Hearth Support Services Pty. Ltd. (ABN 21 618 155 810) understands the importance of protecting the privacy of an individual’s personal information (including health information). We are required to comply with the Privacy Act 1988 (Cth) (Privacy Act), and we will handle your personal information that we collect and hold in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act. We will also handle health information that we collect and hold in compliance with applicable State and Territory based health records laws.
This Policy may be updated, and we suggest you refer to our website for any updates. If you require a hard copy of this Privacy Statement or a copy in another format, please contact your Relationship Manager or the Hearth Office and we will arrange for a suitable copy to be provided to you.
What is personal/sensitive information?
Personal information is any information that identifies an individual or any information from which an individual’s identity could reasonably be ascertained.
Sensitive information is a type of personal information that is afforded a higher level of protection by privacy laws. It includes information on health, genetic and biometric information, race or ethnic origin, political opinions, membership of political, professional or trade associations or trade unions, religious beliefs, sexual orientation or practices and criminal record. References in this policy to personal information include sensitive information.
Personal Information we may collect
During the provision of our services we generally collect and hold four kinds of information:
- personal information provided by you, including your name and contact details.
- health and financial information as you enter into a Services Agreement with Hearth, as well as part of our ongoing service provision.
- information that we obtain about you when you visit our website including your internet protocol (IP) address, the time of your visit, the pages, and links you have viewed; and
- aggregated statistical data which is information relating to your use of our website and our services, such as traffic and demographics.
Furthermore, the information we collect and hold will depend on who the individual is, such as a participant in receipt of our services or a next of kin, a guardian or other responsible person, an emergency contact or person responsible for paying an account. Examples of personal information we may hold and collect include an individual’s:
- name, address (postal and email) and telephone numbers
- date of birth
- gender status
- sexual orientation status
- marital status
- country of birth
- indigenous status
- next of kin
- payment information such as credit card details
- health fund and health insurance cover details
- workers compensation or other insurance claim details
- Medicare details
- concession card details
- medical history and other health information we are provided with or we collect while providing our services
- other details an individual provides for admission to our service
- other information we need to provide our services.
How do we collect personal information?
Personal information (including health information) will be collected directly from the individual, or the individual’s family member or advocate where it is reasonably practicable to do so. This may take place when the individual completes documents such as a service request, registration, or other form, provides information over the telephone or applies for a job with us. On occasion, we may require access to information from another provider, government agency or another third party so that we may provide the best services we can. We collect sensitive information about an individual, either directly or from a third party, with the individual’s consent (which may be implied or express, depending on the circumstances).
Depending on who the individual is, we may collect their personal information from third parties such as:
- a responsible person or representative (e.g. guardian)
- an individual’s health service provider including therapists and other specialists
- a health professional/therapist who has treated the individual
- an individual’s health insurer or other insurer
- an individual’s family
- job referees
- other sources where necessary to provide our services (e.g. Occupational Therapists) or to assess job applicants (e.g. police checks).
Why do we need your personal information?
We collect your personal information for the purposes of providing you with our support and services.
It also enables us to confirm the level of government funding in relation to your support, to lawfully liaise with a nominated representative and to contact family if requested or needed, to identify and inform you of any other services that may interest you, or for other purposes permitted or referred to under any terms and conditions you enter into or otherwise agree to with respect to our services.
Hearth may use the personal information that we collect and hold to:
- assess and understand the support and other needs of individuals in order to provide them with the appropriate services
- ensure continuity of support of individuals who enter and leave our service
- contact individuals to respond to enquiries, to follow up, in an emergency, for authorisation in relation to any services
- enable the provision of education and training of staff
- effectively support, manage, monitor, and improve our support and services
- funding, planning, evaluation, and complaint-handling
- communicate with individuals by various means about our services, events, offers and options available
- charging, billing, processing funding claims and collecting debts
- assess job applications
- verify an individual’s identity
- ensure the health and safety of our staff and individuals who use our services
- comply with quality assurance or audit activities
- undertake accreditation activities
- respond to feedback
- address liability indemnity arrangements and reporting
- prepare the defence for anticipated or existing legal proceedings
- undertake research and the compilation or analysis of statistics relevant to service provision or health and safety
- conduct participant experience surveys with the aim of evaluating and improving services; and
- enable our facilities and our service providers to comply with their legal and regulatory obligations.
We may also use personal information in circumstances where we are required or authorised by Australian law to do so or where we otherwise have consent of the individual or their representative.
Who do we disclose your personal information to?
We may disclose an individual’s personal information to the following third parties for the above purposes to:
- government departments such as the National Disability Insurance Agency (NDIA)
- accrediting bodies associated with the NDIA including state agencies and organisations
- other service providers involved in the individual’s treatment or support services
- private health insurers and other insurers
- training and teaching activities
- a responsible person when the individual is incapable or cannot communicate, unless the individual has requested otherwise – see Disclosure to a responsible person for more information
- our insurers and legal representatives
We may not use or disclose personal information for a purpose other than the primary purpose of collection, unless:
- the secondary purpose is related to the primary purpose and you would reasonably expect disclosure of the information for the secondary purpose
- you have consented
- the information is health information and the collection, use or disclosure is necessary for research, the compilation or analysis of statistics, relevant to public health or public safety, it is impractical to obtain consent, the use or disclosure is conducted within the privacy principles and guidelines and we reasonably believe that the recipient will not disclose the health information;
- we believe on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety
- we have reason to suspect unlawful activity and use or disclose the personal information as part of our investigation of the matter or in reporting our concerns to relevant persons or authorities
- we reasonably believe that the use or disclosure is reasonably necessary to allow an enforcement body to enforce laws, protect the public revenue, prevent seriously improper conduct, or prepare or conduct legal proceedings; or
- the use or disclosure is otherwise required or authorised by law.
We may engage service providers to securely store and manage our business information, including your personal information.
Disclosure to a responsible person
We may disclose Personal Information about an individual to a person who is responsible for the individual if:
- the individual is incapable of giving consent or communicating consent
- the Relationship Manager is satisfied that the disclosure is necessary to provide appropriate support, for compassionate reasons, or is necessary for a quality review of our services (and the disclosure is limited to the extent reasonable and necessary for this purpose); and
- the disclosure is not contrary to any wish previously expressed by the individual of which the Relationship Manager is aware.
- A ‘responsible person’ is a parent, a child or sibling, a spouse, a relative, a member of the individual’s household, a guardian, an enduring power of attorney, a person who has an intimate personal relationship with the individual, or a person nominated by the individual to be contacted in case of emergency, provided they are at least 18 years of age.
Managing privacy preferences and capacity
Whether an individual has the capacity to make their own privacy decisions is assessed by Heath staff on a case-by-case basis having regard to matters such as their age and circumstances. Generally, an individual aged 15 years and over will have the capacity to make their own privacy decisions.
For children under 15 years or for individuals who lack capacity to make privacy decisions for themselves, we will refer or deal with requests for access, consents and notices in relation to personal information by reference to the parent and/or guardian or other responsible persons authorised by applicable laws and will treat consent given by them as consent given on behalf of a child or the individual who lacks capacity.
We will at or before the time or as soon as practicable after we collect personal information from you take all reasonable steps to ensure that you are notified or made aware of the purpose for which we are collecting personal information as well as the identity of other entities or persons to whom we usually disclose personal information.
Storage and security of your personal information
We store personal and health information in both paper and electronic formats. The security of personal and health information is very important to us and we take reasonable steps to ensure that the personal and health information we hold is protected against misuse, loss, unauthorised access, modification, or disclosure. This Information is held in both hard copy and electronic forms in secure databases on secure premises that have access requirements. However, we cannot guarantee the security of any personal information transmitted to us via the Internet.
Some of the ways we do this include:
- requiring our staff to maintain privacy and confidentiality
- implementing document storage security
- imposing security measures for access to our computer systems
- providing a discreet environment for confidential discussions; and
- allowing access to personal and health information only where the individual seeking access to their own information has satisfied our identification requirements
Personal and health information is retained for the period of time determined by applicable Australian laws after which it is de-identified or disposed of in a secure manner.
Keeping your personal information accurate and up to date
We take all reasonable steps to ensure that the personal information we collect is accurate, complete, and up-to-date, and also when we use or disclose it, that it is relevant.
We will also take reasonable steps to correct the personal information we hold if we are satisfied that it is inaccurate, incomplete and out of date, irrelevant or misleading, or if an individual asks us to correct their personal information for these reasons. A request to correct personal information can be made at any time by contacting your Relationship Manager or the Hearth Office.
However, the accuracy of that information depends largely on the quality of the information provided to us. We therefore suggest that individuals:
- let us know if there are any errors in their personal information; and
- keep us up to date with changes to their personal information (e.g. their name and address). Individuals may do this by mail or email using the information provided below.
There may be circumstances in which we may have to refuse a request for correction. If this happens, we will notify the individual in writing of our reasons for the refusal and explain how they can complain if they are not satisfied.
Opting out of direct marketing
We will only use personal information for direct marketing and promotional activities with the individual’s express consent. All direct marketing communications will include the option for an individual to opt out of receiving direct marketing communication. Individuals can opt out at any time.
Accessing your personal information
Under the Privacy Act, you have a right to access your personal information that is collected and held by us. An individual can access their personal information by contacting their Relationship Manager, the General Manager of the relevant Hearth office or the Privacy Officer at Hearth.
If individuals request access to their personal information, we will need to verify their identity and may ask them to complete a request for information form. We will then grant the request within a reasonable period. However, we may refuse a request for information to certain individuals to some or all of the personal information in certain circumstances allowed by the Privacy Act or other applicable laws or if consent is not granted by the individual. If Hearth refuses a request for information, we will give written notice of our decision, including our reasons and how to complain if the individual is not satisfied with the decision.
We will endeavour to give access to an individual’s personal information in the form they request. However, if that is not possible, we will provide alternative means of access or discuss how access can be given through a mutually agreed intermediary.
We will disclose the personal information we give access to, to the individual’s authorised representative or legal adviser where we have been given written authority to do so.
Dealing with Hearth Support Services anonymously
Where it is lawful and practicable to do so, individuals may deal with us anonymously or use a pseudonym. However, in many instances we need to identify you when you deal with us, including to provide our services and to respond to complaints. If we do not receive all of the personal information we request, we may not be able to do these things effectively. You may also address any feedback to us anonymously by sending a letter to:
Hearth Support Services
Suite 1, 431 Burke Road
Individuals who have any questions about privacy, this policy, or the way we manage personal information or who believe that we have breached their privacy rights should contact their Relationship Manager or the Hearth Privacy Officer. Hearth will endeavour to acknowledge receipt of a written complaint within 7 days and provide a written response to the complaint within a reasonable timeframe. It may be necessary to request further information from the complainant before the matter can be resolved. Any such request will be made in writing.
If the individual is not satisfied that Hearth has resolved their complaint, they have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). If they wish to make a complaint or to find out any more information about their privacy rights the OAIC can be contacted as follows:
Telephone number: 1300 363 992
In writing: Office of the Australian Information Commissioner GPO Box 5218, Sydney NSW 2001
Individuals may also make a complaint regarding the handling of their health information to the NDIS or statutory health complaints authority in their State or Territory
For questions or complaints about privacy, individuals should first contact their Relationship Manager or the General Manager of the relevant office either by direct phone or in writing or by phoning 1800 894 013.
Individuals can also contact the Hearth Privacy Officer:
The Privacy Officer
Hearth Support Services
Suite 1, 431 Burke Road