In this document, the term “The Group” refers to the collective operations of Enhance Health Group Pty Ltd. The Group is committed to adhering to the following regulations and principles:
– Privacy Act 1988
– Privacy Amendment Act 2000
– Australian Privacy Principles (APP)
– Health Records and Information Privacy Act 2002 (NSW)
This policy is designed to support the Group in mitigating risks that could impact compliance with the requirements of our customers and certifying bodies, including:
– Disability Employment Services Grant Agreement
– Workforce Australia Services Deed of Standing Offer
– Quality Assurance Framework
– National Standards for Disability Services (NSDS)
– National Disability Insurance Scheme Practice Standards and Quality Indicators, Code of Conduct, and Provider Requirements, including the Compliance Framework
– ISO 9001:2015 Quality Management System Requirements
– ISO 27001:2013 Information Security Management Systems
– Heads of Workers Compensation Authority Principles of Practice
The Group takes its obligations under the Privacy Act seriously and makes every effort to comply with the Act in order to safeguard the privacy of the personal information we hold, some of which may be health-related.
In order to ensure that the services provided align with the clients’ current situation and needs, the Group may need to collect and record personal and/or sensitive information. This information is collected on behalf of our contracted obligations with customers and is subject to the restrictions imposed by the Privacy Act 1988 (Cth).
As per the terms of our funding agreements, the Group is obligated to comply with the Privacy Act when collecting, using, and disclosing personal information of employees, customers, clients, and related stakeholders.
Personal information is collected for the provision of employment, disability, therapy, and occupational rehabilitation services in order to:
– Determine eligibility or appropriateness of services
– Tailor services to clients’ needs
– Evaluate and monitor outcomes, programs, and services
– Facilitate resolution of complaints made by stakeholders
– Include client personal details in communications developed by Enhance Health Group relevant to the scope of services.
Personal information held by Enhance Health Group, including information provided by employees, contractors, clients, and participants, may be disclosed to national or state/territory-based tribunals, commissions, courts, regulatory agencies, Department of Education Skills and Employment (DESE), Exercise and Sports Science Australia (ESSA), Australian Health Practitioner Regulation Agency (AHPRA), health practitioners, and third-party service providers, including providers with overseas operations.
This policy applies to the collection, use, and disclosure of information concerning the following parties:
– Stakeholders involved in the services delivered by The Group
– Employees or potential employees of The Group
– Contractors working with The Group
– Customers and certification bodies associated with the services provided
The purpose of this policy is to affirm The Group’s commitment to complying with relevant legislation and customer contractual obligations regarding privacy. It outlines the methods adopted to ensure compliance.
Collection of Information
The Group will not collect personal and confidential information unless it serves a lawful purpose directly related to our organization’s function or activity and is necessary for that purpose.
Examples of Personal Information that may be collected include:
– Contact information (e.g., name, age, address, telephone numbers, email address)
– Employment information (e.g., work history, performance, workplace incidents, next of kin details)
– Financial information (e.g., bank account details for reimbursements)
– Sensitive information (e.g., medical history, criminal record, religious beliefs, health information)
– Commonwealth government identifiers (e.g., CRN, TFN, Participant ID, JSID)
Whenever reasonable and feasible, personal information is collected directly from the individuals themselves. Collection may occur for various purposes, including service delivery or internal use in relation to an employee’s role within The Group.
Examples of collection scenarios:
– Providing occupational rehabilitation, therapy, assessment, and/or employment services as per contracted agreements, referrals, and legislative requirements
– Requesting completion of registration forms for a service
– Responding to written or verbal information requests
– During the recruitment and selection process and throughout employment with The Group
On occasion, personal information may be obtained from other sources, such as:
– Employers to establish and deliver services
– Insurance agents for the purpose of delivering occupational rehabilitation services
– Community services providers to facilitate engagement in services aligned with The Group’s scope
– Medical practitioners providing services or assessing the fitness for work of The Group’s employees
In most cases, individuals receiving services from Enhance Health Group will be required to provide signed consent forms, affirming their approval for the collection, use, or disclosure of personal information (including third-party phone recordings). Written consent is usually preferred, but verbal consent may be accepted and documented in specific circumstances, provided written consent has already been obtained. Verbal consent should serve as a reaffirmation of ongoing consent and must be recorded for record-keeping purposes.
Consent forms for each organization within the group can be accessed through their respective case management platforms, including Enhance Health Group. The group strongly encourages maintaining best practice standards. If a consent form is over 12 months old from the date of signing, a new consent form must be obtained and signed. All consent forms should be securely stored in an access-controlled location by Enhance Health Group.
Consent must not be implied, even if legally acceptable. The Enhance Health Group strives to uphold best practices and always seeks signed consent forms for the services provided.
When a service delivery case is closed, the consent form no longer authorizes the collection, use, or disclosure of information regarding that individual.
If a client or participant is referred to Enhance Health Group for services following the completion or cessation of prior services, a new consent form must be obtained.
If a client or participant is referred for multiple services and they are provided concurrently, only one consent form is required while services are ongoing.
Use and Disclosure
The Group collects personal information to enable us to conduct business, within our scope of services including:
- Determining an individual’s requirements for appropriate services
- Setting up and administering services
- Identifying a person and protecting that person from unauthorised access to his/her personal information
- Recruitment and selection processes
- To determine an employees’ and contractors’ suitability to deliver occupational rehabilitation, therapy, or treatment services in line with the AHPRA registration and DVA requirements.
Personal information may be used for purposes other than for which it was collected, namely:
- To prevent a serious threat to a person’s health or life
- As required or authorised by law
- Where reasonably necessary for the enforcement of criminal or revenue law
- Where summoned, subpoenaed or where a freedom of information request is received by an authorised person or the client and complies with the Privacy Act’s Privacy Principles and our contractual obligations.
The Group may disclose personal information where consent has been given. Consent to the disclosure of personal information may be given explicitly, such as in writing or verbally. Disclosure of information may be provided to stakeholders involved in the scope of services, such as:
- Referring agent/department
- Treating practitioners
- Nominated support person/s
- Nominated Union delegate
- A legal entity
- Prospective employers
- Prospective training organisations
- Prospective equipment suppliers
- Community providers engaged for the purpose of services.
Disclosure of Employee and Contractor Professional Details:
Enhance Health Group provides occupational rehabilitation, therapy, and disability employment services in accordance with contracts and registrations held with various State, Territory and National regulation agencies, including, though not limited to:
Western Australia: WorkCover WA
Other: Department of veteran Affairs (DVA)
Other: Third Party Accreditation Auditors
The Group collects your personal information related to your suitability and qualifications that enable you to deliver occupational rehabilitation, therapy, or treatment services in accordance with industry standards, national or State/Territory-based regulatory agencies, ESSA and AHPRA requirements for health practitioners.
To demonstrate our compliance with requirements set by the above regulatory agencies, ESSA and AHPRA, The Group is required to provide your personal information related to professional registration details on their request, to demonstrate that our staff are appropriately qualified and registered to deliver workplace rehabilitation and/or therapy services.
The Group is further required to provide evidence of your professional registration currency to third party auditors who are engaged to ensure The Group continues to comply with our contractual and certification obligations. Third party auditors are bound by privacy obligations.
If you have enquiries about regulatory or other agencies accessing your professional registration details held by the Group, please contact the Internal Audit team at aDMIN@EnhanceHealthgroup.com.au.
When is disclosure not appropriate?
The Group do not collect personal or sensitive information unless the information is reasonably necessary for, or directly related to, one or more of the functions or activities we have been requested to undertake as a part of our service delivery and operations.
The Group do not disclose personal information to a party outside or unrelated to the scope of services. Parties that may be eligible to personal or sensitive information can include a party contracted to the Enhance Health Organisations to provide administrative services or activities on our behalf, and whereby that party is bound by the same privacy rules.
The Group do not disclose personal or sensitive information to overseas recipients unless required to by law or if these recipients are directly related to the scope of services.
The Group do not disclose records of personal and sensitive client information or company intellectual property to ex-employees.
The Group do not disclose records that have been obtained by a third party, even if related to the scope of services provided unless summoned by a court of law. For example, The Group is not able to disclose independent medical and allied health assessments of documents obtained from a third party. However, clients can request access to those records from the owner/creator of those records directly.
In accordance with the Health Records and Information Privacy Act 2001, if the individual chooses not to provide The Group with personal information pertaining to their health and authority to collect and disclose information, we may not be able to provide the full range of our services. The referring party should be notified (if the services was not self-referred) to discuss the implications on services because of consent being declined.
For any request for information that is not a direct request from the client or participant, a new authority consent form must be sighted and be signed within the last 12 months of the request.
For further guidance relating to the disclosure of information, please refer to the Records Request and Subpoena Procedure available on the Enhance Health Group Intranet.
Children And Young People:
The Privacy Act 1988 (Privacy Act) protects an individual’s personal information regardless of their age. An individual under the age of 18 has the capacity to consent if they have the maturity to understand what is being proposed. This is assessed on a case-by-case basis. If The Group believe or are unsure of the person’s ability to consent, then the consent from a parent or guardian might be sought.
Provision Of A Telehealth Service
Where appropriate, The Group services may be provided by telephone or videoconferencing. Clients and customers responsible for setting up the technology needed so they can access telehealth services. The Group employee providing services can assist with this if required. The Group will be responsible for the cost of the call to the client and the cost associated with the platform used to conduct telehealth services.
To access telehealth services, client’s will be instructed that they require a quiet, private space; an appropriate device, i.e. smartphone, laptop, iPad, computer, with a camera, microphone, and speakers; and a reliable internet connection.
The privacy of any form of communication via the internet is potentially vulnerable and limited by the security of the technology used. To support the security of personal information, Enhance Health Group uses Teams technology which is compliant with the Australian standards for online security and encryption.
The Group will ensure we obtain permission and approval before recording any material via telehealth or otherwise, including taking photographic images, video, or audio for the purpose of observation and assessment. Any recorded material will be kept private and confidential and will be destroyed once The Group has completed the assessment and formulated the relevant documentation required.
Limitations of Telehealth
A telehealth consultation may be subject to limitations such as an unstable network connection which may affect the quality of services. In addition, there may be some services for which telehealth is not appropriate or effective. The Group will consider and discuss with clients and customers the appropriateness of ongoing telehealth sessions.
The Group will take all reasonable steps to protect the security of personal and sensitive information collected. This includes measures to protect electronic materials and materials stored and generated in hard copy.
The Group store sensitive and confidential information developed on our security-controlled database. This database enables The Group to lock access to various users, as deemed appropriate regarding the nature of information and purpose for which that information has been obtained.
The Group operate within a secure and encrypted network that cannot be accessed by external stakeholders. The Group further operates as a paperless office where possible. However, if confidential or sensitive information is in written format on paper, this information is discarded using a secure paper removal and destruction process once no longer required.
Where information cannot be destroyed and needs to be maintained, The Group archive documentation using a professional document management company location. Confidential and sensitive information can then be made available to individuals on request and in accordance with Privacy laws.
What Cookies Are
Cookies might be used for the following purposes:
- To enable certain functions
- To provide analytics
- To store your preferences
- To personalise content and Ads
- To enable ad delivery and behavioural advertising
Cookies cannot read data from your hard drive or read cookies files that may have been created from another website. Cookies expire after a certain amount of time.
Third Parties Cookies on Group Website
Access and Correction
The individual may request access to any personal information directly relating to them that has been developed and held by The Group. Only information pertinent to that individual will be disclosed.
In most cases, a summary of personal information such as name, address, contact telephone numbers, reports developed by The Group, emails sent/received, and service delivery notes can be made available to the individual by making an application in writing to The Group.
If the individual is able to establish that the information is not accurate, complete, and up to date, The Group will take reasonable steps to correct the information so that it is accurate, complete and up to date.
Should it be deemed necessary to refuse access or correction to an individual’s information, The Group will provide reasons for denial of access or a refusal to correct personal information. The Group may refuse an individual access to personal information in a number of circumstances such as where the information may be related to existing or anticipated legal proceedings, where access to the information could result in potential harm to the individual’s physical or mental wellbeing, where denying access is required or authorised by law, or where the request for access is regarded as frivolous or vexatious.
The Group is required by law to retain personal information for a period of time after an individual has ceased any relationship with us. After the required time has passed, The Enhance Health Group archive case files on our secure and access-controlled network database.
For information which has been requested, a fee may be charged to cover the cost of retrieval and the supply of this information. All requests for access to personal information will be handled as quickly as possible and The Group shall endeavour to process any request for access within 30 days of having received the request. Some requests for access may take longer than 30 days to process depending upon the nature of the personal information being sought and should be communicated to the requesting party.
Breaches in Confidentiality
It is an offence under the Social Security (Administration) Act 1999 for a person to intentionally obtain, make a record of, disclose to any other person, or otherwise use, protected information if the person; Is not authorised by or under the Social Security Law to do so;
Knows or ought to reasonably know, that the information is Protected Information. This means that the Group’s personnel may commit a criminal office if they:
- Search for or access Protected Information where not authorised
- Make copies of Protected Information where not authorised
- Disclose Protected Information to other staff or third parties who do not need to know that information
- Otherwise use Protected Information where not permitted.
A breach in confidentiality relates to a Notifiable Data Breach that is likely to cause serious harm to an individual or individuals impacted by that privacy breach following unauthorised access, disclosure and/or loss of personal information. Where a breach in confidentiality has been identified, the Manager will undertake the following activities within 24 hours:
- Notify the impacted party/parties immediately of any threatened or actual privacy events; and
- Consider and action all reasonable requests and directions from the interested parties.
- Where notifiable data breaches have occurred, the Manager will assess the impact on interested parties and in negotiation with the related parties, determine if the breach constitutes a requirement to notify the Privacy Commissioner at the Office of the Australian Information Commission (OAIC). Notifying the OAIC will be completed by the Legal and Risk team.
The Directors will work with the Manager to consider whether we notify to the Privacy Commissioner. The outcome for notification is determined if the following 3 criteria are satisfied:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
- This is likely to result in serious harm to one or more individuals, and
- The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action
Where The Group has informed the OAIC, we will cooperate and notify impacted parties of the breach in relation to the assessment and reporting of a breach to the OAIC and notification to impacted customers.
The Group respect the individual rights of its employees and consequently manages records it keeps in relation to employees in a careful and responsible manner. The Group are required to keep personal records for seven years from the date an entry is changed or from termination of an employee’s employment, depending on what happens first.
Access by an employee to his/her own personnel file is generally permitted. An employee may have access to:
- His or her time and wages records, including overtime (if applicable) and remuneration
- His or her records of leave, including leave taken and available entitlement
- His or her records of superannuation contributions; and
- Workers’ compensation records if an employee has had an accident.
Records are available through Myob and access is controlled by the Director to ensure only approved employees can view an individual’s employee records. For example, the direct Manager can view induction records, leave entitlements and personal details. Finance is able to view bank details to enable processing of remuneration and superannuation.
Access by an employee to records of other employees is generally not permitted. If an employee believes that a special case exists, and the other employees involved do not object then the manager may permit such access. The Director will make the final decision regarding one employee having access to another employee’s personnel file.
An employee may request an interview with their employer, The Group, or a representative of the employer at any time during working hours to discuss a record which has been made or is to be made by The Group.
When a third party, e.g., a bank or real estate agent requests information about an employee, that employee will be contacted and his/her permission will be required, in writing, before any information is released.
All staff should be aware that personal information about contractors is not an ‘employee record’ and due care must be exercised in handling such information within the law.
Unsuccessful Job Applicants
In preserving the privacy of unsuccessful candidates by destroying records, it is difficult to prove a fair process. Consequently, the practice outlined below is to be generally followed as part of the recruitment process. Applications and associated documentation will be held for a reasonable period of time after a position is filled, unless the candidate requests the information be filed in the event of other positions arising with the company. If any dispute arises, both parties will have relevant evidence to refer to. Candidates have the right to withdraw or ask for special treatment of their personal information if they do not agree with this stated practice.
Suspected or actual privacy breach identified / reported
Immediate Response Required
- Employee to immediately notify the Manager of the specific team that a privacy breach occurred or is suspected.
- Employee and Manager to immediately contact stakeholders in receipt of unauthorised information and request the unauthorised information to be deleted/destroyed. Request confirmation of the information being destroyed. This includes deleting information from a deleted email folder.
- Manager or employee to notify the impacted stakeholder of the privacy breach. This might include the client and the referring parties. It is the Manager’s discretion to determine the appropriateness of whether the employee or the manager notifies the impacted party. The Manager might determine an experienced employee is competent to manage the communications, whereas a new employee on probation might not have the experience to undertake this form of communication.
Documenting The Data Breach
Within 4 hrs, Manager must complete the following actions:
- Complete the Notifiable Data and Privacy Breach Form available on the intranet. This will include undertaking an investigation of how the privacy breach occurred and implementation of immediate remedial actions.
- Notify the Privacy Officers via the Privacy inbox and email completed Notifiable Data and Privacy Breach Form.
- Notify the relevant CRM/BDM if applicable, and email completed Notifiable Data and Privacy Breach Form.
- Privacy Officers will review the Notifiable Data and Privacy Breach Form and determine the hierarchy of escalation that is required due to the severity of the data and privacy breach.
- Escalation may require notification to the relevant Director