Privacy & Information Management
policy & procedure

Policy

It’s A Practise will comply with:

  • The Privacy Act 1988 and the Privacy Amendment Act 2012 to protect the privacy of individuals' personal information

  • The Health Records Information Privacy Act 2002 (HRIP Act)

This includes having in place systems governing the appropriate collection, use, storage and disclosure of personal information, access to and correction of that information, and its disposal.

Outcome

Compliance with legislative requirements governing privacy of personal information.
All It’s A Practise Clients/Participants are satisfied that their personal information is kept private and only used for the intended purpose.

Background

The Privacy Act 1988 (Privacy Act) is an Australian law that regulates the handling of personal information about individuals by private sector organisations. Amendments made in 2012 (the Privacy Amendment Act 2012) updated the Australian Privacy Principles (APPs), effective from March 2014.

The amendment requires an organisation to explicitly state how they will adhere to the APPs and inform Clients/Participants on how their privacy will be protected. The APPs cover the collection, use, storage and disclosure of personal information, and access to and correction of that information.

The Health Records Information Privacy Act 2002 (HRIP Act) governs how long personal health information must be kept.

Definitions

  • Personal information: Information (or an opinion) held (whether written or not) from which a person’s identity is either clear or can be reasonably determined.

  • Sensitive information: A particular type of personal information, such as health, race, sexual orientation or religious information.

Procedure

Ensuring All It’s A Practise Staff Understand Privacy and Confidentiality Requirements

  • The Director of It’s A Practise will review this Privacy Policy annually and ensure they understand their responsibility to protect the privacy of individuals' personal information.

  • All staff will undergo training related to Privacy and Confidentiality Requirements at the time of induction and then annually.

Managing Privacy of Client/Participant Information Storage

  • Client/Participant information collected is kept in an individual Client/Participant record.

  • Each Client/Participant record has a unique identification number and includes:

    • Personal information

    • Clinical notes

    • Investigations

    • Correspondence between the Client/Participant and/or primary and/or secondary contact and their therapist or other employee

    • Correspondence from other healthcare providers

    • Photographs

    • Video footage.

  • A firewall is used in the It’s A Practise computer system as a means of protecting information stored on the computer.

  • Security procedures such as user access passwords and multi-factor authentication assist with protection of information.

  • Paper records are kept in locked, fireproof cabinets.

  • Client/Participant information is stored for seven years after the date of last discharge, or until age 25 for clients under 18 years of age.

  • Client/Participant-related information or any papers identifying a Client/Participant are destroyed by shredding and deletion from the computer and all databases.

  • User access to all computers and mobile devices holding Client/Participant information is managed by passwords and automatic inactive logouts.

Managing Privacy and Confidentiality Requirements of Clients/Participants

  • It’s A Practise refers to this Privacy Policy in the Client/Participant’s Service Agreement.

  • The Service Agreement includes five core consents:

    • Consent for sharing and obtaining information

    • Consent for receiving services

    • Consent for photography

    • Consent to participate in Client/Participant Satisfaction Surveys

    • Consent to participate in Quality Management Activities

These consents are discussed with the Client/Participant and/or their decision-maker in a way they can understand prior to the commencement of service.

Persons contacting It’s A Practise with an enquiry do not need to provide personal details. Once a decision is made to progress to services, personal and sensitive information will need to be collected.

It’s A Practise may share pertinent information with other Allied Health Professionals during case conferencing or when determining support plans. Information is shared only to provide the best service possible and only with professionals bound by privacy and confidentiality codes. Permission to share information is sought from the Client/Participant prior to the delivery of services and as required.

Personal information is not disclosed to third parties outside of It’s A Practise other than for a purpose made known to the Client/Participant and to which they have consented, or unless required by law. Clients/Participants are informed there may be circumstances when the law requires It’s A Practise to share information without their consent.

Keeping Accurate Client/Participant Information

  • Clients/Participants are informed of the need to provide up-to-date, accurate and complete information.

  • It’s A Practise staff update information during reviews or when made aware of changes.

  • Allied Health staff update client records as soon as practical after service delivery to ensure accuracy.

Using Client/Participant Information for Other Purposes

Under no circumstances will It’s A Practise use personal details for purposes other than those stated above unless specific written consent is given by the Client/Participant or their representative.

Client/Participant Access to Their Information

Clients/Participants have the right to access the personal information It’s A Practise holds about them.
To do this, Clients/Participants must contact the Director of It’s A Practise.

Management of a Privacy Complaint

If a person has a complaint regarding how their personal information is handled by It’s A Practise, they should first contact the Founder & Director.

Complaints will be managed according to the Complaints Management Policy.

If resolution is not achieved, the individual may contact the Office of the Australian Privacy Commissioner or the NDIS Quality and Safeguards Commission.

It’s A Practise will fully cooperate with these processes.

Right to Access Information

Federal:
Access to personal information must be provided unless a lawful exception applies.

NSW:
Private sector organisations can take up to 45 days to respond.

Further guidance: IPC NSW Fact Sheet – Providing Access to Health Information

Electronic Transactions and Electronic Signatures

Purpose
To clarify and formalise how electronic signatures and transactions are accepted and managed by It’s A Practise in compliance with applicable legislation.

Policy

  1. It’s A Practise may accept electronic signatures and conduct electronic transactions under the Electronic Transactions Act 2000 (NSW) and the Attorney-General’s Department guidance on electronic signatures.

  2. Staff must ensure:

    • The identity of the individual signing electronically is verified;

    • The electronic signature is linked solely to the individual;

    • The signed document’s integrity is maintained and protected from alteration;

    • Signed records are retained according to records-management protocols.

  3. Where law or best practice requires, a handwritten signature may be requested.

  4. All electronic transactions (including service agreements, consents, and clinical documentation) must use secure, access-controlled systems.

  5. Staff are responsible for verifying the legal validity of any electronic transaction and escalating uncertainty to the Director.

Consent to the Handling of Personal and Sensitive Information

Purpose
To define how consent is obtained, recorded, managed, and withdrawn in relation to personal and sensitive information, consistent with OAIC guidance.

Policy

  1. Consent is required for the collection, use or disclosure of personal information where sensitive information is involved or information is used beyond the original purpose.

  2. Consent must be:

    • Informed – Clear information provided about what, why, and how information will be used.

    • Voluntary – Given freely, without coercion.

    • Current and specific – Relevant to a defined purpose and timeframe.

    • Capacity-based – The person providing consent must understand the implications.

  3. Consent may be express (verbal, written, or electronic). Implied consent is limited and must not be presumed from silence.

  4. Bundled consent should be avoided unless each purpose is clearly explained and independently agreed to.

  5. Individuals may withdraw consent at any time by contacting the Director. Withdrawal processes must be accessible, and consequences explained.

  6. Records of consent must be retained as part of the client file.

Withholding or Refusing Consent
It’s A Practise recognises an individual’s right to withhold or refuse consent. However, withholding consent may limit the organisation’s ability to provide safe and effective services.

Where essential information is withheld, clinicians may be unable to make informed, evidence-based decisions, increasing risk. The clinician will:

  • Discuss the implications with the client/participant or decision-maker;

  • Document the discussion and rationale;

  • Determine with the Director whether services can safely continue.

While It’s A Practise will endeavour to meet client needs wherever possible, ongoing service provision must comply with the AHPRA Code of Conduct, NDIS Quality and Safeguards Commission requirements, and internal standards of care.

If withholding information, documents, or evidence-based data prevents compliance with these obligations, It’s A Practise may discontinue services in accordance with the Referral Intake and/or Cancellation and Discharge Policy.

Collection of Personal and Sensitive Information

Purpose
To outline how It’s A Practise collects personal and sensitive information in line with the Privacy Act 1988, APPs and OAIC guidance.

Policy

  1. Personal information: Information or opinion about an identified or reasonably identifiable individual.

  2. Sensitive information: Includes health, racial, religious, sexual orientation, and biometric/genetic data.

  3. Personal information is collected only when reasonably necessary for business or clinical functions.

  4. Sensitive information is collected only with consent, or where a permitted general situation applies (e.g., serious health risk).

  5. Individuals are notified at or before the time of collection regarding:

    • Identity of It’s A Practise;

    • Purpose of collection;

    • Any legal obligations for collection;

    • Disclosure recipients;

    • How to access or correct information; and

    • Consequences of non-provision.

  6. Information collected will be limited to what is necessary and maintained accurately.

  7. Where collected from a third party, reasonable steps will be taken to ensure the individual is aware unless impracticable.

De-Identification

Personal information may be de-identified for research, reporting or quality improvement purposes, in accordance with OAIC guidance on de-identification and the Privacy Act.

References

  • Privacy Act 1988 and Privacy Amendment Act 2012 (Cth)

  • Health Records Information Privacy Act 2002 (NSW)

  • Electronic Transactions Act 2000 (NSW)

  • Attorney-General’s Department: Electronic Signatures Guidance (2024)

  • Office of the Australian Information Commissioner (OAIC): Consent and Collection Guidance (2024)

  • Information and Privacy Commission (IPC) NSW: Consent Fact Sheet (2024)

  • Australian Privacy Principles (OAIC)

  • Allied Health Professions Australia (AHPA) Allied Health NDIS Registration Support (2024)

  • Ahpra & National Boards – Code of Conduct (2022)

Version Control

Policy Version 3 — Updated 31/10/2025
This document supersedes Version 3 (20/02/2025).

Privacy & Information Management Policy & Procedure. V3. Current 31/10/2025