PRIVACY AND CONFIDENTIALITY POLICY

We may revise this Privacy Policy from time to time. We will display a notice on our Website for at least 30 days, indicating when any revisions have been made. 

This Privacy Policy was last updated on 3 July 2026. 

The updated policy strengthens how healthAbility protects personal and employee information. It introduces clearer rules about sharing staff information, improves information security measures, strengthens the response to privacy breaches, and provides better guidance for sharing information outside Victoria.

Overall, these changes improve privacy protection and legal compliance, while keeping the way client information is collected, used and shared largely unchanged.

PURPOSE

This Policy outlines how Nillumbik Community Health Service Ltd. trading as healthAbility collects, holds, manages, uses, discloses or transfers Personal and Health Information and how individuals (including healthAbility employees) may access and correct Personal and Health Information held by healthAbility.

healthAbility manages Personal and Health Information in accordance with the Information Privacy Principles (IPPs) under the Privacy and Data Protection Act 2014 and the Health Privacy Principles (HPPs) under the Health Records Act 2001.

SCOPE

This policy applies to the entire organisation.

FUNCTIONS AND ACTIVITIES OF healthAbility

healthAbility collects and handles Personal Information and Health Information in the exercise of its functions and activities in accordance with the Privacy and Data Protection Act 2014 (Vic.) and the Health Records Act 2001 (Vic.). The following list broadly describes the functions and activities for which healthAbility collects, holds, uses and discloses Personal and Health Information:

1. Providing services to the public including health and community services.

2. Dealing with enquiries, feedback and complaints from the general public.

3. Managing healthAbility’s human resources and facilities, including employment and payroll-related activities; and

4. Other administrative or incidental activities including procuring goods and services and complying with reporting requirements.

Collection of Sensitive (Personal and Health) Information

healthAbility collects Sensitive (Personal and Health) Information for the purpose of performing the functions and activities described above.

The types of Personal Information healthAbility routinely collects may include: name, date of birth, phone number, address, email address, gender, title, employment history, educational and professional qualifications, financial history, tax file number, salary and wage information, credit card and bank account information.

The types of Health Information healthAbility routinely collects may include information such as symptoms or diagnosis and the treatment given, medical reports, specialist reports, test results, pharmaceutical prescriptions, certificates of capacity and clinical notes. The type of information healthAbility collects will depend on the individual’s interaction with healthAbility and the information that may be necessary to assist persons with their health or community needs.

Collection of Sensitive (Personal and Health) Information directly from an Individual

healthAbility collects Sensitive (Personal and Health) Information directly from the individual to whom the information relates. For example, when the individual:

1. Completes a registration form or medical history or attends to obtain services.

2. Provides feedback or makes an enquiry or information request to healthAbility.

3. Applies for a job with healthAbility.

At or before the time of collecting information from clients or others, healthAbility will inform people of the following:

• Who is doing the collection, identifying healthAbility as the collector;

• The types of data collected, the reasons for collection and the legal basis for collection;

• Any other organisations that routinely provide, or may already have provided, information about the person, the details of that information and the lawful basis for doing so;

• Information collected by healthAbility by compulsion of law;

• The main consequences for people if healthAbility does not collect the information;

• How people can:

        - Access or request amendments to information healthAbility collects or stores

        - Complain about a breach of any privacy principle or law

• Any overseas disclosure of data and the likely countries of disclosure.

healthAbility’s functions and activities require healthAbility to collect Sensitive Information about an individual.

Sensitive Information is personal information that includes information or an opinion about an individual’s:

• racial or ethnic origin

• political opinions or associations

• religious or philosophical beliefs

• trade union membership or associations

• sexual orientation or practices

• criminal record

• health or genetic information

• some aspects of biometric information.

Consent is needed for the collection of sensitive information or to use or disclose personal information for a purpose other than the purpose it was collected for.

Can clients withdraw consent?

Clients can withdraw consent at any time. healthAbility must make sure the process is easy and accessible, and that clients understand the possible consequences of withdrawing consent; for example, a client may no longer be able to access a service. Once a client withdraws consent, healthAbility cannot rely on that client’s past consent for any future use or disclosure of their personal information.

Collection of Sensitive (Personal and Health) Information from Third Parties

healthAbility also collects Sensitive (Personal and Health) Information about an individual from other persons and sources including where:

1. This is required or authorised by or under an Australian law;

2. The individual has consented to the collection from someone other than the individual;

3. This is required or authorised by an Australian court or tribunal; or

4. It is not possible or is impractical to collect the information from the individual concerned.

healthAbility may collect documents or information about a person from, for example, other health providers or employers. In managing its human resources, healthAbility may also collect Sensitive (Personal and Health) Information about healthAbility’s employees from third parties such as recruitment agencies and other healthAbility employees.

Use and disclosure of Sensitive (Personal and Health) Information

healthAbility uses and discloses Sensitive (Personal and Health) Information to carry out its functions and activities. Generally, this means that healthAbility will not use or disclose information except for the primary purpose for which the information was collected. However, in some cases healthAbility may use or disclose information for a related secondary purpose, if the individual the information is about can reasonably expect healthAbility to do so or if the individual expressly consents.

healthAbility must not divulge a child’s personal or health information unless:

• Parent/carer consent is provided; or

• We are legally obliged or authorised to do so (for example, under privacy legislation, the Child Information Sharing Scheme or the Family Violence Information Sharing Scheme).

Generally, healthAbility uses and discloses Sensitive (Personal and Health) Information for the following primary purposes:

1. To provide its services, including health and community services; or

2. For human resources purposes, including employment and payroll activities

healthAbility may also use and disclose Sensitive (Personal and Health) Information for secondary purposes related to those primary purposes, for example to review and improve its processes.

In some cases, healthAbility may disclose an individual’s Sensitive (Personal and Health) information to third parties, including:

1. A medical practitioner or a health services provider;

2. A legal practitioner or a representative;

3. A parent in the case of a child;

4. A family member (if nominated by that person to assist them with the services);

5. Courts or tribunals or police where they are authorised to obtain it; and

6. Other persons authorised by that individual or by law to receive it.

healthAbility will only disclose information to third parties to the extent necessary to carry out its functions, and will only disclose information to external service providers where those providers also take reasonable steps to protect personal information.

Staff information disclosure

healthAbility recognises that information about its employees, contractors and volunteers (including whether an individual works for the organisation, their role, location, or work patterns) constitutes personal information and must be protected.

healthAbility will not confirm or disclose to any external party (including callers, visitors or third parties) whether a staff member:

• is employed by the organisation

• is present on site

• is scheduled to work

or any other employment-related details, unless the identity and authority of the requester has been verified and either:

• the disclosure is authorised by the staff member; or

• the disclosure is required or permitted by law.

This requirement applies to:

• phone enquiries

• reception interactions

• email enquiries

Where there is any uncertainty, staff must:

• decline to provide the information; and

• escalate to a manager or the Privacy Officer.

This control supports compliance with privacy legislation and the organisation’s obligations under the Occupational Health and Safety Act 2004 to provide a safe working environment, including protection from psychosocial risks.

Direct Marketing

Use of Sensitive (Personal & Health) Information in Direct Marketing

Under the Australian Privacy Principles (APPs), part of the Privacy Act 1988, specific rules govern the use of sensitive information for direct marketing.

1. healthAbility can only use or disclose an individual’s ‘sensitive information’ (which includes personal information about their health, political opinions, their racial or ethnic origin or their sexual orientation) for direct marketing if the individual has given their express consent.

2. Clear Opt-out: healthAbility must ensure each direct marketing communication includes a clear and simple method for individuals to opt out of receiving future communications.

3. Action on Opt-out: healthAbility must act on opt-out requests within a reasonable time frame and without charge.

4. Record Keeping: healthAbility should maintain records of consents and opt-out requests to demonstrate compliance with APP 7.

Requests from our clients to Not Receive Direct Marketing

healthAbility will acknowledge in writing (by letter or email) any request not to receive direct marketing and will:

• Abide by requests as soon as is practicable

• Keep a record of any communications to or from people regarding direct marketing

• Not charge fees to those applying to not receive direct marketing or to effect the request

Withdrawing Consent

Under the Australian Privacy Principles (APPs), individuals (clients) have specific rights regarding the withdrawal of consent for the use of their personal information in direct marketing.

healthAbility must follow the requirements below when a client withdraws consent.

Clear and Simple Opt-out Process:

• The opt-out process must be straightforward, easy to access, and free of charge.

• Instructions on how to opt out should be prominently displayed and written in clear, understandable language.

Prompt Action:

• healthAbility must act on opt-out requests promptly, ensuring that the individual is removed from the direct marketing list within a reasonable time frame.

No Further Marketing:

• Once an individual has opted out, healthAbility must cease all direct marketing communications to that individual.

Acknowledgment:

• healthAbility should acknowledge receipt of an opt-out request and confirm that it has been processed.

Record Keeping:

• Maintain records of opt-out requests to ensure compliance and to avoid contacting individuals who have withdrawn their consent.

Making information available to another health service provider

In the event an individual requests healthAbility to make their personal health information available to another provider, a copy or written summary must be provided to the new health provider. 

In the event of transfer or closure of healthAbility

healthAbility will ensure that, in the event of a transfer or closure of the organisation, clients are informed and their health information is handled responsibly. Clients are given the option to transfer their records to another provider of their choice or to have them securely stored. Explicit consent is obtained for the transfer of records, and secure methods are used to protect privacy. Staff are trained on these procedures, and all actions are documented to maintain compliance and safeguard client information during transitions.

Access to and Correction of Sensitive (Personal and Health) Information

healthAbility will make any information it holds about an individual reasonably accessible to the individual and will provide the information to the individual on reasonable request. In some circumstances, healthAbility may ask that the request be made in writing to assist healthAbility in identifying the relevant information or documents. For example, if you are making a request to access your medical file, healthAbility may request that you put your request in writing to enable healthAbility to identify you.

healthAbility will endeavour to maintain accurate records. healthAbility will use its best endeavours to correct information promptly when an error is identified (either internally or by an external party).

Following receipt of a request for access or correction, healthAbility will take steps to verify the identity of the individual before considering the request. Where appropriate, you may be asked to provide your name and address so that your identity can be verified.

healthAbility will not release or provide access to information to a third party, unless:

1. It has been authorised to do so by the individual to whom the information relates;

2. It is permitted or required to do so by law; or

3. It is appropriate or required in the performance of a function of healthAbility.

Requests for access to and/or correction of documents containing personal information held by healthAbility should be addressed in writing to:

The Privacy Officer

Post: 43 Carrington Rd, Box Hill VIC 3128

Email: Feedback@healthability.org.au

Unique Identifiers

healthAbility may assign a unique identifier to a person if healthAbility believes it is necessary to enable healthAbility to carry out its functions efficiently. healthAbility will not use or disclose an identifier healthAbility assigns to a person unless it is necessary for healthAbility to fulfil its functions or its obligations to another organisation or where the disclosure is otherwise required or authorised by law.

Data Storage and Security

healthAbility has privacy and security measures in place to avoid misuse, loss, unauthorised access, modification or disclosure of Personal or Health Information. healthAbility Employees are bound by the applicable confidentiality clauses in the ‘Code of Conduct’ and relevant employment contracts.

Access to Personal and Health Information is restricted to authorised personnel on a role-based and need-to-know basis. healthAbility implements controls to prevent unauthorised access, including system access controls, authentication requirements and monitoring of access where appropriate.

Where appropriate, healthAbility will destroy or permanently de-identify Personal Information or Health Information if it is no longer required.

healthAbility undertakes reasonable steps to monitor and review access to information and to identify and respond to any unauthorised access or disclosure.

Anonymity

The nature of most of healthAbility’s functions and activities is such that individuals must provide their name and contact information.

However, wherever it is possible and lawful to do so, individuals can interact anonymously with healthAbility.

Transfer of Information outside Victoria

Generally, healthAbility will not transfer any Personal or Health Information outside of Victoria. Where such a transfer is necessary, healthAbility will take reasonable steps to ensure that any recipient handles the information in a manner consistent with the Information Privacy Principles (IPPs) under the Privacy and Data Protection Act 2014 (Vic.) and the Health Privacy Principles (HPPs) under the Health Records Act 2001 (Vic.).

This may include ensuring that the recipient is subject to laws or contractual obligations that provide substantially similar protections or obtaining the individual’s consent prior to disclosure. In some circumstances, consent may be implied where permitted by law.

All transfers of Personal or Health Information outside Victoria will be undertaken in accordance with applicable privacy legislation.

Complaints

Any concerns or complaints regarding privacy should be made in writing to healthAbility using the contact details below:

The Privacy Officer

Post: 43 Carrington Rd, Box Hill VIC 3128

Email: Feedback@healthability.org.au

If you are not satisfied with healthAbility’s response to your privacy complaint, you can make a complaint to the Office of the Victorian Information Commissioner (OVIC). Details of how to make an OVIC complaint can be found on their website.

If you wish to make a complaint against healthAbility for a breach of privacy in relation to health information, you should contact the Office of the Health Complaints Commissioner. Details of how to make a complaint can be found on the Health Complaints Commissioner’s website.

Privacy Breaches

The Privacy Officer will investigate any reported privacy breach and (where relevant) will:

• Contain the breach and make a preliminary assessment

• Evaluate the risks associated with the breach

• Notify the affected parties (where appropriate)

• Take steps to prevent future breaches

Where applicable, for example if there is a foreseeable risk of harm to individuals affected by a privacy breach, healthAbility may report the privacy breach to the Office of the Australian Information Commissioner (OAIC) or OVIC.

healthAbility will assess whether a privacy breach constitutes an eligible data breach under the Notifiable Data Breaches scheme in accordance with the Privacy Act 1988, including whether the breach is likely to result in serious harm to any affected individual.

Where required, healthAbility will notify affected individuals and relevant regulators, including the Office of the Australian Information Commissioner (OAIC) and/or the Office of the Victorian Information Commissioner (OVIC).

Changes to this Privacy Policy

healthAbility may amend this Privacy Policy to reflect changes in legislation, services or information management practices.

When Privacy Policy updates occur, staff must ensure that:

  • A notice of the change is clearly published on the organisation’s website and/or relevant service platforms for a minimum period of 30 days
  • The notice includes the date of the update and clearly indicates that changes have been made
  • Communications are consistent with organisational procedures for informing service users and, where relevant, their support people in a timely, clear and accessible manner
  • The current version of the Privacy Policy always displays the most recent “last updated” date.

RESPONSIBILITIES

Who: Board
What:
• Endorse the Privacy and Confidentiality Policy.
• Be familiar with the organisation’s legislative requirements regarding privacy and the collection, storage and use of personal information.
• Comply with the Privacy and Confidentiality Policy and associated procedures.

Who: CEO and Executive Leadership Team
What:
• Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
• Ensure systems are in place across the organisation to adequately protect the privacy of personal information and the confidentiality of other sensitive information.
• Act in accordance with organisational systems in place to protect privacy and confidentiality.
• Comply with the Privacy and Confidentiality Policy and associated procedures.

Who: PLC and Payroll
What:
• Adhere to secure information handling and confidentiality procedures to maintain the privacy of employees’ personal and health information.

Who: Staff
What:
• Be familiar with the legislative requirements regarding privacy and the collection, storage and use of personal information.
• Act in accordance with organisational systems in place to protect privacy and confidentiality.
• Comply with the Privacy and Confidentiality Policy and associated procedures.
• Do not disclose staff or client information to unverified external parties, including confirming whether a staff member works at healthAbility.

healthAbility will ensure that all staff receive training and ongoing awareness in privacy, confidentiality, and data security obligations relevant to their role.

DEFINITIONS

• CEO - Chief Executive Officer

• Health Information is defined in the Health Records Act 2001 (Vic.) and means information or an opinion about—the physical, mental or psychological health (at any time) of an individual; or a disability (at any time) of an individual; or an individual's expressed wishes about the future provision of health services to him or her; or a health service provided, or to be provided, to an individual— that is also personal information; or other personal information collected to provide, or in providing, a health service; or other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.

• Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.

For example, personal information may include:

o an individual’s name, signature, address, phone number or date of birth

o sensitive information

o credit information

o employee record information

o photographs

o internet protocol (IP) addresses

o voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)

o location information from a mobile device (because it can reveal user activity patterns and habits).

The Privacy Act 1988 doesn’t cover the personal information of someone who has died.

• Sensitive information is personal information that includes information or an opinion about an individual’s:

o racial or ethnic origin

o political opinions or associations

o religious or philosophical beliefs

o trade union membership or associations

o sexual orientation or practices

o criminal record

o health or genetic information

o some aspects of biometric information.

Generally, sensitive information has a higher level of privacy protection than other personal information.