy Principles
APP 1 — Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This 
includes having a clearly expressed and up to date APP privacy policy.
APP 2 — Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a 
pseudonym. Limited exceptions apply.
APP 3 — Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher 
standards to the collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5 — Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify 
an individual of certain matters.
APP 6 — Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it 
holds.
APP 7 — Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain 
conditions are met.
APP 8 — Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed 
overseas.
APP 9 — Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of 
an individual as its own identifier or use or disclose a government related identifier of an individual.
APP 10 — Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, 
up to date and complete. An entity must also take reasonable steps to ensure the personal 
information it uses or discloses is accurate, up to date, complete and relevant, having regard to the 
purpose of the use or disclosure.
APP 11 — Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, 
interference and loss, and from unauthorised access, modification or disclosure. An entity has 
obligations to destroy or de-identify personal information in certain circumstances.
APP 12 — Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal 
information held about them by the entity. This includes a requirement to provide access unless a 
specific exception applies.
APP 13 — Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information of individuals