Privacy Policy

Policy Statement

Paizo is committed to protecting the privacy and confidentiality of our clients, participants, families, staff, service providers and community partners. Paizo is bound by the Commonwealth Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APP). 
We are open and transparent about our management of your personal information and strive to ensure that the personal information we collect is accessed, stored and disposed of in an appropriate manner.  
When you give your personal information to Paizo, you consent to our collection, use and disclosure of your personal information in line with this Privacy Policy and any contract, agreement or other arrangement between us.

Purpose

The purpose of this Privacy Policy is to outline how personal information is collected and managed by Paizo.

Scope

This policy applies to all Paizo employees, contractors, volunteers, students and persons undertaking or delivering training or education at Paizo. It governs the management of all personal and sensitive health information collected by Paizo, whether obtained directly or through third parties.
This includes information relating to:
  • Patients and Families: Current, past, and prospective patients and their legal guardians.
  • Our Team: Current and former staff members and contractors.
  • Stakeholders: Third-party service providers, healthcare referrers, and any individuals interacting with our clinical services.

Responsibilities

Adherence to this Privacy Policy is the responsibility of all personnel. Any breach of these privacy obligations may result in disciplinary action, up to and including the termination of employment or contract.

Collection of Personal Health Information 

  • Paizo employees will primarily collect information verbally or in a written format during interviews and clinical assessment. 
  • At times, we may need to collect information about a participant or client from a third party, such as a parent, carer, guardian, health service provider, government agency or the client’s educational institution or workplace. We do this if the customer has authorised us to collect the information in this way, or where it is not reasonable or practical for us to collect this information directly from the customer.
  • We collect personal information only when it is reasonably necessary and directly related to Paizo’s functions and activities.
  • Paizo may collect photographs or audio recordings of participants or clients; however, a Media Consent and Release Form must be signed beforehand by the participant or client, consenting to the collection of this information. 
  • If unsolicited personal information is collected, Paizo employees must de-identify and destroy this information as soon as practicable. 
  • Paizo employees are to inform the participant (verbally and/or in writing) that all information will be treated in a confidential manner. 
  • Paizo employees must attempt to collect the information from the participant or client directly, unless it is unreasonable and impracticable to do so, e.g., if the participant is unable to communicate using conventional methods, has poor cognition or is under the age of 18.
  • If a participant or client lacks the capacity to provide information or consent to information being collected, written or verbal authorisation must be sought from their guardian to collect information and recorded in the service agreement. Proof of consent must be obtained prior to the disclosure of private information to any person other than the participant or client. 
  • Paizo employees are to direct the participant or client and/or their guardian to the Service Agreement which outlines their rights and provides further information regarding the information that is being collected.

Use/Disclosure of Personal Health Information 

  • Paizo employees must not disclose personal health information to external parties unless it is a matter of personal safety, for the recovery of debt, related to legal matters and/or the participant or client has consented to the release of their personal information. 
  • Paizo employees must gain consent through a signed Service Agreement before releasing information or discussing personal information with individuals involved with the participant or client’s care. Employees must ensure that clients, participants, or their authorised representatives are informed of their right to withdraw consent at any time by notifying Paizo.
  • Employees must ensure that participants, clients and/or their representatives acknowledge that information may have already been provided to authorised persons in line with consent they previously gave, and that withdrawal of consent will only apply to the future, after the date of the withdrawal of consent.
  • Paizo may use your information to contact you with information about our services. You can opt out of marketing communications by contacting us. Should you elect not to opt out, we will work on the basis that we have your consent to receive similar information and communications in the future.
  • Participants or clients have the right to access a copy of their personal information, if requested.
  • If participants or clients wish to make a complaint about the use of personal information, please contact Paizo at admin@paizo.com.au or call Angelique Campbell (Director at Paizo) on 0432 122 121.

Use of Artificial Intelligence (AI)

  • Paizo employees may use Artificial Intelligence (AI) systems to support some administrative and quality-improvement activities through our practice management software, Splose. Splose is integrated with an AI tool (sploseAI) that operates within our organisation and is not accessible to any external third party.
  • The sploseAI system processes personal information only for internal operational purposes and only in ways that are permitted under this Privacy Policy and applicable privacy laws. Employees must not upload, share, transmit or disclose identifiable client or participant information to any external AI tool or third party.
  • All AI-assisted outputs must be reviewed by qualified staff and AI must never be used to make decisions about eligibility, services, clinical matters or any other decisions that may affect the rights, safety or wellbeing of clients or participants.

Accessing Personal Health Information 

  • Paizo employees must not disclose personal health information to external parties unless it is a matter of personal safety, for the recovery of debt, related to legal matters and/or the participant or client has consented to the release of their personal information. 
  • All employees must refer to the OAIC Guide to Health Privacy for guidance in each instance where a request to access personal information has been received.
  • Paizo employees must ensure that client consent is obtained prior to any external disclosure of personal information. In cases where the client lacks capacity, consent must be sought from their legal guardian or appointed representative and documented accordingly.
  • Participants or clients have a right to access information we hold about them, unless an exception applies. 
  • The participant or client must request access in writing via email (admin@paizo.com.au).
  • The participant or client must tell us what information they require and the manner in which they want it provided (i.e., via email or hardcopy).
  • Generally, we must respond to a participant’s or client’s access request within 30 calendar days. 
  • Access to personal information will be granted in the manner requested unless it is unreasonable or impracticable. Where access is refused, Paizo will issue a written notice setting out the reasons for the decision, provide alternative access options where possible, and provide information regarding our internal complaints mechanism and the right to contact the Office of the Australian Information Commissioner (OAIC).
  • Paizo may request a fee to cover the administrative costs associated with accessing, collating, and preparing requested records where the participant or client has consented. This will be dependent on the complexity and the work involved to produce documents. In these cases, Paizo will advise the participant, client or third party of the additional costs in advance. 
  • Paizo can use or disclose health information where the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order (such as a subpoena or summons). If the law requires any employee to disclose information, they must do so. Examples include mandatory reporting of child abuse (under care and protection laws) and mandatory notification.

Storage of Personal Information

  • All employees are responsible for ensuring personal information is stored appropriately and exclusively in our online, encrypted third party storage system, or in our paper-based storage systems.
  • Personal and health information must be de-identified if used in any non-encrypted or public-facing environment. 
  • Employees must not discuss personal and health related information outside the work environment. 
  • Employees must ensure that anti-virus software is kept up to date to avoid a breach of confidential information.
  • Employees must not provide electronic database, email, and SharePoint access to persons external to Paizo.
  • Following discharge of a participant or client from our services, all information must be stored on our secure practice management software and hardcopies must be disposed of in a secure manner.
  • Paizo must keep a record of personal information and retain records in accordance with Australian legal requirements and clinical record-keeping standards.

Correction of Personal Information 

Australian privacy law gives participants or clients the right to correct the personal information Paizo holds about them if it is:
  • inaccurate
  • out of date
  • incomplete
  • irrelevant
  • misleading 
If a request to correct a participant or client’s personal information is received, Paizo must respond within 30 days.

Clinical Images/Recordings and the Use of Mobile Devices 

  • Paizo clinicians may take photographs, video or audio recordings of participants or clients solely for the purposes of clinical progress review, reporting and overall clinical management related to the client or participant’s goals and support.
  • All clinical images and recordings are classified as health information and are subject to the same strict confidentiality and privacy considerations as outlined in this Policy.
  • Clinical images/recordings must only be taken with appropriate consent, stored securely and only disclosed in accordance with the consent given. The participant or participant’s representative has the right to consent to or refuse the collection, use and disclosure of clinical images/recordings and this consent can be withdrawn at any time.
  • While clients or participants have the right to withdraw their consent for an image/recording to be used, they should also be informed when obtaining consent that, once an image/recording has been taken, it becomes part of their health record and must be retained in accordance with the Privacy Legislation in South Australia.
  • Clinicians must only use an image/recording for the purpose it was collected, such as progress review and reporting and overall clinical management related to the client or participant’s goals and support. Using clinical images/recordings for any purpose other than what the participant or client has consented to is inappropriate and in breach of staff obligations.
  • Clinicians must ensure that clinical images/recordings stored on a mobile device have security settings which are adequate to protect the information (i.e., password protections) to prevent unauthorised access. Clinical images/recordings are not made publicly available or uploaded to any social media network.
  • Clinicians must ensure that clinical images/recordings are uploaded onto the client or participant’s file in Splose and then deleted immediately from the mobile device. Clinicians must also include records on who took the image/recording, the date it was taken and how it was taken (i.e., phone or tablet).