Create Foundation

Privacy Management Policy

Policy Recommended by Leadership Committee: Date: December 2007
Policy Ratified by Board of Directors: Date: December 2007



 

Policy Statement

CREATE is committed to ensuring that its Privacy Management system is accountable, open and transparent. CREATE is committed to the right of children, young people and carers to privacy and confidentiality. All service users are entitled to access personal information that CREATE has on file and have the right to make a complaint if they think information about them is not being handled properly.
 
Authority   
Privacy Act 1988 (Commonwealth)

Principles
Principles are sourced from the Privacy Act 1988 (Commonwealth)
1.    Collection
2.    Use and disclosure
3.    Data security
4.    Openness
5.    Access and correction
6.    Identifiers


Links
Complaints Policy

Purpose
The purpose of this Privacy Management Policy is to describe procedures for implementing a range of processes relating to the management of confidential information, either electronic or hard copy. This includes file management, storage of staff diaries/workbooks, case notes, faxes, data base records, mail lists, and other records of transactions for service users and/or key stakeholders.

The purpose of this policy is to:
•    Indicate which documents and materials produced by the organisation are presumptively open to members and/or the public
•    Indicate which documents and materials produced by the organisation are presumptively closed to members and/or the public
•    Specify the procedures whereby the open/closed status of documents and materials can be altered.


Definition
Service users – includes children and young people under the age of 25 years that have a care experience, and foster and kinship carers and / or grandparents who access CREATE services, programs, activities, and newsletters

Key stakeholders – all relationships that CREATE has with sector partners, including those who may hold CREATE membership

Records - are the evidence of the transactions or activities when providing a service to service users, consumers

Hard copy records – includes paper based records such as printed emails, certificates, letters, case notes, reports and registers.

Electronic records – computer based records kept on the agency's computer system


Categories


Children and young people

  1. All children and young people records shall be available to them regardless of the child or young person’s age.
  2. No child or young person’s record will be made available to anyone outside of the organisation without a duty to provide it
    (see Procedure: Release guidelines section).
  3. Within the organisation, a child or young person's personal information is only accessible to those who need it to carry out their functions and obligations.
  4. There should be no occasion that the Board would require access to confidential personal information for children and young people. Non identifying information can be made available.

Board Records

  1. The Board operates in an open and transparent manner.
  2. Upon written request, Board minutes may be viewed at the discretion of the Board, except where the Board passes a motion to make any specific portion of the minutes confidential.
  3. If the Board denies any request it will provide a written explanation.
  4. The Company Secretary is responsible for maintaining company records, and for responding to all requests for information from the Board.

Staff Records

  1. All staff records (HR files) shall be available to the staff member concerned or to their legal representatives.
  2. No staff records shall be made available to any person outside the organisation without authorisation in writing from the staff member concerned
  3. Within the organisation, staff records shall be made available only to those persons with managerial or personnel responsibilities for that staff member, except as provided in item 4.
  4. Staff records shall be made available to the board when requested.

Member and Donor records

  1. All member and donor records shall be available for consultation by the members and donors concerned or by their legal representatives.
  2. No member and donor records shall be made available to any other person outside the organisation.
  3. Within the organisation, member and donor records shall be made available only to those persons with managerial or personnel responsibilities for dealing with those members and donors, except as provided in item 4.
  4. Member and donor records shall be made available to the board when requested. 

Administrative records

  1. All records and materials not falling into the categories above may be released to the public at the discretion of the Privacy Officer (Regional Coordinator), who shall take into consideration
  • a general presumption in favour of transparency
  • the relevant provisions of the Associations Incorporation Act regarding information to be made available to members
  • the marketing, commercial, legal, and administrative interests, priorities, and resources of the organisation, including
    * commercial confidentiality
    * copyright issues

PROCEDURE

1. Collection

The CREATE Foundation will not collect personal information unless the information is essential for it to carry out its functions or activities outlined in funding and/or Service Agreements.

CREATE will take reasonable steps to ensure that the individuals (on whom we hold personal information) are aware that the information is held and can be accessed, and of the purpose of collection and the circumstances in which information can be used and disclosed.

All personal information on service users (children and young people, foster carers) on the clubCREATE data base will be restricted to delegated staff. All other personal information should be stored in secured cabinets and only accessible to staff who need access to carry out their duties.


CREATE has two nominated Privacy Contact Officers, in the position of Regional Coordinators, who act as the first point of contact for privacy issues that may arise, depending on where the inquiry is generated (location). The Privacy Contact Officer is responsible for responding to the query in a timely manner (within 10 working days) and determining whether the issues raised in relation to records management are a process issue or should be handled as a complaint. Refer to the Complaints Policy for guidelines.

No personal information or records of service users can be held off-site, and remote access to information held on CREATE systems is only available in extenuating circumstances to delegated staff authorised by the CEO.

Any information held by CREATE should not be shared with, or provided to, a third party without express permission from the child or young person if aged over 18 years, and from the statutory body in each state and/or territory for children and young people under 18 years. This is notwithstanding our duty of care obligation to report child protection concerns, and subsequent data or evidence if appropriate, to statutory bodies or the Police. Refer to the subpoena request section for more information.


clubCREATE

clubCREATE is an electronic data base that records consumer (children and young people, and foster carers) information for the purpose of membership to the clubCREATE newsletter and other information and activities.

The data base can only be accessed by staff nominated by the CEO, and is password activated.

clubCREATE data cannot be provided to a third party without written approval from a statutory funding body and approved by the CEO.


2. Use and disclosure
In most cases the information stored falls into the following categories; however, exceptions to this list may occur, which can be negotiated on a case by case basis.

•    Recording statistical information (numbers of children attending programs, functions, events and so on)
•    Carer / volunteer personal and demographic details
•    File notes
•    Correspondence
•    Reports
•    Training records
•    Research


CREATE will not disclose personal information about any individual to others in the absence of a legal obligation to disclose it, or if deemed to be in the service user's best interest in accordance with state legislation. This includes mandatory reporting.

CREATE will take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate and up-to-date. CREATE will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. These are detailed in the file management process listed below:


File management process

CREATE generally does not hold files for children and young people or carers. However, in circumstances where it does, the following process should be adhered to.

  1. Any files for carers and children and young people are to be located in locked filing cabinets in each state and/or territory.
  2. The files are to be locked each evening and the key located in a secure (locked) location.
  3. Computer files holding personal information of service users are only available to centre staff in the state they originate from.
  4. Confidential files for carers and children and young people that are inactive for 2 years are to be stored by CREATE in archive files for 7 years, and then where appropriate (dependent on state legislative requirements) forwarded to the statutory body in each state and/or territory. This is the responsibility of Centre Coordinators.
  5. The Records Management Policy will be reviewed yearly as part of the annual planning process.


3. Data security

CREATE will store data in secure locations in either hard copy or electronic form. Staff diaries and case notes are an official and legal record.

  • Staff diaries containing private or confidential information about children and young people should be stored and filed in locked and secure archive storage for 7 years. Centre Coordinators are responsible for ensuring that diaries are returned by staff and stored.
  • Current diaries should be stored securely if they contain confidential client information. Staff should ensure that contact details and full names of children and young people are NOT included in their diaries. For example, the Christian name OR surname may be used but NOT the full name.

Confidential service user records

To prevent unlawful access all records including files should not be left unattended in the office (including in-trays). Information should be locked away when not in use. Unauthorised persons should not be allowed entry into confidential work areas.

Service user files should not be transported out of the office, unless in extenuating circumstances and approved by the Privacy Contact Officer or CEO. Security provisions, such as a locked briefcase, should be in place should records be transported. This should be supervised by the Privacy Contact Officer.


4. Openness


All CREATE staff and volunteers are to be informed of the confidentiality requirements and all staff and volunteers are required to sign a Confidentiality Agreement. The Agreement is to be filed in individual personnel files. This is the responsibility of the HR or delegated Officer.

CREATE will inform children and young people and key stakeholders of the Privacy Management Policy and the Complaints Policy via:
•    ClubCREATE newsletter
•    CREATE Web-site
•    Young Consultants Training
•    Youth Advisory Council Training
•    Promotional and marketing material
•    During direct service activities


5. Access and correction

CREATE is not covered under the Freedom of Information Act as it is a non-government organisation. CREATE's information is released under an "Administrative Release" framework, and CREATE will provide individuals with access to their personal information upon written request. Administrative Release is a term commonly used in the non-profit sector to identify the terms under which documents can be released. There is no charge for this service.

Personal information held on file by CREATE is able to be accessed by the following:
•    The individual about whom the information is stored (upon written request)
•    Through subpoena (court ordered request for documents)
•    At the request of the statutory funding body (in each state and/or territory)

If CREATE for whatever reason decides to deny access to the information, it will provide reasons as to why access is being denied in writing. This should be done after consultation and approval from the CEO.

If the individual and the organisation disagree about whether the information is accurate, complete and up-to-date, the person making the request can ask that the organisation place additional information on the file. This can be done via a written statement claiming that the information is not accurate, complete or up-to-date. CREATE will take reasonable steps to add, or include, the information on the individual's file.

If a service user wishes to have access to information that CREATE holds about them, they need to formally advise CREATE in writing of their request.

Release guidelines


A child or young person of ANY age can ask to see information kept about them that CREATE holds

File release for children and young people is governed by the following guidelines:

  1. No inward correspondence is to be released (letters and other written material from a third party about the child or young person). CREATE can only release information that has been generated by CREATE; we are not able to release third party information.
  2. The following can be released: case notes, outward correspondence to the individual, and personal reports and documentation, i.e. certificates of attendance and so on.
  3. CREATE upon receipt of a written or verbal request will:
    • Review the file
    • Photocopy all case notes, and outward correspondence for the individual
    • Delete all references to:
      a. Other children in care
      b. Remarks that may identify a notifier (someone who has reported a concern about the child or young person)
  4. Contact the person requesting the file to collect the file or come in to the office to view the file
  5. Sign a receipt of acknowledgment for the file


Release guidelines – Subpoena request

  1. All information listed on the subpoena is to be released.
  2. All references to other parties (other children in care, or other people not identified on the subpoena) are to be deleted. If the scope of the subpoena includes other parties, this must be complied with.
  3. If staff are unsure of the requirements, queries should be directed to the authority requesting the subpoena for clarification.
  4. The CEO or delegated Manager is responsible for authorising information to be released for subpoenas


Release guidelines – other agency or stakeholder (only information about the organisation or stakeholder is to be released).

This is in cases where a stakeholder may request to see the information that CREATE has on file about them.

  1. The validity of the request should be determined by the Regional Coordinator and they should seek approval from the statutory body in the state the request derives from if deemed necessary
  2. Before releasing information the Regional Coordinator should seek approval from the CEO
  3. No information is to be provided about children and young people
  4. The request for information release needs to be in writing and must identify the specific information requested and the reason

6. Identifiers

Information kept on file should be accurate and up to date.

Service user statistical data should (where possible) be provided in code format (either alpha code or client number) and not using client full names. This may be for purposes of research.

All information disposed of by the service should be shredded if it contains identifying information.

CREATE will take reasonable steps to destroy, archive or permanently de-identify (white out, block out with marker) personal information if it is no longer needed.

Children and young people are not able to be identified by photograph image, or by full name in any publication or material produced by CREATE without the express permission of the statutory body (in writing) in the state where the child is in care (unless the child or young person is over the age of 18 years).

Photographs of children and young people under the age of 18 years are not to be displayed by CREATE in centre offices where the public have access.

Children and young people's stories, narratives, life histories and personal experiences cannot be shared or published in the public domain without their express approval. This includes children and young people of all ages. It is not permissible merely to change the child's name to protect their identity. Life stories are deeply personal and should be respected.


Timeframe/s

CREATE requires a minimum of 15 working days and a maximum of 30 days to process written requests for the release of information. Every effort will be made to release information within the 15 day period.

If CREATE anticipates that this deadline is unable to be met, the CEO should be notified, and the person making the request will be informed and a new date negotiated.


Website & contents © 2008 CREATE Foundation
Head Office: Level 6, 280 Pitt St Sydney NSW 2000  |  P: 02 9267 1999  |  F: 02 9267 9433  |  E: create@create.org.au