Introduction and Purpose
This policy sets out Proveda’s commitment to respecting the privacy of our customers and stakeholders and our obligation to uphold Australian privacy laws.
What is personal information?
‘Personal information’ includes a broad range of information, or an opinion, that could identify an individual. It includes ‘health information’, which is one of the most sensitive types of personal information.
Personal information we collect, hold, use and disclose
We take care to protect privacy when we collect, hold, use and disclose personal information.
Security and storage of personal information
We take reasonable steps to protect the security and storage of personal information we hold to prevent misuse, loss, unauthorized access, modification or disclosure.
Retention and destruction of personal information
We will only hold personal information for the purpose for which it was obtained, until it is no longer needed, and in accordance with any legal obligations.
Access to and correction of personal information
You have a right to access personal information we hold about you and to have your personal information corrected.
Interacting with us anonymously
You do not have to identify yourself to interact with us and we will assist you to the best of our ability, but if you choose to remain anonymous it may limit what we can do.
Feedback, Queries and Complaints
We welcome any feedback, queries and complaints.
Notifiable data breach
The law requires certain data breaches to be handled in a specific way.
Dignity, personal privacy and confidentiality
We are committed to respecting the dignity of our customers, which includes physical privacy, psychological privacy, social privacy and confidentiality of information.
Contact us
Information on how to contact our ‘Privacy Officer’.
Updates to this policy and associated documents
This policy is the latest version. It was updated on 12 December 2023.
1. Introduction and Purpose
Proveda is committed to protecting the privacy of any person about whom we collect personal information, including but not limited to our customers, volunteers, service provider partners and their employees and other stakeholders.
We are bound by the Privacy Act 1988 (Cth) including the Australian Privacy Principles, the Health Records and Information Privacy Act 2002 (NSW), and other privacy laws such as the requirements in aged care and NDIS legislation.
A copy of the Australian Privacy Principles can be found on the website of the Office of the Australian Information Commissioner: www.oaic.gov.au.
2. What is personal information?
‘Personal information’ includes a broad range of information, or an opinion, that could identify an individual. What is considered personal information will vary depending on whether a person can be identified or is reasonably identifiable in the circumstances.
Some examples of personal information are name, signature, address, phone number, date of birth, and photographs.
Personal information also extends to a category of information called ‘Sensitive information’ and broadly includes information or an opinion about an individual’s racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union membership or associations, sexual orientation or practices, criminal record, health information, genetic information and some aspects of biometric information.
‘Health information’ broadly means any personal information about health and includes information or opinion about illness, injury and disability, both physical and psychological. Health information is regarded as one of the most sensitive types of personal information.
3. Personal information we collect, hold, use and disclose
We use personal information in the following ways:
- For the primary purpose for which it was collected or a secondary purpose that is related to the primary purpose and it would be reasonably expected that we would use or disclose the information.
- Where we have engaged a third-party service provider to perform legitimate functions on our behalf and all reasonable steps have been taken to protect the security of personal information.
Sensitive information is collected with the informed consent of the customer. This kind of information is given a higher level of protection and will only be used for the primary purpose for which it was obtained or for a secondary purpose that is directly related to the primary purpose, and with the person’s consent or where required or authorised by law.
The kind of personal information we collect differs depending on the relationship you have with Proveda. See the attachment to this policy for examples.
A ‘Privacy, Confidentiality and Collection of Personal Information’ notice is included in our Service Agreements. Consent to the collection, storage and relevant sharing of personal information, including health information, is obtained through the Agreements.
We will not disclose personal information unless it is with the consent of the customer, or an exception applies. This includes, for example, when we are required to meet mandatory reporting obligations, to lessen or prevent a serious threat to life, health or safety, or to locate a missing customer. Our process includes checking for any appointment of or changes to a ‘nominated contact person’, ‘emergency contact’ or confirming documentation in support of an ‘authorised representative’ before disclosing a customer’s personal information.
Privacy and confidentiality cannot be assured when personal information is disclosed to overseas recipients. Therefore, Proveda will not disclose personal information to overseas recipients unless we have specific consent.
If a social network site such as Facebook or LinkedIn is used to communicate with Proveda, any personal information shared may be collected and held overseas. There is no protection under the Privacy Act 1988 if there is a breach of the Australian Privacy Principles by an overseas third-party.
4. Security and storage of personal information
Security and storage
We hold personal information in both electronic and hard copy formats, and all reasonable steps are taken to protect the security of that information.
Measures in relation to electronic data include data encryption, firewalls, second factor authentication, passwords and a range of internal processes and protocols to assess and monitor access to and use of our systems to mitigate cyber security risks.
Hard copy documents and files are held in secure access-controlled premises, or if taken offsite, will be handled by Proveda employees in accordance with our internal ‘Privacy and Confidentiality Policy’.
Other personal information, including in relation to our broad range of service delivery offerings and for operational and administrative purposes, including human resources information, is held in secure servers and databases.
When we elect to use third-party products, all reasonable steps are taken to ensure that we retain effective control of the personal information we hold. All servers and databases we use are located in Australia.
Proveda employees follow internal policies and procedures, which include a ‘Privacy and Confidentiality Policy’.
Engagement as an employee of Proveda is subject to confidentiality obligations and agreement to comply with our Code of Conduct. Our provider partners and their employees also agree to uphold the values in our Code of Conduct when providing services to our customers.
5. Retention and destruction of personal information
Proveda will only hold personal information for the purpose for which the information was obtained, until it is no longer needed, and in accordance with any legal obligations.
In the case of health information for customers, personal information will be retained for a minimum of 7 years from the last date from which a health service was provided. However, if the health information was collected when the customer was under the age of 18 years, the information will be retained until that customer attains 25 years of age.
When personal information is no longer needed, and it is permitted under law, it will be securely destroyed, deleted or de-identified.
6. Access to and correction of personal information
Access to personal information
You have the right to ask for access to personal information that we hold about you. You do not need to provide a reason to ask for access, but if you do, it may assist us to address your request.
In some circumstances a request can be refused, for example, Proveda will not provide access if:
- it is reasonably believed that giving access would pose a serious threat to the life, health or safety of any individual, or to public health and safety;
- it would have an unreasonable impact on the privacy of other individuals;
- the request is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings, provision of access would be unlawful, or has legal and/or unlawful implications.
When access can be provided, we will endeavour to provide access in the way requested (for example, by email, hard copy, electronic record, phone or in person).
We generally do not charge for handling a request for access to personal information; however, on a case-by-case basis, we may apply a reasonable charge if significant resources are required to process a request.
Correction of personal information
To help us maintain quality information, we encourage you to let us know as soon as there is any change to personal information that we hold about you.
When we become aware that personal information we hold is not correct (for example it comes to our attention that the information is inconsistent with a record from an authoritative source), or that it is out-of-date, incomplete, irrelevant or misleading, we will take proactive steps to confirm the accuracy of the information, and if required we will correct the information.
You also have the right to ask us to correct your personal information.
There is no charge for handling a request to correct personal information.
Process to request access or correction
If you wish to make a request for access to personal information or to correct personal information, please contact Proveda in the usual way or write to our Privacy Officer (see section 11). A request will need to be made in writing.
On receipt of a request, we will undertake an assessment and endeavour to provide a response as soon as possible, within 14 days. A longer period of up to 28 days may be required depending on the scope and complexity of the request.
If we refuse a request for access or correction, we will provide the reason(s) in writing.
You can make a complaint if you are not satisfied with the outcome or how we have dealt with a request (see section 8).
7. Interacting with us anonymously
You have the option of interacting with us anonymously or using a pseudonym. For example, you may ask a general question without the need to identify yourself.
We will do our best to assist you; however, in order to deal with a specific query or concern in a meaningful way, we will most likely need to verify your identity before we can interact with you.
8. Feedback, Queries and Complaints
If you would like to provide feedback (including about this policy), have a query, or wish to make a complaint about how we have handled your personal information, please contact Proveda in the usual way or write to Proveda’s Privacy Officer (see section 11).
On receipt of a complaint, we will undertake an investigation and determine what action should be taken. We will respond as soon as possible, within 28 days of receiving a complaint.
While we hope to resolve complaints without the need to involve third parties, if you are not satisfied with our response, the way in which it was handled by us, or you have an unresolved concern, you can complain to the Office of the Australian Information Commissioner (OAIC):
Other avenues for complaints about privacy depend on the individual circumstances. Please refer to the websites below for details about the kinds of complaints the following agencies will handle:
NSW Health Care Complaints Commission: www.hcc.nsw.gov.au
Aged Care Quality and Safety Commission: www.agedcarequality.gov.au
NDIS Quality and Safeguards Commission: www.ndiscommission.gov.au
Information and Privacy Commission NSW: www.ipc.nsw.gov.au
NSW Ombudsman: www.ombo.nsw.gov.au
9. Notifiable Data Breach
We adhere to the requirements of the ‘Notifiable Data Breaches’ scheme in the Privacy Act 1988 which requires specific action when an ‘eligible data breach’ occurs. That is, when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that we hold; and
- this is likely to result in serious harm to one or more individuals; and
- we haven’t been able to prevent the likely risk of serious harm with remedial action.
We will internally escalate and take swift action to assess and address any privacy or data breach incident as soon as we are aware an incident has occurred.
If a breach is determined to be an ‘eligible data breach’, we will notify any person affected by the breach, as well as the Office of the Australian Information Commissioner.
It is our policy to notify any person affected by a privacy or data breach even if it does not fall within the scope of an ‘eligible data breach’ and take appropriate remedial action.
10. Dignity, personal privacy and confidentiality
We are committed to our customers receiving high quality care and services and living the life that they want.
In addition to our obligations in relation to personal information, we will respect the dignity, personal privacy and confidentiality of our customers. This includes physical privacy (e.g. personal space and the extent to which one’s body is physically accessible), psychological privacy (e.g. maintaining personal identity and values), and social privacy (e.g. management of social contacts and degree of interaction).
11. Contact us
Please get in touch with Proveda in the usual way, otherwise, Proveda’s Privacy Officer can be contacted by:
12. Updates to this policy and associated documents
In addition to this policy, we publish specific Privacy Policies on our Service Provider Platform for our provider partners, and the integrated App for care workers.
Proveda is guided by an internal ‘Privacy and Confidentiality Policy’ and we adhere to a Code of Conduct.
This policy may be updated from time to time to reflect changes in our practices, external complaint processes or when there is an amendment to privacy law.
When we make changes to this policy, we will publish the latest version on the website.
This policy was last updated on: 12 December 2023.