Strivesocial: Privacy and Information Management Policy

  1. Introduction

    1. Purpose

The purpose of the Privacy and Information Management Policy for Strivesocial, an NDIS service provider, is to establish clear guidelines for collecting, using, storing, disclosing, and disposing of participants' information while protecting their right to privacy. It aligns with the Privacy and Dignity and Information Management NDIS Practice Standards, Australian Privacy Principles, and relevant laws.


  1. Scope

This Policy is applicable to all Workers affiliated with Strivesocial. It is the responsibility of every individual, regardless of their employment status, to fully comprehend and comply with the commitments outlined in this policy. All Workers must acknowledge that they have read, understood and will comply with the contents of this Policy.


  1. NDIS Indicators (Objectives)

Privacy and Dignity

Outcome: Each participant accesses supports that respect and protect their dignity and right to privacy.

To achieve this outcome, the following indicators should be demonstrated:

  1. Consistent processes and practices are in place that respect and protect the personal privacy and dignity of each participant.

  2. Management of each participant’s information ensures that it is identifiable, accurately recorded, current and confidential. Each participant’s information is easily accessible to the participant and appropriately utilised by relevant workers.

  3. Each participant understands and agrees to what personal information will be collected and why, including recorded material in audio and/or visual format.


Information Management

Outcome: Management of each participant’s information ensures that it is identifiable, accurately recorded, current and confidential. Each participant’s information is easily accessible to the participant and appropriately utilised by relevant workers. 

To achieve this outcome, the following indicators should be demonstrated:

  1. Each participant’s consent is obtained to collect, use and retain their information or to disclose their information (including assessments) to other parties, including details of the purpose of collection, use and disclosure. Each participant is informed in what circumstances the information could be disclosed, including that the information could be provided without their consent if required or authorised by law.  

  2. Each participant is informed of how their information is stored and used, and when and how each participant can access or correct their information, and withdraw or amend their prior consent. 

  3. An information management system is maintained that is relevant and proportionate to the size and scale of the organisation and records each participant’s information in an accurate and timely manner. 

  4. Documents are stored with appropriate use, access, transfer, storage, security, retrieval, retention, destruction and disposal processes relevant and proportionate to the scope and complexity of supports delivered.

  1. Policy Statement

At Strivesocial, we are deeply committed to safeguarding our Participants' right to privacy while ensuring accurate, reliable, and accessible management of their information. We believe that every Participant's personal data should be treated with utmost respect and confidentiality. This policy guides our practices towards these commitments, underpinning our organisational principles of respect for Participant autonomy, transparency, and accountability. It establishes the standards for our dedicated workforce to handle information appropriately, respecting each Participant's privacy and dignity.


  1. Relevant legislation

All relevant legislation to this Policy is outlined in the Legislation Register.


  1. Related documents

  1. Privacy Consent Form

  1. Privacy Consent Form (Easy Read)

  1. Incident Management Policy

  2. Incident Report Form

  3. Feedback and Complaints Policy

  4. Risk Management Register

  1. Responsibilities and Roles

  1. Julie Athanasiou is responsible for the development and review of this policy. It is expected that Julie Athanasiou ensures this Policy remains compliant with all applicable laws, regulations and standards. 

  2. Key Management Personnel play a vital role in ensuring the effective implementation of this Policy throughout Strivesocial. It is the responsibility of all Key Management Personnel to not only assist Workers in understanding and complying with this policy but also to comply with it themselves. By leading by example, they demonstrate the importance of adherence to the policy and foster a culture of compliance within the organisation.

  3. Workers are responsible for understanding the contents of this policy and complying with all procedures applicable to them.

  1. Definitions

Strivesocial means Strivesocial Pty Ltd ABN 22 682 526 147.

Key Management Personnel means Julie Athanasiou and other key management personnel involved in Strivesocial from time to time.

Director means Julie Athanasiou.

Worker means a permanent, fixed term or casual member of staff, a contractor or volunteer employed or otherwise engaged by Strivesocial and includes the Director.

Personal information means any data or viewpoint about an identifiable individual or one who can be reasonably identified, regardless of the veracity of such information or if it is recorded in a physical form.

Sensitive information means a category of personal information that usually receives a higher degree of privacy protection. This encompasses details related to health, genetic makeup, racial or ethnic background, political viewpoints, association with a political group, religious or philosophical beliefs, affiliation to a professional or trade association or union, sexual orientation or behaviour, criminal history, and certain kinds of biometric information.




  1. Procedures

    1. Protection of Sensitive Information

  1. As part of Strivesocial’s Privacy and Information Management Policy, we carefully manage sensitive information to protect the privacy and dignity of our participants.

  2. Strivesocial only collects sensitive information where it is reasonably necessary for our functions or activities. This could include health and medical information and information relating to disability and support requirements. This will only be done under two circumstances:

    1. The individual has given explicit consent.

    2. Strivesocial is required or authorised by law, including applicable privacy legislation, to do so.

  3. Strivesocial is committed to treating all Participants with dignity and respect. We take all reasonable measures to protect the privacy and dignity of each participant, particularly when handling their sensitive information.


  1. Obtaining Participant consent

  1. Workers must, in a respectful, clear, and honest manner, explain to the Participant the purpose and potential use of their data, and who it may be disclosed to, including instances where information could be shared without consent, as per legal requirements.

  2. Workers should use plain language, active listening, and encourage questions to ensure the Participant fully understands.

  3. Consideration must be given to any potential communication barriers and efforts made to address these, for instance by offering interpreter services or legal aid.

  4. Workers must document the Participant's consent using the Privacy Consent Form, ensuring all details are fully understood and agreed upon by the Participant.


  1. Informing Participants about their information

  1. Workers must inform Participants about their data storage and usage. This should be done when providing the Privacy Consent Form during the initial intake process, and periodically thereafter, or when changes are made to the data storage or usage. 

  2. Communications should respect the privacy and confidentiality of the Participant. 

  3. Workers should provide information on how Participants can contact Strivesocial to access or correct their data, lodge a complaint, or amend their prior consent. 

  4. If the Participant wishes, Workers should encourage their engagement with family, friends, or chosen community in this process. 

  5. If a Participant has a complaint about how Strivesocial has collected or handled their personal information, it will be managed in accordance with the Strivesocial Feedback and Complaints Policy.


  1. Information collected and stored

  1. The personal information Strivesocial collects and securely stores includes:

    1. Participant Details including Name, contact details, gender, date of birth, marital status, disability and support needs.

    2. Identifiers such as Numbers used by the government or other organisations for identification.

    3. Service Details such as Information about provided services and delivery methods.

    4. Medical Information including Health and medical details relevant to service provision.

    5. Financial Information including Billing details and information about funded services under NDIS or otherwise.

    6. Interaction Records including Records of conversations and interactions with our workers.

  2. Strivesocial may collect personal information in the form of recorded material such as audio and/or visual format.


  1. Information collection methods

  1. Strivesocial collects personal information through various means to ensure the effective delivery of our services. These methods include:

    1. Information collected through forms or interactions on the Strivesocial website.

    2. Information gathered when individuals correspond with us, for example via letters, faxes, emails, or telephone calls.

    3. Personal data collected through forms filled out in-person or received via mail.

    4. Information collected directly during face-to-face interactions.

    5. Information obtained from referring third parties, such as the National Disability Insurance Scheme or a support coordinator.

    6. Personal information collected from participants during events and forums.

    7. Personal information received from third party funding and Government Agencies.


  1. Purpose of personal information collection

  1. As an NDIS service provider, Strivesocial collects personal information to manage, provide, and enhance our services. This data collection enables us to:

    1. Understand and evaluate Participants' specific needs, preferences, and goals to customise Participant Support plans.

    2. Answer Participant inquiries, administer services, process payments, and provide tailored supports as per the Participants' NDIS plans.

    3. Keep Participants updated about their plans, our services, and any changes or updates, including information about disability supports and the NDIS. 

    4. Carry out quality assurance activities including surveys, research, and analysis, resolve complaints, and continually refine our services to meet the NDIS Practice Standards and Quality Indicators.

    5. Adhere to legal, regulatory, and reporting obligations, including incident reporting, record keeping, and providing reports to funding and government agencies.

    6. Inform individuals about our activities and promote Strivesocial, including through events and forums. Where consent is provided, we may send marketing communications.

    7. Perform research and statistical analysis relevant to our services, and invite individuals to participate in these activities, which contribute to the evaluation and enhancement of our services.

    8. Manage and improve user experience on our website using “cookies” to personalise webpage content, track visits, and tailor advertising. Users can manage cookies through their browser settings.


  1. Third party disclosures

  1. Strivesocial may share personal data with certain third parties including:

    1. NDIS Commission;

    2. funding providers;

    3. regulatory bodies like the National Disability Insurance Agency and Medicare;

    4. individuals acting on the subject's behalf; 

    5. law enforcement; 

    6. courts; 

    7. financial institutions for payment processing; and

    8. external service providers.

  2. These disclosures shall be in line with fulfilling our services, compliance with laws, or due to the subject's explicit authorization.


  1. Maintaining the Information Management System

  1. Workers responsible for handling information must ensure information is entered into the Strivesocial document management system accurately and in a timely manner.

  2. Regular system audits should be performed by management to ensure information is kept current and accurate.


  1. Document storage and security

  1. Strivesocial ensures the security of personal information via several strategies, including:

    1. website encryption;

    2. firewalls and anti-virus software;

    3. restricted system access with password protection; 

    4. controlled physical access to premises; 

    5. limiting data access to necessary Workers; and 

    6. providing ongoing data security training and policies.

  2. All documents, electronic or paper-based, must be stored in accordance with the following document storage and security procedures. This includes appropriate use, access, transfer, security, retrieval, retention, and disposal.



  1. Storage 

    1. All electronic based documents must be stored in a cloud based storage system.

    2. All paper-based documents should be converted into an electronic version and uploaded to a cloud based storage system; the paper-based documents should be stored in a locked file cabinet or destroyed.

  2. Transfer of documents 

    1. Ensure necessary consents have been obtained before transferring any document containing personal or sensitive data.

    2. All confidential documents (physical or digital) should be clearly marked as "Confidential."

    3. For internal document transfers: digital transfers should use secure, approved, company-controlled systems (like an intranet or secure shared drives) and access to the document should be restricted to only those who need it. Physical documents should be transferred directly hand-to-hand wherever possible. If this is not feasible, use internal mail services with a traceable delivery process.

    4. For external document transfers: digital transfers should preferably be encrypted before transmission and use secure, approved methods (like secure email, secure file transfer protocol (SFTP), or encrypted cloud services). The encryption key/password should be shared via a separate, secure communication method. For sending physical documents outside of the organisation, use a reliable courier service that offers secure, traceable delivery. The documents should be packed in tamper-evident packaging.

  3. Information Retention

    1. Upon reaching the end of their defined retention periods, all physical and electronic documents must be disposed of in accordance with our document disposal procedures to guarantee safe and confidential elimination.

    2. Unless mandated differently by legal requirements, all records and personal information of our Participants will be preserved for the following durations:

      1. For adult Participants: A minimum of seven years after they cease to be Participants of Strivesocial.

      2. For minor Participants: A minimum of 25 years after they cease to be Participants of Strivesocial.


  1. Disposal of Information

During the disposal process, Workers should abide by the following steps:

  1. Determine if the documents have reached their designated end of the retention period. Ensure that there are no pending requests or legal obligations for these documents.

  2. Assign a classification to the documents based on the nature of their contents and the level of confidentiality.

  3. Unneeded working documents or copies of confidential information should be securely placed in designated bins or sufficiently shredded using cross-cut shredders for optimal security.

  4. In cases of highly confidential documents, extra measures such as engagement of certified document destruction services may be warranted.

  5. Documents devoid of confidential content may be suitably recycled.

  6. Prior to disposing of any electronic media, including computers, hard drives, USB keys, etc., Workers must ensure these devices are properly sanitised.

  7. Merely deleting a file does not completely erase it from a storage device. Workers should use secure file deletion software that overwrites the data, making it irretrievable.

  8. If external data destruction services are engaged, it is crucial to ensure that they adhere to the organisation's security standards and furnish a certificate of destruction upon completion of the task.


  1. Incident reporting and management

  1. Privacy incidents, such as unauthorised access, alteration, or destruction of personal information, can arise due to human errors, technical issues, or intentional actions, affecting both electronic and hard-copy data. These incidents must be promptly reported to minimise their impact.

  2. Any privacy incident, whether having a major or minor impact, or even being a near miss with no apparent Participant impact, must be reported to the Incident Manager or other Key Personnel following the Incident Reporting Procedure.

  3. Workers should be proficient in recognizing potential privacy incidents and must promptly report all incidents. The emphasis of reporting is not to penalise individuals, but to reduce the potential impact of the incidents.

  4. Strivesocial is committed to notifying relevant authorities, such as:

    1. the Department of Health and Human Services;

    2. the NDIS Commission; and

    3. the Office of the Australian Information Commissioner,

within one business day upon recognizing a potential privacy incident or receiving an allegation of a possible breach.


  1. Training

  1. All Workers must undergo regular training to ensure understanding and compliance with the Privacy and Information Management Policy and its associated procedures. Training will be provided upon induction and at regular intervals, as needed or when changes to the procedures are made.

  2. It is important that all Workers adhere to these procedures to protect the rights and safety of our Participants.

  1. Policy review and updates

This Policy is to be amended and updated as required to comply with the applicable laws and regulations.


Approval Authority: Julie Athanasiou

Version: 1

Approval Date: November 2024

Review Date: November 2026

