Meals on Wheels Central Coast Limited (MOWCC) understand that it is important for clients to know how we collect, use and safeguard personal information. This policy sets out how MOWCC manage the collection, use and storage of personal information.
Collection of Personal Information
MOWCC receive personal client information through our referral pathways and personal staff information through job applications and the creation of staff records. The personal information contains:
- Phone number
- Date of Birth
- Minimum Data Set (MDS) (refer – Attachment 1)
- Family information
- Bank Details
In some cases MOWCC may need to seek information directly from a client if it is not provided through the referral pathways.
Use, Storage and Access of Personal Information
MOWCC will use personal information only to provide service and to fulfil our Minimum Data Set requirements for the funding bodies (refer – Attachment 1).
MOWCC stores personal information on the Client Management System and in personnel files; this system is backed up daily. Any hard copy files are secured on our premises, with records held for legislated periods of time. MOWCC will take all reasonable steps to ensure that personal information is accurate, up to date and complete, to ensure the quality of the information held and the quality of service provision.
At no stage will individual personal information be disclosed for any other purpose than provision of service without seeking permission from the individual unless required or authorised by or under an Australian law or court/tribunal order.
MOWCC will not use government-related identifiers; MOWCC uses individual organisation-specific identifiers for each individual. All information included in our MDS transmission is de-identified.
Notification of the collection of Personal Information
On commencement of service provision or employment MOWCC will advise individuals:
- Purpose of the collection of information
- How clients or staff can access their information
- How clients or staff can correct the information
- Who can access the information
Dealing with unsolicited personal information
In the course of service delivery a client may provide unsolicited personal information and if:
- the information does not place the client or others in harm, staff will advise the client that they do not have to provide us with sensitive personal information.
- the information places the client or others in direct harm, the staff will debrief to the CEO, who will advise what further steps are to be taken.
Anonymity and Pseudonymity
Individuals have the option of not identifying themselves or of using a pseudonym when requesting general service information. However, if the individual has a need to discuss their individual service there is a practicable need for them to identify themselves to staff.
MOWCC will use individual information to provide service and to inform clients of new products and changes to service provision. MOWCC will not disclose to any other party personal individual information for the purpose of direct marketing.
Gaining Access and Updating Personal Information
MOWCC clients or staff may request access to their personal information at any time. All requests will be directed to the CEO who will reply to the request within thirty (30) days.
If a client or staff member seeks to update their information, the request will be directed to the CEO. If the CEO is satisfied that the information currently held is inaccurate, out of date, incomplete, irrelevant or misleading, the CEO will ensure the update of individual information.
If the CEO refuses to update the individual information, they must advise the individual in writing:
- of the reason/s for the refusal
- of the mechanisms available to complain about the refusal
- the CEO must allow a statement from the individual, which outlines that they believe their information is inaccurate, out of date, incomplete, irrelevant or misleading, to be associated with their personal information so that it is accessed by users of their information when providing service.
MOWCC will not apply any charges to an individual because they request access or an update to their individual information.
Privacy or Data Breach
The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to organisations which are subject to the personal information security obligations under the Privacy Act 1988, including Meals on Wheels Central Coast.
Under the NDB Scheme, Meals on Wheels Central Coast has an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. In this context, serious harm refers to serious physical, psychological, emotional, financial or reputational harm to an individual or individuals.
The CEO is also responsible for notifying and liaising with the Office of the Australian Information Commissioner (OAIC) for data breaches which have been assessed as eligible for the purposes of the Notifiable Data Breaches Scheme, using the OAIC’s Notifiable Data Breach form which is found on their website.
MOWCC will manage all data breaches in accordance with the NDB. The MOWCC Data Breach Plan includes procedures for assessing whether a breach is eligible (notifiable), and for conducting and documenting assessments for suspected data breaches. It also sets out responsibilities for investigating breaches and notifying relevant parties, strategies for taking remedial action if possible, and how the individuals affected will be contacted.
The CEO will review the incident to determine possible causes of the breach and revise its internal policies and/or procedures to prevent reoccurrence. Possible actions will include updating policies and procedures relating to records management, and additional staff training on privacy.
Any business that fails to report a data breach can face fines of up to $360,000 for individuals and $1.8 million for businesses.