Privacy and Information Management Policy and Procedure

1. Policy Compliance

Five Sparrows Wellbeing (FSW) will comply with The Privacy Act 1988 and the Privacy Amendment Act 2012 and the Health Records Act 2001 (Vic) to protect the privacy of individuals' personal information. This includes having in place systems governing the appropriate collection, use, storage and disclosure of personal information, access to, correction and disposal of that information.

2. Outcome

Compliance with legislative requirements governing privacy of personal information. All FSW participants are satisfied that their personal information is kept private and only used for the intended purpose

3. Background

The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling of personal information about individuals by private sector organisations. Amendments were made to this legislation in 2012 (the Privacy Amendment Act 2012) which updates the Australian Privacy Principles (APP) and came into effect in March 2014. The amendment requires an organisation to explicitly state how they will adhere to the APP and inform their participants on how their privacy will be protected. The APP cover the collection, use, storage and disclosure of personal information, and access to and correction of that information. The APP are summarised in Appendix 1 of this document.

4. Definitions

a. Information:

i. Personal information – means information (or an opinion) we hold (whether written or not) from which a person’s identity is either clear or can be reasonably determined

ii. Sensitive information – a particular type of personal information – such as health, race, sexual orientation or religious information.

5. When Information may be Collected

a. We, or you request us to, provide services to you

b. You deal with us (e.g. your are a supplier)

c. You are involved in a matter in relation to which we provide services or otherwise work on

d. You deal with or are related to a person to whom we provide services

e. You subscribe to our mailing list or newsletter

f. You attend our events, and

g. You apply for employment or volunteering with us.

The type of information will depend on the purpose of FSW’s interaction with you. For example, if you are a client to whom we are providing a service to, we may collect personal details, contact details, and other relevant information about your family, situation, or health.

6. How do we Collect Information?

a. We collect your personal information directly from you whenever it is reasonable and practical to do so. We may also collect your personal information from third parties in the course of providing services to you.

b. We may also install and operate security surveillance cameras on our premises, and by entering onto our premises you consent to our doing so.

c. You are not obliged to give us your personal information. If you have a general enquiry, you can choose to do this anonymously or use a pseudonym. If you elect not to provide some personal information to us, this may affect our ability to provide services to you.

7. Why do we Collect Information?

We may collect personal and/or sensitive information In order to understand our clients’ situations and needs in provision of their care, and to provide them with the best service that we can.

8. Information Accuracy

FSW will take reasonable steps to ensure that all information is accurate, complete and up to date. Please contact us if any information that you have provided is incorrect, incomplete, misleading or has changed.


9. Ensuring all FSW Staff Understand Privacy and Confidentiality Requirements

a. The Director of FSW will review their Privacy Policy annually and ensure they understand their responsibility to protect the privacy of individuals' personal information.

b. All Staff will undergo training related to Privacy and Confidentiality Requirements at the time of induction and then annually.

10. Managing Privacy of Participant Information Storage

a. Participant information collected is kept in an individual participant record

b. Each participant record has a unique identification number

c. A participant record includes:

i. Personal information

ii. Clinical notes

iii. Investigations

iv. Correspondence from other healthcare providers

v. Photographs

vi. Video footage.

A Firewall is used in the FSW computer system as a means of protecting information stored on the computer. Other security related procedures such as user access passwords, multi-factorial authentication also assist with the protection of information.

a. Paper records are kept in locked, fireproof cabinets

b. Participant information is stored for seven years post the date of last discharge. In the case of participants aged under 18 years, information is kept until their 25th birthday and 7 years post discharge

c. Participant related information, or any papers identifying a participant are destroyed by shredding and deleting from the computer and all databases

d. User access to all computers and mobile devices holding participant information is managed by passwords and automatic inactive logouts.

As data transmission via electronic means (such as the internet) cannot be guaranteed to be totally secure, we do not accept responsibility for the security of information transmitted to or by us via electronic means.

Due to the user of third-party systems, some of these providers may store information outside of Australia. We may store your information in cloud or other types of networked or electronic storage. As electronic or networked storage can be accessed from various countries via an internet connection, it is not always practicable to know in which country your information may be held.

You consent to the disclosure and transfer of your information to third party service providers and contractors who are not in Australia and therefore subclause 8.1 of the Australian Privacy Principles does not apply.

11. Managing Privacy and Confidentiality Requirements of Participants

a. FSW refers to their Privacy Policy on the participant’s NDIS Service Agreement

b. The NDIS Service Agreement includes 5 Consents plus other pertinent consents to your organisation:

i. Consent for sharing and obtaining Information

ii. Consent for receiving services

iii. Consent for photography

iv. Consent to participate in Participant Satisfaction Surveys

v. Consent to participate in Quality Management Activities

These consents are discussed with the participant and /or their decision maker in a way they can understand prior to the commencement of service.

c. Persons contacting FSW with an enquiry do not need to provide personal details. However, once a decision is made to progress to utilising FSW’s services, personal and sensitive information will need to be collected.

12. When Do We Disclose Personal Information?

We may disclose your personal information to:

a. Other organisations or professionals to whom we refer you

b. Third party service providers and contractors who provide services to us, and

c. Other persons or organisations the disclosure to whom is permitted by law or you have consented, expressly or impliedly. FSW may need to share pertinent participant information with other professional Allied Health Professional at the time of case conferencing or when determining support plans. Information is only shared in order to provide the best service possible and is only shared with those people whose Professional Codes of Ethics include privacy and confidentiality. Permission to share information is sought from the participant prior to the delivery of services and as required at other points of intervention as / if required.

Additionally, as required by professional counselling associations, our counsellors undergo regular clinical supervision with qualified supervisors. Your case may be discussed in a de-identified way with a supervisor in order to provide you with optimal treatment. Please discuss this with your counsellor if you have any questions.

We may also disclose your person information where:

a. Disclosure is required or desirable to lessen or prevent a serious threat or harm to an individual’s or public life, health or safety

b. There are serious concerns about the safety or wellbeing of any person

c. The information is subpoenaed, is required to be disclosed by law or a court or tribunal, or is disclosed in relation to legal proceedings

d. The information is required by a law enforcement agency or a competent authority; or

e. Disclosure is required by mandatory regulatory requirements or professional codes by which we or our staff are bounded.

d. Personal information is not disclosed to third parties outside of FSW, other than for a purpose made known to the participant and to which they have consented, or unless required by law, including legal proceedings

e. Participants are informed there may be circumstances when the law requires FSW to share information without their consent.

13. Keeping Accurate Participant Information

Participants are informed of the need to provide us with up to date, accurate and complete information. FSW staff update information on the participant record at the time of reviews or when they become aware of change in information. Therapy staff at FSW update the participant record as soon as practical after the delivery of services to ensure information is accurate and correct.

14. Using Participant Information for Other Purposes

Under no circumstances will FSW use personal details for purposes other than stated above, unless specific written consent is given by the participant or their representative.

15. Participant Access to Their Information

Participants have the right to access the personal information FSW holds about them. To do this, participants must contact the Director of FSW. Your information will be provided to you within a reasonable timeframe. You may request that any information be corrected if it is misleading, inaccurate, incomplete or has changed.

We will not refuse your request for access or correction unless there are legal reasons for doing so. In such circumstances, we will explain those reasons to you. We may charge a reasonable fee for access to your personal information.

For security reasons, a written request will be required to access or correct your personal information.

16. Management of a Privacy Complaint

If a person has a complaint regarding the way in which their personal information is being handled by FSW, in the first instance they are to contact FSW either by:

a. Emailing

b. Completing our Complaints Form

The complaint will be dealt with as per the Complaints Management Policy. If the parties are unable to reach a satisfactory solution through negotiation, the person may request an independent person (such as the Office of the Australian Privacy Commissioner) or the NDIS Quality and Safeguards Commission to investigate the complaint. FSW will provide every cooperation with this process.

17. Updates to this Privacy Policy

We may review and update this policy. Any updated versions will be published on our website


'Guidelines on Privacy in the Private Health Sector', Office of the Australian Information Commissioner

Five Sparrows Wellbeing
Contact Us

Appendix 1 – Summary of the 13 Australian Privacy Principles

APP 1 — Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

APP 2 — Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

APP 3 — Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.

APP 4 — Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

APP 5 — Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.

APP 6 — Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

APP 7 — Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

APP 8 — Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

APP 9 — Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 — Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.