Customer Personal and Information Privacy Procedure
Purpose of this Procedure
This Division is aligned to the requirements of the Victorian Health Records Act, Privacy Act and Disability Act to ensure that Leisure Networks complies in practice with its legal obligations and its duty of care to customers.
Authorities & Responsibilities
The Chief Executive Officer is responsible to ensure that all representatives of Leisure Networks understand their obligations with respect to maintaining customer privacy.
Customer Support Officers, Planning Facilitators, contractors and any employee working with customers are responsible to ensure that their practice protects customer privacy.
Collection of information
Leisure Networks shall:
- only collect from customers personal information that is necessary for providing requested supports
- advise customers on a regular basis that they can gain access to their personal information and to make corrections
- only use personal information for the primary purpose for which it was collected or for a secondary purpose that the person would reasonably expect and for which has provided consent.
- advise customers that they can gain access to their personal information.
- obtain the signed consent of any customer who appears in a photo or video footage that will be used for public or general purposes by using a “Video and Photo Consent Form”
- obtain the informed consent of a customer prior to using their information for a secondary purpose.
- make sure customer personal information is accurate, complete and up to date.
- take all reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.
- give individuals the option of not identifying themselves when entering transactions with organisations, if that would be lawful and feasible.
- restrict the collection sensitive information to what is needed and lawful to collect, excluding political views, religious beliefs, sexual preferences or membership of groups.
- On registering a customer, informed consent must be sought from the person, or a nominated support person when the customer is unable to give consent, prior to collection of personal information
- Informed consent must be sought from the customer prior to sharing their personal information with other Leisure Network’s employees or for using their personal information for a secondary purpose
- Informed consent must be sought from a customer who appears in a photo or video footage that will be used for public or general purposes by using a “Video and Photo Consent Form”
- Customers must be provided with access to advocacy or individual support to assist in matters relating to collection of personal information and for seeking informed consent for collection and sharing of personal information
- Informed consent must be sought from the person, or a nominated support person when the customer in unable to give consent, prior to taking photographs and / or
images. Customers also need to provide consent as to advise how and for what purpose images taken would be used and/or shared.
Determining whether a customer can give consent
- In the case of a minor, a parent, guardian or ‘Person Responsible’ as defined in the Guardianship and Administration Act 1986 must be involved in the provision of consent, in all cases;
- For adult customers referred to Leisure Networks, discussions with the person’s family/carer and/or NDIS key contact are required to assist to determine the person’s ability to provide consent and, where a customer is unable due to a disability, to ascertain who the person uses as their representative;
- When a person makes contact seeking support services from Leisure Networks, staff will recommend that a parent or ‘Authorised Person’ attend the
introductory meeting to support the customer and to assist in processes such as consent, where needed;
- In the event that a customer is considered unable to give consent by Leisure Networks staff, an ‘Authorised’ or ‘Person Responsible’ will be sought;
- In the event that Leisure Networks is chosen to provide Support Coordination Services and the customer is considered unable to give consent nor do they have any other informal supports to provide consent, Leisure Networks will document the following statement on the customer’s individual Supportability file.
“(insert name) does not have the capacity to provide informed consent by the means of giving verbal consent, signing a service agreement or consenting documentation. This is a systemic issue that LN has raised with the NDIA, NDS Victoria and state-wide advocacy services – the issue is currently under policy review. In the meantime, to ensure continuity of service, LN will progress with the delivery of Support Coordination services based on the fact that we have received a Request For Service from the NDIA”.
- Verbal consent provided by customers should be recorded in the Customer individual SupportAbility files; and
- Consent procedures and forms should be refreshed annually and saved under ‘Documents’ inSupportAbility.
Customer File Management
- Customer Files within SupportAbility are only accessible to Customer Support Officers, Planning Facilitators, Workers and the customer on request
- Customer Files are only accessible for view by officers within the service area from which the services are provided. Permissions are set within SupportAbility accordingly.
o Customer Files are to be maintained and kept up to date so that all personal information is accurate and complete
- Customer Files are to be stored securely in a locked cabinet and/or password protected areas
- Customer Files under no circumstances are to be removed from Leisure Networks office unless there is the expressed permission of the CEO and the reason is to carry out customer related activities.
- Customer Files must be returned to secured storage and customer information screens shut down immediately after use. Should an officer need to move away from their desk, customer file information must be removed from public view
- Staff printing customer information will remove printed or photocopied customer information from the copying centre as soon as printed.
- Face to face or telephone discussions with a customer of a personal or sensitive nature should be conducted in a private space so as not to be overheard by others
- Details relating to a customer’s behaviour, health status, disability or any incidents relating to customers should only be discussed with those people needing to know in order to provide appropriate support and care, or for official external audit purposes.
- In the case of releasing information for the purpose of research, customer information must be de-identified.