Persons Affected
All employees, volunteers, student placements, Board Members and contractors engaged by Northern Area Community & Youth Services Inc.
Policy
NACYS is committed to protecting the privacy and confidentiality of clients, staff, and stakeholders in the
way all information is collected, stored, and shared.
NACYS holds two types of information that are covered by this policy: personal information and
organizational information.
NACYS recognizes the need to be consistent, cautious, and thorough in the way that information about
clients, staff and stakeholders is collected, stored, and shared.
All individuals have legislated rights to privacy of personal information. In circumstances where the right
to privacy may be overridden by other considerations (for example, child protection concerns), staff act
in accordance with the relevant policy or legal framework, or both.
All individuals are to have an appropriate level of understanding about how to meet the organization’s legal
and ethical obligations to ensure privacy and confidentiality.
NACYS is committed to ensuring that information is used in an ethical and responsible manner.
Definitions
Privacy provisions of the Privacy Act 1988 govern the collection, storage and sharing of personal
information provided to NACYS by clients, staff, and stakeholders.
Confidentiality applies to the relationship of confidence. Confidentiality ensures that information is
accessible only to those authorized to have access and is protected throughout its lifecycle. Confidential
information may be marked as such or deemed confidential by its nature; for example, it is information
that is not available in the public domain.
Consent means ‘expressed consent or implied consent’. The four key elements of consent are:
• The client is adequately informed before giving their consent.
• The client gives consent voluntarily
• The consent is current and specific; and
• The client has the capacity to understand and communicate their consent
Expressed Consent is given explicitly, either orally or in writing
Implied Consent arises where consent may reasonably be inferred in the circumstances from the
conduct of the client and NACYS.
Individual means any person such as a client, staff member, stakeholder, or a member of the public.
Organisational information includes publicly available, and some confidential, information about
organisations. Organisational information is not covered in the Privacy Act1988, but some organisational
information may be deemed confidential.
Personal information means information or an opinion (including information or an opinion forming part
of a database) about an individual (Office of the Federal Privacy Commissioner, 2001). It may include
information such as names, addresses, bank account details and health conditions and interventions.
The use of personal information is guided by the Federal Privacy Act 1988.
The public domain in relation to confidentiality is “common knowledge”; that is, information that can be
accessed by the general public.
Solicited and Unsolicited Personal Information is all personal information received by an APP entity
is either solicited or unsolicited personal information. Section 6(1) defines ‘solicit’ but does not define
‘unsolicited’. Therefore, personal information reviewed by an entity that does not fall within the definition
of ‘solicited’ is ‘unsolicited’ personal information.
Procedures
All staff, volunteers, student placements and Board Members are made aware of this policy during
orientation.
All staff are provided with ongoing support and information to assist them to establish and maintain
privacy and confidentiality.
The privacy of personal information is defined by legislation (Privacy Act 1988). NACYS acts in
accordance with these legal requirements at all times as underpinned by the policy outlined below.
NACYS also strives to respect the confidentiality of other sensitive information. However, in the spirit of
partnership, we share information with clients and other involved individuals and organisations (subject
to consent), where it would be in the best interest of the client, or other individual, to do so.
Collection of information
Personal information collected by NACYS is only used for purposes that are directly related to the
functions or activities of the organisation. These purposes include:
• Enquiry about programs
• Referral to programs
• Contractual and Reporting purposes
• Providing treatment and support to clients
• For actioning a referral including sharing personal information with NACYS and other appropriate
providers
• Administrative activities, including human resources management
• Sector development activities including external data collection portals
• Community development activities including case study presentations
• Compliment, Complaint and Feedback handling
• Quality Improvement and Clinical Governance requirements
When collecting health and personal information, NACYS provides information to clients regarding:
• The purpose for collecting information
• How information will be used
• Assess if an interpreter or family member is required for cultural reasons before proceeding to collect
information from Aboriginal and Torres Strait Islander clients
• To whom (if anyone) information may be transferred and under what circumstances information will be transferred
• Limits to privacy of personal information
• How a client can access or amend their information
• How a client can make a complaint about the use of their personal information
Use and disclosure
NACYS only uses personal information for the purposes for which permission was given, or for purposes
that are directly related to one of the functions or activities of the organisation. Personal information may
be provided to government agencies, other organisations, or individuals if:
• The client has consented. This consent may be evidenced by a signature or obtained verbally and documented.
• It is required or authorised by law
• It will prevent or lessen a serious and imminent threat to somebody's life or health
All clients except with respect to Aboriginal and Torres Strait Islander peoples must be assessed culturally
to ensure they understand before they are required to acknowledge these requirements on how their
personal information may be used, or disclosed, and record their consent, or any restrictions to this consent.
Further information regarding the use and disclosure of client information can be found in the “Request for Release of Client Information Policy and Procedure”.
Data quality
NACYS takes steps to ensure that the personal information it collects is accurate, up-to-date, and
complete. These steps include maintaining and updating personal information when we are advised by
individuals that the information has changed (and at other times as necessary), and checking that
information provided about an individual by another person is correct.
Data security
NACYS takes steps to protect the personal information it holds against loss, unauthorised access, use,
modification, or disclosure and against other misuse. These steps include reasonable physical, technical,
and administrative security safeguards for electronic and hard copy or paper records as identified below.
Reasonable physical safeguards include:
• Locking filing cabinets and unattended storage areas
• Physically securing the areas in which the personal information is stored
• Not storing personal information in public areas
• Positioning computer terminals and fax machines so that they cannot be seen or accessed by unauthorised people or members of the public
Reasonable technical safeguards include:
• Using passwords to restrict computer access, and requiring regular changes to passwords
• Establishing different access levels so that not all staff can view all information
• Ensuring information is transferred securely where possible or where not possible ensuring that
appropriate safeguard measures have been taken
• Installing virus protections and firewalls
Reasonable administrative safeguards include not only the existence of policies and procedures for
guidance but also training to ensure staff are competent in this area.
Access and correction
Individuals may request access to their own personal information. Access will be provided unless there
is a sound reason under the Privacy Act1988 or other relevant law to withhold access.
Other situations
in which access to information may be withheld include:
• There is a threat to the life or health of an individual
• Access to information creates an unreasonable impact on the privacy of others
• The request is clearly frivolous or vexatious or access to the information has been granted previously
• There are existing or anticipated legal dispute resolution proceedings
• Denial of access is required by legislation or law enforcement agencies
Amendments may be made to personal information to ensure it is accurate, relevant, up-to-date,
complete and not misleading, taking into account the purpose for which the information is collected and
used. If the request to amend information does not meet these criteria, NACYS may refuse the request.
If the requested changes to personal information are not made, the individual may make a statement
about the requested changes and the statement will be attached to the record.
NACYS is responsible for responding to queries and requests for access and amendment to personal
information. Refer to Request for Release of Client Information Policy and Procedure for further information.
Anonymity and identifiers
Wherever it is lawful and practicable, individuals will have the option of not identifying themselves or
requesting that NACYS does not store any of their personal information. Where delivery of services by
NACYS or its subcontractors is required then it would not be practicable to provide anonymity.
Collection use and disclosure of confidential information
Other information held by NACYS may be regarded as confidential, pertaining either to an individual or
an organisation. The most important factor to consider when determining whether information is
confidential is whether the information can be accessed by the general public.
If they are unsure whether information is sensitive or confidential to NACYS or its clients, staff and
stakeholders, staff members are to refer to the CEO and/or Clinical Manager before transferring or
providing information to an external source.
Organisational information
All employees, volunteers, student placements, Board Members and contractors agree to adhere to the NACYS’s Code of Conduct when commencing work. The Code of Conduct outlines the responsibilities to
the organisation related to the use of information obtained through their involvement with NACYS.
Stakeholder information
NACYS works with a variety of stakeholders. The organisation may collect confidential or sensitive
information about its stakeholders as part of a working relationship. Staff at NACYS will not disclose information about its stakeholders that is not already in the public domain without stakeholder consent.
The way staff members manage stakeholder information will be clearly articulated in any contractual agreements that the organisation enters into with a third party.
When Information can be Disclosed Without Consent
We will only disclose information to a third party with consent, unless:
• the disclosure is directly related to the primary purpose for collection.
• in an emergency, where release of information is necessary to aid medical treatment; or
• we are required by law to disclose the information (e.g., suspected child abuse and/or
neglect).
Breach of privacy or confidentiality
If staff are dissatisfied with the conduct of a colleague regarding privacy and confidentiality of information,
the matter should be raised with the staff member’s direct Line Manger. If this is not possible or appropriate, then delegations indicated in NACYS ‘Grievance Policy’ should be followed. Staff members
who are deemed to have breached privacy and confidentiality standards set out in this policy may be subject to disciplinary action.
If a client or stakeholder is dissatisfied with the conduct of a NACYS employee, volunteer, student placement, Board Member or contractor, a complaint should be raised in accordance with the NACYS Complaints and Feedback Policy and Procedure. Information about making a complaint will be made
available to clients, stakeholders and can be found on the NACYS Website. Additionally, a complaint can be taken over the phone or in person by any staff member.
Notifiable Data Breaches
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals
to whom the information relates. A data breach occurs when personal information held by an organisation
is lost or subjected to unauthorised access or disclosure.
Examples of a data breach include when:
• A device containing customers’ personal information is lost or stolen
• A database containing personal information is hacked
• Personal information is mistakenly provided to the wrong person.
All suspected and/or confirmed Data Breaches are required to be reported to the CEO immediately. The
CEO, in consultation with the NACYS Board of Governance, will report the Breach to The Australian
Information Commissioner (Commissioner). By responding quickly, we can substantially decrease the
impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and
reduce the potential reputational damage that can result.
Expected outcomes
NACYS provides quality services in which information is collected, stored and shared in an appropriate
manner that complies with both legislative requirements and ethical obligations.
All staff understand their privacy and confidentiality responsibilities in relation to personal information
and organisational information about NACYS, its clients, staff, and stakeholders. This understanding is demonstrated in all work practices.
All clients understand how their personal information is collected, used, and disclosed prior to commencing services with NACYS; refer to NACYS Client Consent Form.
Relevant Legislation and Guidelines
• Privacy Act 1988
• Domestic and Family Protection Act 2012
• Family Responsibilities Commission Act 2008
• Mental Health Act 2016
• Office of the Federal Privacy Commissioner (2001), Guidelines to the National Privacy
Principles. Office of the Federal Privacy Commissioner, Sydney
• Office of the Privacy Commissioner (2006), Privacy Policy, Office of the Privacy Commissioner,
Sydney
• South Australian Information Sharing Guidelines for promoting safety and wellbeing (DPC, 2013).
Last updated: 15 April 2026