Your privacy and confidentiality

Anglicare Tasmania Inc. respects the privacy rights of all individuals. We are required to comply with the principles contained within the following privacy legislation:

• Privacy Act 1988 (Cth) (Privacy Act)
• Right to Information Act 2009 (Tas)
• Personal Information and Protection Act 2004 (Tas) (PIP Act)

We must also comply with the:

• Australian Privacy Principles (Cth) (APP)
• Personal Information Protection Principles (Tas) (PIPP)
• Health Complaints Act 1995 (Tas)

Anglicare Tasmania is committed to the protection of personal privacy.

Process
Here we identify how your personal information will be collected, stored, used, disclosed and disposed of. We also explain how you can access and amend your personal information and what you can do if you think your privacy has been interfered with.
Throughout this document we are referred to as Anglicare, us and we. We refer to an individual as you.

Personal Information – Collection and Use
Anglicare is required to collect information and data by the government as part of our funding arrangements. This does include some personal information.
Anglicare also collects personal information to enable us to provide services, which may include:

• the provision of disability, mental health and NDIS services,
• aged and home care services,
• housing support services,
• financial counselling,
• alcohol and drug support services,
• children, young people & family services, and
• research to improve the quality and types of service we provide.

We collect personal information by lawful and fair means.
The type of personal information we collect includes, but is not limited to:

• identity, address and other contact details,
• next of kin contact details,
• information about funding for services (claims number),
• other services clients are receiving from other organisations,
• financial information; and
• health Information.

Personal information will only be collected directly from

• you,
• a third party if you consent, or
• your legally recognised or appointed representative.

In some circumstances, consent is not required for the collection of personal information. This includes where the collection, use or disclosure of the personal information is required by law.

Examples include where disclosure is necessary to lessen or prevent a serious threat to

• life,
• health,
• safety, or
• welfare, –
• of an individual.

If a child is under 16 years of age, and it is not reasonable or practicable to collect the information directly from them. The information may be collected from a parent or guardian without the child’s consent.

When we collect personal information from you, we do this:

• by using written forms,
• through contact over the telephone, your mobile or other messaging technology,
• the internet, via our website,
• email transmission, and/or
• directly in person.

In most cases we will need you to acknowledge your consent to any collection, use or disclosure of your personal information. In most cases we will seek your permission before collecting personal information. This will be:

• in writing,
• through an acknowledgement selection online, or
• Your consent or acknowledgement may also be implied through conduct such as when:
• you speak to a staff member,
• you provide us with personal information that we have not specifically requested; or
• when we have provided you with the opportunity to choose (via opt in or opt out) and you have chosen accordingly.

We will not collect your Sensitive Information including Health Information unless:

• you consent,
• the collection is required or permitted by the PIP Act (and/or Privacy Act where applicable); or
• you are an employee of Anglicare and the information collected is employee information.

Can you be Anonymous or use a Pseudonym?
Where it is lawful and practical, individuals have the option of not identifying themselves with Anglicare. However, in most situations, it is not possible for Anglicare to provide services if you use a pseudonym or remain anonymous.

Privacy Statement/Collection Notice
We will ensure you are aware when we collect your personal information and the primary purpose of its collection. When you interact with Anglicare you will receive a privacy statement from us. The statement provides information about how we manage personal information generally. It may be delivered to you,

• verbally,
• hard copy paper,
• electronically or
• via a link to our website.

If you access supports through Anglicare’s services, you will be provided a Service Agreement. This will provide privacy summaries and links to our website.
If Anglicare does not obtain the personal information requested, we may not be able to perform or provide you with the requested services.

Disclosure of Personal Information
Where necessary, to complete our activities and reporting, personal information may be disclosed to;

• Federal & State Government funding bodies, at level,
• Anglicare sub-contractors
• other service providers or professional advisors based in Tasmania and/or based in other states
• other service providers at the time of client
• discharge,
• exits, or
• transfer, – to another organisation

Where possible, Anglicare will de-identify personal information and data before sharing it externally.

Circumstances for disclosure
Under the following circumstances personal information may be shared:

• an assessment indicates that client/personnel is likely to harm themselves or others,
• client/personnel have disclosed a serious criminal activity or family violence,
• children are at risk of harm or neglect,
• assisting in locating a missing person,
• when approached by police requesting assistance,
• we are required to by legislation,
• a client’s file is subpoenaed by law, or
• an employee is summoned to appear before a court of law.

Security of Personal Information
Anglicare has implemented processes to protect personal information. We implemented security measures to protect from:

• accidental loss,
• unauthorised access,
• improper use,
• unsanctioned modification and
• unlawful or accidental destruction.

Anglicare will not provide personal information to unauthorised persons. Anglicare uses an Australian cloud-based system to store your personal information.

Access & Amendment of Information
You may request access to your personal information using our contact details below. If you request access to your personal information you will either:

• receive a copy of the information, or
• be provided support to view the electronic records.

Requests for personal information will be met without unreasonable expense or delay, unless:

• This would pose a serious and imminent threat to the life, health or safety of any individual.
• This would unreasonably affect the privacy of other individuals.
• The information relates to existing or anticipated legal proceedings between Anglicare and yourself. Where the information could not be obtained by the legal process of discovery in those proceedings.
• It would be unlawful to provide access.
• Denying access is required or authorised by law. or
• Providing access would be likely to prejudice an investigation into possible unlawful activity.

We will need to verify your identity before providing access to your personal information.

Within 20 working days of your written request to access your personal information, we will:

• provide you with access to your personal information or
• reasons for our refusal to access

Where your file contains personal information that relates to a third party. This information may be redacted before you can access your file.
Anglicare will take reasonable steps to make sure the personal information it collects, uses and/or discloses is

• accurate,
• complete and
• up to date.

If your personal information changes or you believe our records are not;

• accurate,
• complete and
• up to date.

Please contact us to update the information you have provided to Anglicare by using the details below.

If we agree that the information needs correcting, we will take reasonable steps to correct that statement. If we do not agree that the information needs correcting. You can ask us to put a statement with the personal information explaining why it needs to be corrected.

We will respond to your request to update or correct inaccurate information within 20 working days of receiving your request.

Interstate and Overseas Disclosure
Anglicare may transfer personal information interstate or overseas where necessary for the purpose of collection. Anglicare will comply with the requirements of

• PIPP Act and/or
• Privacy Act, –

to ensure personal information stored interstate or overseas are subject to similar privacy laws.

Destroying Personal Information
Anglicare will securely destroy personal information, when it is no longer required by Australian law.

Responding to data-breaches
In cases of data breaches, Anglicare will conduct an assessment to identify if the breach meets the criteria of the Notifiable Data Breach (NDB) Scheme. The NDB requires Anglicare to notify individuals and the Office of the Australian Information Commissioner when,

• There is unauthorised access to, or disclosure of personal information held by Anglicare (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
• This is likely to result in serious harm to any of the individuals to whom the information relates.
• Anglicare has been unable to prevent the likely risk of serious harm with remedial action.

Where it is identified that the breach meets these conditions, Anglicare will follow the requirements of the following documents to respond to the NDB:

• Anglicare – Disaster Recovery Backup Security Overview,
• IT Critical Incident Flowchart, Cyber security plan, and
• Critical Incident Management.

In cases where Anglicare does not meet the requirements of the NDB the organisation will:

• Attempt to contain and retrieve the breach,
• Removal access or sharing e.g. Removing permissions or files involved,
• Investigate and identify sources of the breach
• Review and identify impact of disclosure based on individual need,
• Take appropriate actions to mitigate impact and reoccurrence.

Supporting documentation

Australian Privacy Principles

Forms – Privacy and File Management

Notifiable Data Breaches scheme

Personal Information Protection Act 2004

Privacy Act 1988 (Cth)

Right to Information Act 2009 (Tas)

Personal Information and Protection Act 2004 (Tas) (PIP Act)

Health Complaints Act 1995 (Tas)