Privacy and Information Management Policy Version 1.0  

Parent document: ARC Rules and Regulations 

Document owner: Managing Director  

Policy category: Operational 1. 

Policy Statement 

We are required to comply with the Australian Privacy Principles outlined in the Privacy Act 1988 (Cth). We are committed to ensuring the appropriate use and collection of personal information by observing the Australian Privacy Principles when handling and managing an individual’s personal information. All personal information collected by us is used only for the purpose of undertaking business functions or service provision. 

 Aim 

This policy seeks to explain: 

• how we protect, collect, retain, use and disclose personal information 
•  an individual’s rights in relation to personal information we hold 
•  how we will manage any identified data breach. 

Scope 

This policy applies to all staff (employees, volunteers and contractors) and to: 

• any person who receives services and/or goods from us 
•  information provided by or to a third party relating to a person who receives services and/or goods from us 
•  any other person who may interact with us where the collection of personal information is required. 

 Definitions 

Australian Privacy Principles 

A set of principles in the Privacy Act 1988 that apply when handling personal or sensitive information in order to conduct its business. 

 Data breach 

There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by us. This relates to both physical and electronic records. 

 Privacy and Information Management Policy 

Privacy and Information Management Policy Version 1.0  

Eligible data breach 

A data breach where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held, which is likely to result in serious harm to the person to whom the information relates. 

Health information 

A subset of personal information which includes information or an opinion about the health (including illness, disability or injury), current health services, express future health services wishes of an individual.  

Permitted health situation 

As defined in the Privacy Act 1988. 

Personal information 

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. 

 Sensitive information 

Is a subset of personal information and will only be collected with consent, where we are required or authorised by law or is otherwise allowed under the Privacy Act. This includes: 

• information or an opinion about an individual’s racial or ethnic origin 
• political opinions 
• membership of a political association 
• religious beliefs 
• philosophical beliefs 

• membership of a professional or trade association 
• membership of a trade union 
• sexual practices 
• criminal record 

 Health information 

 What Types of Information Does ARC Collect? 

 Personal information 

We will collect personal information about a person when it is reasonably necessary for or directly related to the functions and services we provide. We are required to collect some types of personal information in order to comply with Australian law and government service and funding agreements that govern how we deliver our services. 

 The types of personal information we may collect from people may include: 

• name, date of birth, gender, contact information 
• medical history including, where relevant, a family medical history 

 Privacy and Information Management Policy Version 1.0  

• racial or ethnic origin 
• Medicare number, other related information and information about private health insurance 
• current medications or treatments 
• the name of any care provider, health service provider or medical specialist we refer a person to or has referred a person to us and copies of any referrals and reports 

• relevant health and welfare information 
• information relating to your “consent to obtain and release” information 
• information about family and other related person as per signed consent form. 
• information about preferred modes of communication. 
• your NDIS plan details, including government identifiers such as your participant NDIS number (NDIS)if applicable 
• any information or documents which you provide or upload to an MPM platform in relation to the services and supports provided 
• any information about your interactions with ARC or ARC services, platforms or websites including engagement with others whilst using ARC platforms (e.g.feedback, “likes”, comments, choices, preferences, messages) 
• details about the services or products we have provided to you or that you have enquired about, including any additional information necessary to deliver those services and products and respond to your enquiries 

 Sensitive Information 

We may collect sensitive information about a person where the information is: 

• necessary to provide the person with a particular service and 
• solely relates to the person who has regular contact with us in connection with a service provided. 

 We will only collect sensitive information when consent has been provided, except where a permitted health situation exists. 

 How Do We Collect Personal Information? 

The collection of personal information is dependent on the nature of a person’s dealings with us. 

The majority of personal information will be received from the person when they: 

• contact us in person, via phone, email or through our website 
• engage us to provide a good and/or service to them 
• subscribe to our social media platforms 

• subscribe to our newsletter 
• donate 
• attend events hosted or facilitated by us. 

 We will ensure the person is notified or made aware that personal information is being collected and the purpose of the collection. 

We may also collect personal information from a third party without a person’s knowledge or consent when a person is not legally able to provide the information or consent. In these cases information will be sought from a person who is legally able to provide the relevant information.  

 Using and Disclosing Personal Information 

We will only use or disclose personal information: 

• for the primary purpose for which it was collected 
• related purposes that would be reasonably be expected 

• any purpose required or authorised by law 

 Privacy and Information Management Policy Version 1.0  

Direct marketing by us of other services relevant to the person. 

We will ensure personal information collected, used and disclosed is accurate and complete. 

We will not disclose a person’s personal information outside of without prior consent or unless required or permitted under Australian laws. 

Under the following circumstances, we may lawfully disclose a person’s personal information without consent: 

• mandatory reporting of suspected child abuse or neglect 
• mandatory reporting of suspected elder abuse 
• where it is necessary to lessen or prevent a serious threat to public safety 

• we have been issued with a court subpoena 
• it will assist location of a missing person. 

 All information used in internal or external (government services and funding agreements) statistical reporting must be de-identified. 

Any information stored via offsite software cloud services is currently located within Australia. If this should change, impacted persons will be notified. 

 We may disclose personal information to third party contractors(including information technology suppliers, communication suppliers and our business partners including entities engaged by ARC to oversee and moderate user interactions on the ARC community platform, who help us conduct our business or as required, authorised or recommended by applicable law, the NDIS Act and Rules or other policy requirements of the National Disability Insurance Agency. These entities are located in Australia and All third-party software providers must sign a confidentiality agreement before accessing our software solutions or network. 

 Where information is shared with these third parties, we will take all reasonable steps to ensure that third parties observe the confidential nature of such information and are prohibited from using or disclosing such information beyond what is necessary to assist us.  

 Other than third party contractors, Aspire Recovery Connection will seek written consent from the client to release any information about them to an external party. For example, consent to speak with other support providers. This is ordinarily documented in our “Consent to Share” form.  

 If the Consent to Share Information form is not completed, ARC may ask the person(s) seeking information to liaise directly with the client or their nominated person.  

 All clients have the right to withhold consent. ARC will advise clients of any known impacts this may have on service delivery and the ability of ARC to provide services. ARC shall work with nominated representatives/ guardians in circumstances where clients are unable to give informed consent (e.g. to a service agreement). In these cases, nominees and guardians must reflect the needs and goals as identified by the person with disability and make decisions regarding privacy and dignity to best maximise the client’s wellbeing in all aspects of his/her/their life. My Plan Manager will try to work with the nominee as required to achieve this end. 

Storing Personal Information 

We hold personal information as either a physical or electronic record and have processes in place to ensure the security of personal information. 

We apply appropriate security to personal and sensitive information to ensure only staff that require access, have access to carry out the delivery of services and programs. 

Any personal information that is no longer required is destroyed in a secure manner in accordance with the General Records Management Procedure. 

 Privacy Officer 

The Corporate Services Manager is the Privacy Officer. 

 Access to and Availability of ARC’s Privacy Information or Policy 

Access to privacy information will be made available via our website and our Privacy Information brochure. Any person can request a copy of the Privacy and Information Management Policy and staff will endeavour to provide a copy of the policy in the desired format requested. 

 Access to and Correction of Personal Information 

 Access to Personal Information 

A person can request access to their personal information held by us by contacting the Privacy Officer in writing. The Privacy Officer can deny access to information if required or authorised by Australian law. 

Privacy and Information Management Policy Version 1.0 

Where access is denied, the Privacy Officer must notify the person in writing of the reason access was denied and the process to complain. 

Where access is granted, we will arrange to make the information available within 10 working days from receipt of the written request. 

 Correction of Personal Information 

A person can request updates to their personal information by providing the appropriate evidence. We must ensure the information received is accurate, up-to-date, complete, relevant and not misleading. We may deny the request to update the information if it is deemed inaccurate, incomplete or misleading. 

Where the request to update personal information is denied, we must respond to the person in writing stating the reason the request was denied and the process to complain. 

 Eligible Data Breaches 

Where we have reasonable grounds to suspect that a data breach has occurred staff will immediately notify the Privacy Officer. 

The Privacy Officer will undertake immediate action to contain the breach and within 30 days of the notification undertake an assessment of whether an eligible data breach has occurred. 

 The Managing Director will confirm whether an eligible data breach has occurred and if they assess that serious harm is still likely, authorise the lodging of the online data breach statement with the Office of Australian Information Commissioner. 

ARC will notify the contents of this statement to: 

• all individuals affected, or 
• only those individuals at risk of serious harm. 

If neither of these options is practicable, the contents of the data breach statement will be published on our website. 

The Managing Director will notify the Board of all eligible data breaches. 

If the Managing Director assesses that serious harm is not still likely, they will initiate a review of the incident and authorise action to prevent future breaches. 

 Complaints 

All complaints relating to our handling of personal information must be managed in accordance with the Complaints Management Policy and Complaints Management Procedure. 

  Responsibilities 

All staff 

Notify all suspected data breaches to the Privacy Officer 

Apply the privacy principles in the workplace 

Participate in training on privacy compliance 

Privacy and Information Management Policy Version 1.0  

 Department Managers 

Ensure the Privacy Principles are enforced 

Provide staff with information and training about privacy requirements 

Privacy officer 

Receive notifications of possible privacy breaches 

Assess all data breaches, prepare statements of data breaches and notify individuals effect by the data breach 

Report all data breaches to the Managing Director and to the Office of Australian Information Commissioner 

 Manager Corporate Services 

Function as the Privacy Officer 

Provide information and advice about the Privacy Principles 

 Managing Director 

Promote strong privacy governance and capability 

Receive reports of data breaches from the Privacy Officer 

Confirm assessment of eligible data breaches by the Privacy Officer 

Authorise the lodging of the online data breach statement with the Office of Australian Information Commissioner 

Report eligible data breaches to the Board 

Ensure that other data breaches are reviewed 

 Executive 

Ensure that privacy is respected and protected 

Ensure privacy issues are considered in the establishment of all partnership or contractual arrangements 

Identify and manage any risks to the organisation arising from privacy considerations 

Ensure application of the Australian Privacy Principles to all aspects of the business 

 Board 

Ensure that due diligence is applied in identifying potential damage to the organisation from a breach of privacy. 

 Delegations 

 Delegation Delegated to (position) Reference 

Authority to lodge of online data breach statement to the Office of the Australian Information Commissioner 

Managing Director 

Privacy and Information Management Policy Version 1.0 

 Relevant Legislation, Policies, Procedures and Other Documents 

 Legislation 

Privacy Act 1988 (Cth) 

Privacy Regulations 2013 (Cth) 

Privacy (Tax File Number) Rule 2015 (Cth) 

Privacy (Persons Reported as Missing) Rule 2014 

Spam Act 2003 (Cth) 

 Policies and Procedures 

Complaints Management Policy 

Complaints Management Procedure 

Information Sharing Policy (Appendix to the ISG) 

Information Sharing Procedure 

Information Technology Information Security Procedure 

 Other Documents (internal and external) 

Consent to Obtain/Release Information Form (local documents) 

Feedback Form 

Information Sharing Record Form 

Information Sharing Checklist 

APP Guidelines, Office of the Australian Information Commissioner 2015 

Information Sharing Guidelines for Promoting Safety and Wellbeing 2013 (SA) 

Aged Care Quality Standards 

Australian Service Excellence Standards 

National Quality Standard (Education and Care Services) 

National Standards for Mental Health Services 

NDIS Practice Standards 

NDIS Code of Conduct 

Document History Version No. Version Date Next Review Date Approved by Summary of Changes 

1.0 24/11/22 to 30/11/25 

Executive 

Policy updated in line with the NDIS Code of Conduct 

Added access to and availability of ARC’s Privacy Information or Policy 

Added reference to use of information for direct marketing 

Added Delegations 

Privacy and Information Management Policy Version 1 .0  

Version No. Version Date Next Review Date Approved by Summary of Changes