Compliance Bulletin

Personal information includes a broad range of information, or an opinion, that could be used to identify an individual. What is personal information will vary, depending on whether a person can be identified or it is reasonable to believe that they could be identified in the circumstances.

The Privacy Act 1988 defines it as:

‘Information or an opinion about an identifiable individual, or an individual who is reasonably identifiable:

• Whether the information or opinion is true or not; and
• Whether the information or opinion is recorded in a material form or not’

Personal information includes but is not limited to:

• An individual’s name, signature, address, phone number or date of birth
• Sensitive information
• Credit information
• Employee record information
• Photographs, video recording
• Internet protocol (IP) addresses
• Voice print and facial recognition biometrics
• Location information from a mobile device (because it can reveal user activity patterns and habits)

Sensitive information is a type of personal information which requires a higher level of protection. Sensitive information includes but is not limited to:

• racial or ethnic origin
• political opinions or associations
• religious or philosophical beliefs
• trade union membership or associations
• sexual orientation or practices
• criminal record
• health or genetic information
• some aspects of biometric information.

Sensitive information should not be collected except in limited circumstances.

Confidential Information is any non-public information that must be protected from unauthorised access, use or disclosure. Not all confidential information is personal or sensitive (see definitions above) but all personal and sensitive information collected through HIPPY must be kept confidential and used only for legitimate program purposes

In the context of HIPPY, confidential information includes:

• Families’ and staff members’ personal information
• Program records, case notes, enrolment information and internal communications
• Operational information about HIPPY Australia or Site Providers that is not intended for the public
• Any other information that families, staff or providers share with the expectation that it will remain private

1. open and transparent management of personal information - Organisations must handle personal information openly and transparently, including having an accessible privacy policy that explains what they collect, why they collect it, and how it will be used and stored.
2. anonymity and pseudonymity - Where possible, people must be given the option to interact with an organisation anonymously or using a pseudonym, unless identification is required or is impractical.
3. collection of solicited personal information - Organisations may only collect personal information they genuinely need, using lawful and fair methods; extra care is required when collecting sensitive information
4. dealing with unsolicited personal information - If an organisation receives personal information it didn’t ask for, it must decide whether it could have lawfully collected it. If not, it must destroy or deidentify it if possible
5. notification of the collection of personal information - When an organisation collects personal information, it must promptly tell the individual what is being collected, why, how it will be used, and who it might be shared with.
6. use or disclosure of personal information - Personal information can only be used or shared for the reason it was collected, unless an exception applies or the person consents.
7. direct marketing - Organisations generally can’t use personal information to market to individuals unless certain conditions are met, and individuals must always have an easy opt‑out option
8. cross-border disclosure of personal information - Before sending personal information overseas, organisations must ensure the receiving country or organisation meets Australian privacy standards
9. adoption, use or disclosure of government related identifiers - Organisations can’t use government issued ID numbers (like Medicare or Centrelink numbers) as their own identifiers unless permitted.
10. quality of personal information - Organisations must take reasonable steps to make sure the personal information they collect and use is accurate, up‑to‑date, and complete
11. security of personal information - Personal information must be protected from misuse, loss, or unauthorised access, and securely destroyed or de‑identified when no longer needed
12. access to personal information - People have the right to request access to the personal information an organisation holds about them, unless a lawful exception applies
13. correction of personal information - If someone believes their personal information is incorrect, incomplete or outdated , organisations must take reasonable steps to correct it.

As part of filling in the Enrolment and journey form, Coordinators collect personal and sensitive information. This is the first and most important opportunity to discuss privacy with HIPPY families.

Coordinators should use the Respecting your privacy: HIPPY Australia collection notice for families and Respecting your privacy: HIPPY Australia collection notice for staff to clearly outline what information is collected , why , when , how it is used, and families’ rights to withdraw consent at any time.

These conversations can also be supported by the Respecting your privacy prompt cards .

Families must sign the collection notice to give consent for their information to be collected and used. Without this consent, the program cannot be delivered as this information is central to supporting families and measuring program impact.

Although most information is collected at enrolment, additional details may be gathered through later forms, visits and conversations that could identify individuals. It’s therefore important to continue to remind families of their rights to privacy beyond the initial explanation.

Because Tutors often build close relationships with families, they may learn personal information that isn’t directly related to HIPPY itself. This information can help staff understand a family’s circumstances, but it is still private. If a Tutor believes this information should be disclosed to the Coordinator, then Tutors must seek permission from the family.

If the Tutor or Coordinator decide to record this information in case notes, it must be stored securely and not disclosed inappropriately.

Sometimes Coordinators or Tutors may find it useful to provide examples of how they’ve worked with a family to Tutors or other families, for example adapting an activity for a child with sensory sensitivity.

In these cases, due to the sensitive information related to the example (information about the child’s health), it’s important that these examples are deidentified (shared in ways where it is impossible to identify the child or family).

Due to mandatory reporting rules around child safeguarding, it may be necessary to report some information about families.

If staff have a reasonable belief of the risk or occurrence child abuse or neglect, legally they must report it to their manager, followed by their state/territory’s child protection authority, then their Site Advisor and follow HIPPY Australia’s Critical incident guidelines .

It is considered appropriate and not a breach of privacy to discuss families with colleagues or HIPPY Australia Site Advisors as part of, and when it’s relevant to, work. These discussions are classified as internal. However, staff should be careful not to share personal information unnecessarily or inappropriately.

Although the sector and BSL is moving to an increasingly paperless environment, storing files and information digitally, the practical reality of HIPPY currently requires several forms to be filled out physically. Here are some steps you can take to keep information safe:

• Store paper ETO forms securely in a filing cabinet when not being used. This filing cabinet should always be locked when unattended, including when staff are out of the office during work hours.
• Keep desks clear of files, documents and notepads that contain information about families or the program when not directly using them. These materials should be secured in a locked drawer or filing cabinet when unattended to ensure that personal or sensitive information is not accidentally left in view.
• Remember that visitors, including cleaners and maintenance staff, and colleagues working in other programs also access your work area. Be mindful of keeping confidential materials private.

HIPPY’s performance management system ETO (Efforts to Outcomes) stores confidential information from families and staff collected over the years they spend with the program. As such, ensuring access to ETO remains secure is a major priority of all HIPPY staff. Key steps staff can take to ensure this include:

• Never share your ETO password with anyone, even with colleagues
• Avoid letting other people use your computer with your account logged in, even if you are supervising them
• Always lock your computer or laptop when you leave your desk even if it is only for a short period of time
• Make sure you use strong passwords that are at least eight characters long and are made up of upper- and lower-case letters, numbers and other characters
• Inform HIPPY Australia as soon as Tutors or Coordinators leave the organisation so that their ETO access can be removed.

Disclosing personal or sensitive information over the phone can carry risks. When not in a private space, it can be unclear if people nearby are able to hear your conversation and, when receiving or even making calls, it can sometimes be hard to identify exactly who you are talking to meaning personal information could be disclosed accidentally.

Extra challenges can be encountered when dealing with complex family situations, where you may be unaware that certain information should be kept confidential from other family members.

Ultimately, if you are in doubt, it is best to avoid disclosing personal or sensitive information over the phone.

As emails can be sent in an instant but also kept indefinitely, they, like other forms of written or recorded communication, require particular care and attention when personal information is included in them.

Although emails may be encrypted and be protected through cybersecurity, It is still recommended that you limit sending confidential documents and information over email unless specifically required. Though not common, data leaks and breaches do occur.

Simple tips to ensure that data leaks and breaches aren’t simply due to human error include:

• Checking that the email is being sent to the correct person – it’s easy to send an email to the incorrect person, particularly when using autocomplete suggestions when typing an email address. Double check the address(es) when sending personal or sensitive information
• Making sure that all the information in an email chain is appropriate for the person you’re sending it to before forwarding emails
• Never using your personal email address for work – always use a work email to make sure personal information does not come from or to your personal email, which is considered unauthorised disclosure of personal information and a data breach.

Social media has created a space where the private can suddenly become very public. If you use social media to connect with HIPPY families and the local community, you can work to protect families’ and staff members’ privacy by:

• Using closed/private social media groups in order to control access to information
• Making sure that any people depicted in photos and videos being posted are aware that their image will be used on social media specifically, informing them of who it will be visible to (a closed group or the general public)
• Appointing a moderator/administrator for your social media sites so that you are aware what is being posted and can remove posts that may share personal information.

When using electronic devices for HIPPY work out and about, make sure you:

• set a strong password on your device
• never leave your portable devices unattended
• are mindful of people reading your screen over your shoulder
• and avoid free wi-fi in public places as it is not secure, privacy is not guaranteed, and others may be able to see or track what you are doing on the network.

If you need to talk about HIPPY families or staff over the phone, make sure that you are in a space where no one will overhear you. It’s important to check that the person you are calling is also in an appropriate place to receive the call.

Our jobs are a significant part of our life, and it is natural that we talk about it with friends and family. Remember, however, that friends and family are not HIPPY employees and you should not disclose personal or confidential information to them.

Never leave files, documents or notepads in your car or lying around the house where anyone can read them. It is best to treat these spaces as you would a desk, making sure they remain clear of anything that could allow others to access personal or confidential information.

A privacy breach is when there’s a failure to comply with one of the APPs and are cases when individual’s rights to privacy are disregarded. This may include the loss or unauthorised access of personal information (APP 11) but equally could be not having an easy to access privacy policy (APP 1). Provider organisations must have procedures put in place to ensure that privacy breaches do not occur.

Data breaches are a type of privacy breach where personal information about families or staff members is accessed or disclosed without authorisation or is lost (even by accident). Examples of data breaches include instances when:

• a mobile phone that holds an individual’s personal information is stolen
• a database containing personal information is hacked
• someone’s personal information is sent to the wrong person accidentally.

At HIPPY, risks of data breach could include Tutors still having access to ETO after they have finished working for the program, enrolment forms being left unattended on desks, or HIPPY staff members having their devices hacked or infected by malware.

Data breaches cause significant harm to both the individuals who have their personal information disclosed (psychological, physical, financial, reputational) and to organisations (reputational) and must be dealt with.

Yes, as the personal information provided to and stored by HIPPY Australia, families must be made aware of their rights and give their consent for the BSL to collect their personal information.

The Respecting your privacy prompt cards can be a useful tool to support these conversations.

Yes. Losing a device or document that holds personal information has the potential to be a source of a data breach.

HIPPY Australia should be informed immediately through your HIPPY site’s Line Manager. Following this, HIPPY Australia will work with you and your organisation to assess and respond to the situation, considering things such as whether the phone has a passcode, where it was lost, whether your ICT team can erase data or remove access remotely.

Ideally, we would provide sites with the option to enter data, including pack delivery, directly into ETO in the same way Coordinators might put Tutor training data in. However, it is not currently possible to provide and manage sufficient logins to make this viable. Sites are, of course still able to fill in digital versions of forms to collect information rather than print out and carry physical forms.

The Privacy at HIPPY module is included as part of the Coordinator and Tutor training courses on the Canvas LMS. Line Managers with a login to the LMS can also access the module through the Coordinator training course.