Privacy Policy

This policy sets out how we collect, use, disclose and manage your personal and sensitive information. These commitments are undertaken to comply with the Australian Privacy Principles (APPs) prescribed in the Privacy Act 1988 (Cth).

More than Support Pty

The Privacy Act 1988 regulates the way individuals’ personal information is handled.

As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:

Privacy and confidentiality guidelines

To support the privacy and confidentiality of individuals: 

  • we are committed to complying with the privacy requirements of the Privacy Act, the Australian Privacy Principles and the Privacy Amendment (Notifiable Data Breaches) scheme as required of organisations providing disability services 

  • we are fully committed to complying with the consent requirements of the NDIS Quality and Safeguarding Framework and relevant state or territory requirements 

  • we provide all individuals with access to information about the privacy of their personal information 

  • each individual has the right to opt out of consenting to and providing their personal details if they wish 

  • individuals have the right to request access to their personal records by requesting this with their contact person 

  • where we are required to report to government funding bodies, information provided is non-identifiable and related to services and support hours provided, age, disability, language, and nationality 

  • personal information will only be used by us and will not be shared outside the organisation without your permission unless required by law (e.g. reporting assault, abuse, neglect, or where a court order is issued) 

  • images or video footage of participants will not be used without their consent

  • participants have the option of being involved in external NDIS audits if they wish.

Security of information

To keep information secure: 

  • we take reasonable steps to protect the personal information we hold against misuse, interference, loss, unauthorised access, modification and disclosure.

  • personal information is accessible to the participant and is available for use by relevant workers 

  • security for personal information includes password protection for IT systems, locked filing cabinets and physical access restrictions with only authorised personnel permitted access 

  • personal information no longer required is securely destroyed or de-identified.

Data breaches

As part of information security responsibilities:

  • we will take reasonable steps to reduce the likelihood of a data breach occurring, including storing personal information securely and making it accessible only to relevant workers 

  • if we know or suspect your personal information has been accessed by unauthorised parties, and we think this could cause you harm, we will take reasonable steps to reduce the chance of harm and advise you of the breach, and if necessary the Office of the Australian Information Commissioner.


Breach of privacy and confidentiality

A breach of privacy and confidentiality is an incident and:

  • is resolved by following the Manage incident process 

  • may require an investigation 

  • if intentional, will result in disciplinary action up to and including termination of employment.

Information security is important as we handle, transmit and store personal information on a daily basis. Under privacy laws, we are required to take reasonable steps to keep all personal information we access safe from accidental or deliberate misuse. This policy aims to safeguard our information and our ICT (information and communications technology) resources from those with malicious intent.


Our Information Policy:

  • applies to all information and communications technology (ICT) used by the organisation, including computers, computer networks, internet connections, smart phones and email 

  • applies when unsolicited phone calls, emails or text messages are received.

Personal information

All personal information, including that of participants and workers, must be:

  • stored securely with reasonable security precautions against misuse or unauthorised access (e.g. electronic information should be password protected, hard copies stored under lock and key) 

  • readily accessible but only on a need-to-know basis 

  • retained for the required time (7 years) 

  • destroyed securely when no longer required 

  • not shared with any third parties without correct consent.


General information security precautions

The following are recommended precautions for helping to keep information secure: 

  • access to all personal information is strictly based on a need-to-know basis 

  • when sending group emails, use the ‘BCC’ field rather than the ‘To’ field so email recipients cannot see other recipients’ email addresses 

  • always password lock computers when unattended (shortcut to password lock a Windows computer is “Windows key + L”) 

  • operating system updates (also called “patches”) must be installed promptly after they become available 

  • active anti-virus software must be installed and kept up-to-date on all computers

  • internet modem routers must have security (i.e. firewall) enabled 

  • internet modem routers and network security cameras must have a strong admin password 

  • WiFi networks must have strong passwords to gain access 

  • only download or install software from trusted sources 

  • mail servers should be configured to use encryption 

  • computers should be configured so admin rights are restricted to key management personnel (i.e. so workers can’t install software) 

  • when an employee leaves, their access to the organisation’s computer network and email systems is removed promptly.

Passwords

  • all computers which store or access personal information require unique and strong passwords to gain access 

  • passwords must not be shared or reused between computers, users, or different applications (e.g. password for Facebook should be different to the password for Google mail which should be different to the computer login password) 

  • passwords should not be left written on paper left lying around 

  • passwords should be changed regularly, i.e. every three months 

  • always use strong passwords with a minimum of 8 characters which include a combination of:

      • lower case letters (abcdefghijklmnopqrstuvwxyz) 

      • upper case letters (ABCDEFGHIJKLMNOPQRSTUVWXYZ) 

      • numbers (1234567890) 

      • symbols (!@#$%^&*()-=_+,.<>/?'"[]{}|\`~:;)

  • do not use easy-to-guess passwords such as “123456”, “password” or “qwerty” etc.
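As an added illustration (not part of the policy itself), a small Python check that applies the password rules above to a candidate password and reports every rule it fails; straight quotes stand in for the curly ones in the symbol list, and treating a password that merely contains one of the listed easy-to-guess strings as non-compliant is an assumption of this example.

```python
import string

# Character classes exactly as listed in the password policy.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set("!@#$%^&*()-=_+,.<>/?'\"[]{}|\\`~:;")
MIN_LENGTH = 8

# The policy's examples of easy-to-guess passwords; extend as needed.
# Assumption: a password that merely *contains* one of these is also rejected.
BLOCKLIST = ("123456", "password", "qwerty")


def check_password(password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, cls in (("lower case letter", LOWER), ("upper case letter", UPPER),
                      ("number", DIGITS), ("symbol", SYMBOLS)):
        if not chars & cls:
            failures.append(f"no {name}")
    lowered = password.lower()
    for bad in BLOCKLIST:
        if bad in lowered:
            failures.append(f"contains easy-to-guess sequence '{bad}'")
    return failures


def is_compliant(password: str) -> bool:
    """True only when no policy rule is violated."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords for demonstration, not real credentials.
    for sample in ("Tr0ub4dor&3", "password1!", "Sh0rt!", "alllowercase9", "Qwerty12#"):
        print(f"{sample!r:16} -> {check_password(sample) or 'OK'}")
```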

Avoiding scams and ransomware

  • do not pay the ransom if your computer is infected with ransomware 

  • be aware of current scams targeting individuals and businesses by following government sites such as SCAMWATCH 

  • be suspicious of any unsolicited emails or text messages purporting to be from government agencies, banks, delivery services or other similar organisations: check the sender's email address for clues (scammers will try to fool you with a very similar sender address), delete any suspicious emails and, if unsure, look up the organisation's main phone number and call it 

  • be suspicious of unsolicited phone callers purporting to be from Telstra, Microsoft or the Australian Taxation Office: do not provide any information and end the call; if unsure, look up the organisation's main number and call it to confirm 

  • do not allow remote access to any computer or network resource by a third party unless it is arranged with a known and trusted IT services provider.


Portable devices

As a guide for portable device security: 

  • do not leave smart phones and mobile computers unattended in public 

  • do not leave smart phones and mobile computers in vehicles (locked or unlocked) 

  • do not leave smart phones and mobile computers in checked-in baggage when flying 

  • check portable storage devices (e.g. USB drives, USB flash drives) for viruses prior to using them 

  • use password protection on portable storage devices if they are used to store any personal information (such as employee or participant information).

Social media

As a guide for good social media practices: 

  • only those authorised to do so should represent the organisation on social media

  • personal information and confidential company information must not be posted or shared on social media 

  • when an employee leaves, their access to the organisation’s social media must be promptly removed.

Printed material

As a general rule: 

  • personal information in printed format must be stored securely when not being used

  • personal information in printed format must not be left lying around 

  • when no longer required, printed material that contains personal information must be shredded or removed by a secure document destruction service.

Incidents

  • a data breach or breach of privacy and confidentiality is an incident: follow the Manage incident process to manage and resolve it 

  • where individuals are at serious risk of harm as a result of a breach, they must be advised of the breach and assisted with ways to reduce their risk of harm 

  • incidents where individuals are at serious risk of harm as a result of the breach are reportable to the Office of the Australian Information Commissioner (https://www.oaic.gov.au/).