Privacy Policy

Client Privacy and Confidentiality

Policy Context

We respect and support a client’s right to privacy, confidentiality and access to personal information. Our organisation’s practices and processes for collecting, storing and disclosing client information will meet the requirements outlined in the following legislation:
 The Commonwealth Privacy Act 1988.
 The National Disability Insurance Scheme Act 2013.
 The Victorian Information Privacy Act 2000.
 The Victorian Health Records Act 2001.
 The Notifiable Data Breach (NDB) Scheme.


Security and Quality of Information
We will ensure that all information is kept accurate, up to date and complete. Client Information will be checked for accuracy, currency and comprehensiveness each time a client is reassessed.
All personal information whether paper or electronic, will be protected from unauthorised access, alteration and loss.
No staff member, volunteer or student is entitled to access any client record or file except where such access is in accordance with their professional or administrative role. Staff, volunteers and students will have the minimum level of access to information that their role requires and they must keep this information strictly confidential.

The Executive Director (ED) will have access to client files for the investigation of complaints and for legal purposes.

reaches may be considered grounds for dismissal. All staff, volunteers and students will be required to sign an employment and confidentiality agreement before commencing service.
Confidentiality and privacy policies and procedures will be part of staff and volunteer induction and ongoing training. No personally identifying information should be contained in any agency publicity material, talks, reports or memos unless
prior informed consent has been given by the client. Conversations with or about clients should be conducted in private.
All actual or suspected breaches of privacy and confidentiality, and all breaches of security that might have a privacy or confidentiality implication, are to be reported using the Incident Report form in the Intranet.


Consent is required when we collect health information, use or disclose information for a purpose other than that for which it was collected, or disclose information to healthcare providers of another agency. We recognise that consent is valid only when it is informed, voluntary, specific and current, and the client has the legal capacity to consent.

In circumstances where clients are unable to give informed or voluntary consent an authorised representative may do so on their behalf. When an authorised representative is required to consent for a client, the staff member should ensure that they have sighted (and been given copies of) the client’s file and the relevant documentation that provides
evidence of authorisation.

If there is no authorised representative, and a client cannot give informed and voluntary consent, the client’s program coordinator will make a decision about who (eg. carer, friend), if anyone, can consent on the client’s behalf and act in the client’s best interests. The coordinator will keep detailed documentation about the reasons for any decisions made in relation to accepting an unauthorised representative’s ability to consent on the client’s behalf.

We will only collect the minimum, individual personal and health information that is necessary for delivering services to a client or for purposes that are directly related to the delivery of such services, and for departmental statistical and performance reporting purposes.

Health and personal information will be collected for the purposes of:
 establishing a client’s eligibility,
 prioritising clients for services,
 assessing a client’s needs,
 developing a care plan,
 providing data to a funding body, and
 planning and evaluation (in this situation any identifying information will be removed from the data).

We will collect any information only if we have client consent, or consent from an authorised person. Before seeking a client’s consent to collect information we will inform them about:
 what kinds of information we wish to collect and our purposes for collecting such information,
 their rights to privacy and confidentiality,
 their right to refuse to give personal information and the consequences of such a refusal,
 their right to access their personal information, and
 their right to complain if they think their health information has been collected used or stored inappropriately.

We will inform the client of the above rights and information both verbally and in written form. Written material that gives information about privacy and confidentiality and client rights with regard to privacy and confidentiality is contained in the following:
 ‘Your Information – It’s Private’ brochure
 Client Information Rights and Responsibilities Statement.
 Client Information Kit.

At the time of reassessment clients are reminded of their rights in relation of privacy and confidentiality and access to information as well as their rights and responsibilities as ADEC clients.
Collection of information, provision of information and discussions about consent will be conducted in a private area and, whenever possible, in the client’s preferred language.
All information collected by our organisation will be written clearly, simply and legibly. The information collected will not be judgmental and will be respectful of the client concerned. Entries in a client record will, wherever possible, be formulated in conjunction with the client concerned.

ADEC will only use and disclose1 information for the primary purposes for which it was collected. A client will be notified of these purposes at the time of collection and prior to a proposed disclosure and we will take all possible steps to ensure that information is used and disclosed in accordance with a client’s expectations.
We will disclose information about a client to an outside organisation or individual only if we have the client’s or authorised person’s consent to do so. Consent to disclose information will be recorded on an Information Authority form and clients will be provided with a copy.
If a client wishes us to disclose information to an advocate or other nominated person we will require them to complete an Information Authority form for this specific purpose. The only circumstances under which we will disclose a client’s information without their consent is when:
 An authorised representative requires information.
 Where it is permitted or required by law.
 There is a serious threat to the health, safety or welfare of the individual.
 There is a serious threat to public health, safety or welfare.
In these situations we will keep the client informed of a disclosure of information whenever possible and appropriate.

Authorised representatives include:

 Guardians.
 Attorneys under Enduring Powers of Attorney.
 Agents under the Medical Treatment Act 1998.
 Administrators under the Guardianship and Administration Act 1986.
 A person otherwise empowered by the clients to act or make decisions in the best interests of the person.
Proof of the representative’s authority will be sighted and a copy of that document placed in the client's file. Proof of authority includes Guardianship or Administration Order, or an Enduring/Medical Power of Attorney.


If a client, or their authorised representative, wants to access their personal information they should approach their ADEC support worker who will arrange access as soon as practicable and where possible, in the form requested by the client such as to view or copy documents, or to have information explained verbally. Copies of originals will be supplied
on request In some circumstances a request for access to information may be denied, such as when granting access could pose a serious threat to the life or health of the individual, where the information was given in confidence by another person and they have not consented to its release, where legal privilege applies, or where granting access would prejudice law enforcement. Access will only be denied to those parts of the health record that concern these circumstances and the client will be advised in writing of the reason for refusal as soon as practicable but within 45 days.

Individuals seeking access to their information will also be advised that they have a right to correct it but that the previously recorded information will remain in the file.
A correction may be refused where there is lack of supporting evidence for it. In this case the person may still request that their requested correction is attached to the file, where it will be annotated with the reason for refusal.
When a correction has been made, the agency will take all reasonable steps to inform other organisations or individuals to whom the information has been disclosed.
A client who is not satisfied with a decision may complain to the Health Services Commissioner.

Privacy and Confidentiality Relating to Complaints
We recognise and support a client’s right to make a complaint if they believe that their personal information has been collected, used or stored inappropriately. Clients are made aware during the intake process of their right to make a complaint and how to do so.

This document was last reviewed on 9 September 2022.

‘Use’ refers to handling information within the agency. ‘Disclosure’ refers to the communication of client information
to another agency.