Australian Regional and Remote Community Services (ARRCS) is the largest provider of residential and community services in the Northern Territory. We are a not-for-profit organisation which provides health and aged care as part of UnitingCare Queensland, a network of Uniting Church agencies dedicated to assisting individuals, families and communities.
In line with our values, ARRCS respects and upholds individuals’ rights to privacy and rights to their personal information. Consequently, ARRCS is committed to protecting the privacy of personal information it collects, holds and administers in the process of providing its services.
These commitments are undertaken to comply with the Australian Privacy Principles (APPs) prescribed under the Commonwealth Privacy Act 1988.
ARRCS primarily collects personal information and sensitive information to ensure delivery of optimum appropriate, timely and quality health, childcare, disability and aged care services that are tailored to the needs of the individual and support their personal network.
This Policy ensures the privacy of personal and sensitive information.
Applies to all staff, who in the course of their work have access to personal information across the range of ARRCS services.
ARRCS is committed to complying with the Australian Privacy Principles (APP), and the collection, use, storage, protection and disclosure of personal information held will be in accordance with those principles.
Responsibilities and Requirements
Information we collect, use and store
To ensure the delivery of optimum health, childcare, disability and aged care services, ARRCS usually collect the following types of personal information:
- Name and contact details of client (including address, telephone number and email address).
- Health status and services provided.
- Clinical care information.
- Relevant demographic and social information, such as date of birth.
- Name and contact number of any carers or relevant family members.
- Name and contact number of the consumers general practitioner and other relevant health care providers.
- Financial institution information.
- Government-related identifiers (including but not limited to Medicare, Centrelink and Department of Veterans Affairs numbers).
To deliver holistic palliative care services to consumers with a life limiting illness, we also request our consumers to volunteer their religious affiliations to better support the delivery of services as and when required by the consumer and their family.
Consequences if personal information is not collected
ARRCS is committed to providing its consumers with the very best of care to improve their quality of life and to provide support to their personal network.
If personal information is not collected because it is refused or not available, it may result in a different level of service being accessible.
ARRCS uses personal information to improve services to some of the most vulnerable groups in the community.
If sufficient information is not gathered in relation to certain research projects, the incomplete data may jeopardise future care and service planning and funding arrangements that ARRCS enters into for it to deliver premium services.
ARRCS may not be able to effectively resolve an individual’s complaint or dispute if their personal information is incomplete or missing.
Legal requirements for handling personal information
As an organisation that manages, funds and monitors a health service, ARRCS has various exemptions for collecting, using and disclosing personal information under ‘permitted general situations’ and ‘permitted health situations’ as defined in the Privacy Act 1988.
The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ or a ‘permitted health situation’ exists.
These exceptions apply in relation to the collection of personal information (including sensitive information, in some cases) (APP 3), the use or disclosure of personal information (APPs 6 and 8) and the use or disclosure of a government related identifier (APP 9).
In general terms, ARRCS is permitted to handle personal information if the collection is required or authorised under other Australian laws (such as contractual agreements with the Department of Veteran Affairs) or in accordance with established health and medical bodies that operate under their own obligations of professional confidentiality.
Obligations for obtaining consent
ARRCS is permitted to collect personal information (including sensitive information) as part of its functions as a not for profit health care provider.
Using and disclosing personal information requires consent where it is practical and reasonable to do so.
Consumers are requested to provide their consent to the use and disclosure of personal information collected from them for the purpose of providing optimum care.
In the absence of consent, or a person authorised to act on your behalf, under the Privacy Act 1988, information can only be released to another if:
- There is a statutory obligation to disclose certain information. (For example, subpoenas, warrants, coronial inquiries, provisions of other acts, such as the Adult Guardianship Act (NT) 1989).
- The public interest requires the release of confidential information.
Disclosure of personal information to others
Disclosure of personal information to ARRCS places the organisation in a position of trust within the community and as such we seek to protect and uphold the privacy of individuals in accordance with the APPs.
ARRCS will not provide personal information (including health or sensitive information) to other entities unless it is required under laws (such as through contractual agreements with the Commonwealth under the Aged Care Act 1997), or it reasonably believes that the recipient of the information will not disclose the personal information derived from ARRCS.
Where it is required by law, personal information disclosed to other sources will be de- identified.
There are a number specific instances under which ARRCS needs to provide personal information to other agencies, bodies and individuals. The following are typical examples:
- where ARRCS is authorised to provide another agency (such as to the Northern Territory Department of Health) with personal information to enable care to be delivered to the consumer;
- where, for legal reasons, ARRCS is obligated to provide information under a Court Order or other legal enforcement authority such as the Police or Coroner - the Privacy Act 1988 provides strict guidelines for the release of information under these circumstances;
- where ARRCS provide de-identified information to funding agencies and government departments to meet our contractual requirements (de-identified information cannot be linked directly back to an individual);
- where ARRCS maximise the efficient delivery of our care through engaging aged care specialists who work on our behalf to improve the quality of life for our consumers (consumer consent is sought prior to this release of information); and
- where a consumer is incapable of giving or communicating consent and personal information is required to be given to their ‘adult guardian’ (under the Adult Guardianship Act (NT) 1989), Disability Services Act, Carers Recognition Act, Mental Health and Related Services Act or ‘responsible person’ (under the Privacy Act 1988) for the necessary provision of appropriate care or treatment or for compassionate reasons.
In all other situations, the release of personal information may only occur with written consent or substitute decision-maker who has legal authority.
Notwithstanding the above, an ARRCS consumer has the right to withdraw consent to release personal information (for example for direct marketing) at any time. Ideally such communication should be in writing to the relevant ARRCS Service Manager responsible for your care.
Unsolicited personal information that ARRCS receives will be de-identified or destroyed unless it falls within Commonwealth or State funding arrangements, or is required to be retained by law.
Under contractual arrangements with various funding bodies and government departments, ARRCS is obliged to provide a range of different reports.
Some reports provide de-identified information on the amount of care provided and the types of consumers that ARRCS supports and some reports include the consumers name and date of birth and address.
Under the funding provided by the Commonwealth Home and Community Care program de-identified data is supplied.
Under the Department of Veterans’ Affairs contract reporting information is provided to Medicare on the amount of care provided, the Veteran’s name and the DVA pension numbers of the veteran clients supported.
Under the Disability Services contract, reports are provided to the Department of Health which includes the consumer name, address, date of birth and service provision data.
ARRCS will identify individuals (including consumers and staff) by a number of unique identifiers internally assigned by ARRCS.
ARRCS may retain a record of other external agency personal identifiers that are required to provide services, coordinate with other care agencies, or otherwise fulfil service, operational, or reporting obligations.
Use of contractors
At times ARRCS uses contractors to provide aspects of care and support to consumers.
Contractors are required to abide by the same confidentiality and privacy requirements as ARRCS employees and this is clearly stated within non-disclosure clauses in their contract.
There may be disclosures of personal information where there is a change of contractors, in which case personal information may be transferred to a new contractor.
ARRCS may also disclose your personal information in seeking assistance and advice from lawyers, auditors, data support specialists and other advisers who are bound by confidentiality obligations to us.
APPs: The Privacy Amendment Act introduces a set of new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses. Under the changes, there are 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.
APP Organisation: is defined to be: an individual, a body corporate, a partnership, any other unincorporated association, or a trust unless it is a small business operator. In general, a small business operator is a business with an annual turnover of $3,000,000 or less for a financial year, unless an exception applies (s 6C). The exceptions include businesses that provide a health service and hold health information other than in an employee record and businesses that disclose personal information for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information.
Access: involves giving a client information about themselves held by ARRCS. Giving access may include allowing a client to inspect personal information or giving a copy of it them.
Collection: means gathering, acquiring or obtaining personal information from any source and by any means. Collection includes when ARRCS keeps personal information it has not asked for or it has come across by accident.
Compliance: means doing what the Privacy Act 1988 and this Manual requires services and staff to do.
Consent: means ‘express consent or implied consent’.
De-identified information: refers to information from which identifiers have been permanently removed or where identifiers have never been included.
Disclosure: means releasing information to others outside of ARRCS. Disclosure does not include giving a client information about themselves (this is ‘access’).
Personal information: is information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a client whose identity is apparent, or can reasonably be ascertained, from the information or opinion (e.g. name, address, telephone number). Personal information can include health and sensitive information.
Questions or concerns
If you have any questions or concerns, would like to correct your Personal Information or you wish to make a complaint about a breach of the Act at any time, please get in touch. We take your privacy seriously and are always ready to listen. If you are not happy with the way we collect, use, hold or disclose your information you are welcome to lodge a complaint. To do so, please contact:
Level 5, 192 Ann Street, Brisbane 4000
Postal address: GPO Box 45, Brisbane Qld 4001
Phone: 07 3253 4000