Privacy and Information Management Policy and Procedure

Policy Statement

You Therapy Services is committed to protecting the privacy of our clients'/participants' personal information (which includes their health information). As NSW health providers in the private sector, we are bound by the Health Records and Information Privacy Act 2002 (NSW) and the Privacy Act 2002 (NSW), as amended. This legislation includes both the Australian Privacy Principles and the NSW Health Privacy Principles.

This policy explains how personal information is dealt with by outlining the systems governing the collection, use, storage and disclosure of personal information, and access to, correction and disposal of that information. We are fully committed to complying with the consent requirements of the NDIS Quality and Safeguarding Framework and any relevant federal, state or territory requirements.

Our staff are bound by privacy and confidentiality requirements and will endeavour to ensure all clients/participants are satisfied that their personal information is kept private and only used for the intended purpose.

This policy will guide our staff in meeting these obligations. It also details to clients/participants how we use their personal information.

The policy will be made available to clients/participants upon request.

Procedure

Managing Privacy of Participant Information Storage

1. Participant information collected is kept in an individual participant record. Records are kept in electronic format. Where paper format exists, information needs to be transferred or scanned into the electronic record.

2. A participant record can include: personal information, clinical notes, investigations, correspondence from other healthcare providers, photographs, video footage.

3. A firewall is used in the You Therapy Services computer system as a means of protecting information stored on the computer. Other security-related procedures, such as user access passwords, also assist with the protection of information.

4. User access to all computers and mobile devices holding participant information is managed by passwords and automatic inactive logouts.

5. Any papers identifying a participant will be destroyed by shredding.

6. You Therapy Services is required to keep records for a minimum period of 7 years from the date of the last entry for people 18 years or more, and for individuals less than 18 years of age, seven years from the date the person turns 18, i.e. aged 25.

7. You Therapy Services uses the cloud-based case management and reporting system, iinsight. iinsight uses a 2-step verification system to provide an additional layer of protection and their databases are located in Australia. Please refer to their website for further information on data protection: https://www.iinsight.biz/

8. You Therapy Services uses Microsoft Office 365 for Exchange, SharePoint and Microsoft Teams. SharePoint is used to store client information, including assessment and report forms. All data at rest is stored in Australia. Microsoft Teams is used for telehealth appointments where appropriate.

Managing Privacy and Confidentiality Requirements of Participants

1. You Therapy Services refers to their Privacy Policy on the participant’s NDIS Service Agreement and on their website.

2. Consent to photographs and information sharing is included on the participant’s NDIS Service Agreement. This includes the following consents:

   I. Consent for sharing and obtaining information

   II. Consent for photography

   These consents are discussed with the participant and/or their decision maker in a way they can understand prior to the commencement of service.

3. Persons contacting You Therapy Services with an enquiry do not need to provide personal details. However, once a decision is made to progress utilising You Therapy Services, personal and sensitive information will need to be collected in order to undertake the services.

4. You Therapy Services may need to share pertinent participant information with other Allied Health Professionals to assist in determining support plans. Information is only shared to provide the best service possible and is only shared with those people whose Professional Codes of Ethics include privacy and confidentiality. Permission to share information is sought from the participant prior to the delivery of services and at other points of intervention as required.

5. Personal information is not disclosed to third parties outside of You Therapy Services, other than for a purpose made known to the participant and to which they have consented, or unless:

   a. the disclosure is required or authorised by law, including under the NDIS Act

   b. the disclosure will prevent or lessen a serious or imminent threat to someone’s life or health or a threat to public safety

   c. we engage a contractor to provide some services and that contractor needs personal information of certain participants, providers, carers or other persons in order to perform that service for us

6. Participants are informed there may be circumstances when the law requires You Therapy Services to share information without their consent. This information is included within the Service Agreement.

7. You Therapy Services will take reasonable steps to reduce the likelihood of a data breach occurring. Personal information will be securely stored and accessed only by relevant workers. If we know or suspect personal information has been accessed by unauthorised parties, we will take reasonable steps to reduce the chance of harm and advise involved participants and the Office of the Australian Information Commissioner of the breach.

Keeping Accurate Participant Information

Participants are informed of the need to provide us with up-to-date, accurate and complete information. You Therapy Services staff update information on the participant record at the time of reviews or when they become aware of a change in information. Staff at You Therapy Services update the participant record as soon as practical after the delivery of services to ensure information is accurate and correct.

Using Participant Information for Other Purposes

Under no circumstances will You Therapy Services use personal details for purposes other than stated above, unless specific written consent is given by the participant or their representative.

Participant Access to Their Information

Participants have the right to access the personal information You Therapy Services holds about them. To do this, participants must contact the Director of You Therapy Services in writing via:

   a) Email: laura@youtherapyservices.com

   b) Post: PO Box 93, Adamstown NSW 2289

Management of a Privacy Complaint

If a person has a complaint regarding the way in which their personal information is being handled by You Therapy Services, in the first instance they are to contact the Director. The complaint will be dealt with as per the Feedback and Complaints Management Policy and Procedure. If the parties are unable to reach a satisfactory solution through negotiation, an independent mediator should be used (parties will bear their own costs). If mediation is unsuccessful, the person may request an independent person such as the Office of the Australian Privacy Commissioner or the NDIS Quality and Safeguards Commission to investigate the complaint. You Therapy Services will provide every cooperation with this process.

Responsibilities for implementation of this policy and procedure

Management

  • To develop, maintain and review the Privacy Policy and ensure they understand their responsibility to protect the privacy of individuals’ personal information.

  • To ensure that all You Therapy Services staff members are trained in privacy and confidentiality requirements and bound by these under their employment agreement.

Staff

All staff will undergo training related to privacy and confidentiality requirements at the time of induction and then annually.

Links to other Business systems

  • You Therapy Services Feedback and Complaints Management Policy and Procedure

  • You Therapy Services Human Resources Policy and Procedure