Client Records Policy
Specifically, TASC will:
- collect and keep information about clients only when it is relevant and necessary to the provision of the service
- ensure data about each client is up to date, accurate and secure, whether stored in hard copy or electronically, in accordance with privacy legislation
- take account of any relevant cultural or religious sensitivities of people using services in the way information about them is collected, stored and used
- store clients’ records for the required length of time
- transfer or dispose of client records correctly.
When TASC collects, keeps and uses identifiable data about a client, the following procedures will be implemented to guarantee the privacy of the client and to ensure that records are appropriate, accurate and secure.
Collecting identifiable data
TASC collects and records information where it is necessary to carry out its functions and activities, which is mainly for the purposes of direct service provision or referrals.
This information is collected for the purpose of:
- service monitoring, evaluation and reporting (de-identified information only is used for this purpose);
- meeting the reporting requirements of our funding and governing bodies;
- monitoring and management of service to individuals (case files);
- meeting other legal and legislative requirements.
Coordinators will review the scope of information collected on a regular basis to ensure that only relevant information is being recorded.
When information is being sought from clients, the staff member or volunteer seeking the information will request the person’s consent to provide the information and inform them of:
- the reason for requesting the information
- how the information will be recorded and stored
- what other information will be recorded during the provision of service
- how their privacy will be protected
- their rights to view or access information about them.
The staff member or volunteer will ask the client if they have any concerns or specific requests about the way their personal information will be recorded or managed.
If identifiable information about a client will be shared with another agency, the staff member will obtain the client’s consent for this and record the date of the verbal consent or obtain the client’s signature on a consent form.
Storage and use of identifiable data
Information collected about individual clients will be stored in files. All files containing personal information will be maintained on the premises with locked key access by staff only. Files will not be left in the open where the public may view or access them. Client files will not be removed by any person without the permission of the relevant Coordinator. Client files will be stored for 7 years and then securely disposed of where client consent is in place.
Appropriate arrangements will be put in place to ensure that access to computer records is granted only to employees requiring such access in the course of their duties. The service has electronic files protected by password.
Clients may request access to their files. Access by a client to their file requires the authorisation of the relevant Coordinator and will be arranged by the Organisational Development Coordinator once approved. A request for access by a client must be considered and dealt with within a reasonable time frame.
Breaches of identifiable data
Data breaches can occur in a number of ways:
- Lost or stolen IT devices (laptops, tablets), removable storage devices, or paper records containing personal information
- Hard disk drives and other digital storage media being disposed of or returned to equipment lessors without content first being erased
- Databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of TASC
- Employees accessing or disclosing personal information outside the requirements or authorization of their employment
- Paper records stolen from insecure recycling or garbage bins
- Personal information mistakenly provided to the wrong person
- An individual deceiving TASC into improperly releasing the personal information of another person
Responding to breaches of identifiable data
Containing the breach
Once TASC has discovered or suspects that a breach has occurred it will take immediate action to limit the breach through the following:
- Containing the breach – stop the unauthorised practice, recover the records, shut down the system (if practical) that was breached, revoke or change computer access privileges, or address weaknesses in physical or electronic security.
- Assess steps that can be taken to mitigate the harm an individual may suffer as a result of the breach
Evaluating the risks associated with the breach
To determine what other steps are immediately necessary, TASC will assess the risks associated with the breach by considering the following factors:
- The type of personal information involved
- Does the type of personal information that has been compromised create a greater risk of harm
- Who is affected by the breach (employees, contractors, the public, clients, service providers, other agencies/organisations)
- The context of the affected information and the breach
- What is the context of the personal information involved
- What parties have gained unauthorised access to the affected information
- Have there been other breaches that could have a cumulative effect
- How could the personal information be used
- The cause and extent of the breach
- Is there a risk of ongoing breaches or further exposure of the information
- Is there evidence of theft
- Is the personal information adequately encrypted, anonymised or otherwise not easily accessible
- What was the source of the breach
- Has the personal information been recovered
- What steps have already been taken to mitigate the harm
- Is this a systematic problem or an isolated incident
- How many individuals are affected by the breach
- The risk of serious harm to the affected individuals
- Who is the recipient of the information
- What harm to individuals could result from the breach (identity theft, financial loss, threat to physical safety, threat to emotional wellbeing, loss of business or employment opportunities, humiliation, damage to reputation or relationships or workplace or social bullying or marginalisation)
- The risk of other harms – for example:
  - the loss of public trust in the agency, government program, or organisation
  - reputational damage
  - loss of assets (e.g., stolen computers or storage devices)
  - financial exposure (e.g., if bank account details are compromised)
  - regulatory penalties (e.g., for breaches of the Privacy Act)
  - legal liability, and
  - breach of secrecy provisions in applicable legislation
Notification can be an important mitigation strategy but is not always an appropriate response to a breach (for example, providing notification about low-risk breaches can cause undue anxiety and de-sensitise individuals to notices). TASC will consider each incident on a case-by-case basis to determine whether breach notification is required.
In general, if the breach creates a real risk of serious harm to the individual, the affected individuals will be notified. As part of this notification TASC will also:
- Take into account the ability of the individual to take the necessary steps to mitigate any such harm; and
- Consider whether it is appropriate to inform other third parties such as the Office of the Australian Information Commissioner (OAIC), the police, or other regulators or professional bodies about the data breach.
Notification will typically occur directly, either by phone, letter, email or in person, to the affected individuals. Indirect notification (website information, posted notices etc.) will only occur in an instance where direct notification could cause further harm, or the contact information of the affected person is not known.
Notification of the breach to affected individuals will include the following information:
- Description of the breach
- Type of personal information involved
- Response to the breach
- Assistance that can be offered to the affected individuals
- Whether the breach has been notified to regulators or other external contacts
- Legal implications
- How individuals can lodge a complaint with TASC
- How individuals can lodge a complaint with external bodies
TASC will consider whether the following external bodies, regulators or authorities should be notified of the breach:
- Funding bodies
- Professional or other regulatory bodies (ASIC, ACCC etc.)
- Agencies that have a direct relationship with the information lost or stolen
Preventing future breaches
In order to prevent future breaches a prevention plan may be developed which may include:
- A security audit of both physical and technical security
- A review of policies and procedures and any changes to reflect the lessons learned from the investigation and regular reviews thereafter
- A review of employee selection and training practices; and
- A review of service delivery partners
Maintaining and verifying client records
Coordinators are responsible for reviewing and updating client records on a regular basis.
A file will be created for each client and used to record only that personal information necessary to provide a high quality and appropriate service tailored to the individual service user’s needs. Additional information may be required to comply with legislation.
In recording personal information about clients, the Coordinator will ensure that information collected is accurate, complete and current.
The Organisational Development Coordinator is responsible for managing the filing of client records, maintaining the register of client records and managing the archiving and disposal of client records.
A register of client records will be kept at TASC’s Toowoomba premises. The register will cover all hardcopy files and all computer data systems where information about clients is stored. For each type of record, the register will document:
- the type of information recorded
- where the records or data are stored
- who is responsible for entering and maintaining the record
- what security measures are in place
- when and how the information is updated
- how this particular set of records is disposed of (frequency or time period and method).
Client records are kept for 7 years from the last point of service provision unless a contrary agreement is reached with the service user. Records of clients who have left the service are archived on a regular basis.
Records of clients who have left the service are disposed of by archiving or by the return of records to the client or another agency.