Lyndon Privacy Policy

Date Issued: 27 April 2015

POLICY STATEMENT

Lyndon’s confidentiality (and consent) and privacy policy defines standards of practice around the collection and use of personal and confidential information provided by service users. This policy outlines how Lyndon manages personal information, including what happens to the information collected and how it is shared with others.

Lyndon requires personal information from people seeking drug and alcohol treatment so we can conduct a thorough assessment and provide suitable treatment and support services. We only need information relevant to the services we provide.

RATIONALE

Lyndon maintains client records according to the 13 Australian Privacy Principles (APPs) from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, as well as abiding by any applicable State or Territory privacy laws (including the Health Records (Privacy and Access) Act 1997.

Client Records

Lyndon does not share personal information from service users with other people or organisations unless:

  • A service user has asked us to do so
  • Lyndon is compelled by law to This includes court orders or subpoenas directing us to provide information about service users; mandatory reporting of harm to a child; and section 16A requests from NSW Family and Community Services in relation to the care of a child or children.
  • Disclosure will prevent someone hurting themselves or someone else or reduce a threat to public health or safety
  • Where disclosure is required by a health service provider to provide For example if a service user is transported to hospital because of an accident or injury

De-identified information is used for research and evaluation, reporting to our funding bodies on organisational activities, internal review of service delivery as part of quality improvement activities; and for the purpose of conducting and contributing to the evidence base regarding effective treatment options for alcohol and drug dependence. Names and contact details are not included in de-identified information.

Employee records

Although personal information held in employee records is exempt under the Privacy Act, Lyndon maintains a similar commitment to protection of that information consistent with the APPs. In addition, while the Privacy Act relates to individual personal information, Lyndon will also apply the same principles to the collection of information about other organisations and service providers.

PROCEDURE

The following information is provided as a guide to Board members, employees, students and volunteers about how to obtain informed consent from service users, protect their privacy and share information with others when directed by law or service user wishes.

1.      Responsibilities

The CEO is responsible for the effective implementation of this policy across the organisation.

All Board members, management, staff, consultant and reviewers (including consumer reviewers) and volunteers (including students on placement) are responsible for complying with this policy in its entirety.

Any breach of confidentiality or privacy may have severe consequences, including the possibility of disciplinary action. All employees are responsible for identifying potential breaches and bringing them to the attention of their Manager. If a situation arises where an employee is unable to follow the policy or procedure, an exemption is to be requested from the CEO outlining the issue. Failure to comply with this and related policies and procedures regarding privacy and confidentiality of personal and health information will result in disciplinary action.

2.      Storage of client records including consent forms

Lyndon stores personal information electronically and in hard copy. Control measures in place to protect the security and privacy of that information include:

  • Password protection and restricted access to electronic records enabling only authorised employees including the client’s case manager and members of the treating team to access, use and Access by other employees is on an as-needs basis with management approval in accordance with the approved uses of personal information collected
  • Server is contained within a secure office with limited Network access is authorised by Management through secure network. Backup systems for all client, employee and corporate records are securely stored with access to approved personal only. Storage of electronic information is managed domestically, without sharing of infrastructure or cloud connectivity internationally
  • Data provided to reviewers, evaluators and others for the purpose of research, service monitoring and reporting is de-identified and contracts confirm storage and use requirements
  • Member/Donor/Stakeholder databases are stored electronically with access by approved employees only
  • Lyndon does not share or sell mailing lists or other databases containing personal information of any individual (client, employee, member, donor, stakeholder) with other organisations

Client records containing personal information, including health information, collected and used by Lyndon as outlined above will be stored for a period of 7 years after the last entry was made. From 2014, Lyndon will maintain a register of records that have been created, archived, accessed and destroyed in accordance with the Health Records (Privacy and Access) Act 1997.

3.      Seeking consent and providing information on privacy to service users

Lyndon provides information to service users about collecting their health and personal information including:

  • Purpose of collecting information
  • How information will be used
  • Who (if  anyone)  information  may  be  transferred  to  and  under  what  circumstances information will be transferred
  • Limits to privacy of personal information
  • How a client can access or amend their health information
  • How a client can make a complaint about the use of their personal

On entry to any Lyndon program service users will be provided with written information about consent and privacy, given an explanation of the written information and asked to consent to the collection of their information by Lyndon. Signed consent form will form part of every service users record.

4.      Providing information to others

If other agencies are requesting information in the form of reports or referrals, service users will be asked to consent to the release of information. If consent is not obtained information will not be provided to third parties unless the limits of confidentiality apply to the situation (see consent form).

Requests from third parties for information about current or past service users are to be made in writing and assessed by the Deputy Executive Officer before any information is released even if those requests are made under legislative authority (e.g. subpoenas).

5.      Access to records

Service users can access information Lyndon holds about them in current or past records. Current records can be viewed in company of a Lyndon case worker. Past records can be viewed by writing to the Chief Executive Officer with a request. Reports or summaries of current or past treatment will be provided on the request of the service user providing there is no reason to withhold the information.

Situations in which access to information may be withheld include:

  • Access to information creates an unreasonable impact on the privacy of others
  • The request is clearly frivolous or vexatious or access to the information has been granted previously
  • The record is subject to existing or anticipated legal dispute resolution proceedings
  • Denial of access is required by legislation or law enforcement agencies

Lyndon is required to respond to a service user’s request to access information within 10 days of receiving the request.

Information in client or resident records cannot be altered. However, service  users  can request new information is added to the record including what aspects of the existing information they disagree with and what new information is to be provided if it is relevant to their drug and alcohol treatment at Lyndon or a correction of personal details previously recorded.

6.      Breach of Privacy or Confidentiality

If staff are dissatisfied with the conduct of a colleague with regards to privacy and confidentiality of information, the matter should be raised with the staff member’s direct supervisor. If this is not possible or appropriate, follow delegations indicated in the Grievance and Dispute Settling Policy. Staff members who are deemed to have breached privacy and confidentiality standards set out in this policy will be subject to disciplinary action.

If a client or stakeholder is dissatisfied with the conduct of a Lyndon staff or Board member, a complaint should be raised as per the Feedback and Complaints Policy. Information on making a complaint is made available to clients, stakeholders and can be found on the Lyndon website. Additionally, a complaint can be taken over the phone by any staff member and written details given to the Chief Executive Officer.

References/ additional resources

Nil

© Copyright - Lyndon Community | Site by Regional Integrated Marketing                                          Staff Login                                                       Privacy Policy