Throughout this document “The Group” refers to the group operations of Livebig Pty Ltd, Rehab Management (Aust) Pty Ltd, AimBig Employment Pty Ltd and Arriba Corporate, operating under the ultimate holding company Arriba Group Pty Ltd.
The Group is guided by and takes all reasonable steps to comply with the requirements of:
- The Privacy Act 1988
- The Privacy Amendment Act 2000
- The Australian Privacy Principles (APP)
- The Health Records and Information Privacy Act 2002 (NSW)
This Policy further supports the Arriba Group’s ability to mitigate risks that might impact conformance with the requirements of our customers and certifying bodies, including:
- Disability Employment Services Grant Agreement
- Workforce Australia Services Deed of Standing Offer
- Quality Assurance Framework
- The National Standards for Disability Services (NSDS)
- National Disability Insurance Scheme Practice Standards and Quality Indicators, Code of Conduct and Provider Requirements, including the Compliance Framework
- ISO 9001:2015 Quality Management System Requirements
- ISO 27001:2013 Information Security Management Systems
- Heads of Workers Compensation Authority Principles of Practice
The Group takes its obligations under the Privacy Act seriously and takes all reasonable steps in order to comply with the Act and protect the privacy of the personal information that we hold. Some of this information may be health related.
The Group will need to collect and record personal and/or sensitive information that is relevant to our clients’ current situation and the scope of services. This information helps ensure that the services delivered are based on their current situation and needs.
Personal information is collected on behalf of, and under, the contractual obligations we hold with our customers, and is subject to restrictions imposed on its collection, use and disclosure by the Privacy Act 1988 (Cth) (Privacy Act).
The Group is obliged, in accordance with the terms of its funding agreements, to comply with the Privacy Act when collecting, using and disclosing the personal information of our employees, customers, clients and related stakeholders.
Personal information is collected for the provision of employment, disability, therapy, and occupational rehabilitation services to:
- Determine eligibility or appropriateness in services
- Tailor services to clients’ needs
- Evaluate and monitor outcomes, programs and services provided
- Facilitate resolution of complaints made by stakeholders
- Allow for inclusion of client personal details in communications developed by the Arriba Group applicable to the scope of services.
Personal information held by the Arriba Group (including such information provided to the Arriba Group by employees, contractors, clients and participants) may be disclosed to national or State/Territory-based tribunals, commissions, courts and regulatory agencies, the Department of Education, Skills and Employment (DESE), Exercise and Sports Science Australia (ESSA) and the Australian Health Practitioner Regulation Agency (AHPRA), health practitioners and third-party service providers (including providers who may conduct operations overseas).
This Policy relates to the collection, use and disclosure of information for:
- Stakeholders involved in the scope of services delivered by The Group
- Employees or prospective employees of The Group
- Contractors of The Group
- Customers and certification bodies aligned with the scope of services delivered
The purpose of this policy is to state the commitment of The Group to comply with relevant legislation and customer contractual obligations relating to Privacy and to outline the methods adopted to comply with these.
Collection of Information
Personal and confidential information shall not be collected by The Group for inclusion in a record unless it is collected for a lawful purpose directly related to a function or activity of our organisation, and the collection of the information is necessary for or directly related to that purpose.
Examples of personal information which may be collected:
- Contact information (e.g. name, age, address, telephone numbers, email address)
- Employment information (e.g. work history, work performance, workplace incidents, next of kin information)
- Financial information (e.g. bank account details for reimbursements)
- Sensitive information (e.g. medical history, criminal history, religious beliefs, information about your health)
- Commonwealth government identifiers (e.g. CRN, TFN, Participant ID, JSID)
Where it is reasonable and practicable to do so, personal information is collected directly from the individual. Collection may take place for a number of purposes, including the delivery of services and, internally, an employee’s employment with The Group:
- For the purpose of providing occupational rehabilitation, therapy, and assessment and/or employment services in accordance with contracted agreements, a referral, and legislative requirements
- When registration forms for a service are required
- When a request is made for information in writing or verbally
- During the recruitment and selection process and during employment with The Group.
Sometimes personal information may be collected from other sources, e.g.:
- An employer for the purpose of establishing and delivering services
- An insurance agent for the purpose of delivering occupational rehabilitation services
- A community services provider to support the engagement of services that fall within the scope of services delivered by The Group
- A medical practitioner delivering services, or assessing the fitness for work of an employee of The Group
- NDIS related stakeholders (e.g. Planners) for Livebig services.
In most cases the Arriba Group will require individuals receiving services to provide a signed consent form, which serves to confirm approval to collect, use or disclose personal information (including phone recordings by a third party). Consent will usually be required in writing; however, verbal consent will also be accepted in certain circumstances and documented for record-keeping purposes. Verbal consent should only be accepted if written consent has already been received and we are re-affirming a stakeholder’s ongoing consent.
Consent forms for each of the group organisations can be found on their respective case management platforms, including:
- Job Ready Live (AimBig Employment)
- Case Manager (Rehab Management)
- MyLiveBig (Livebig)
The Arriba Group strongly recommends that best practice standards are maintained. Where more than 12 months have passed since a consent form was signed, a new consent form must be sought and signed. All consent forms must be saved by the Arriba Group in a secure and access-controlled location.
Consent must not be implied, even if it is legally acceptable to do so. The Arriba Group aims to uphold best practice and always seeks a signed consent form for the scope of services provided.
If a service delivery case is closed, the consent form ceases to provide authority to collect, use or disclose information pertaining to that individual, unless the client is a Disability Employment Services or Workforce Australia Services participant, in which case the consent form remains valid for up to 9 months after the delivery of services to enable AimBig Employment to obtain employment outcome details as required under the respective contracts.
Where a client or participant is referred to the Arriba Group for services, a new consent form must be obtained if prior services were completed or ceased.
If a client or participant is referred for multiple services that are provided concurrently, only one consent form is required while those services are provided.
DES and Workforce Australia Services Specific:
For Disability Employment Services and Workforce Australia related services, personal information may be passed on to the following departments and their respective contracted service providers for the purpose of employment-related services:
- Department of Education, Skills and Employment (DESE)
- Department of Employment and Workplace Relations (DEWR)
- Department of Social Services (DSS)
- Department of Human Services
- Department of Education and Training
- Department of Home Affairs
- Department of Jobs and Small Business
- Department of the Prime Minister and Cabinet.
Personal information may also be disclosed between DES and DEWR Providers in the event that a participant’s existing provider is unable to provide services and a transfer to another Provider is required. Personal information may also be used by the Department of Social Services and the Department of Employment and Workplace Relations (AimBig Employment participants only), or given to other parties where the participant has agreed or where it is required by or under an Australian law or a court/tribunal order.
Use and Disclosure
The Group collects personal information to enable us to conduct business, within our scope of services including:
- Determining an individual’s requirements for appropriate services
- Setting up and administering services
- Identifying a person and protecting that person from unauthorised access to his/her personal information
- Recruitment and selection processes
- Determining employees’ and contractors’ suitability to deliver occupational rehabilitation, therapy or treatment services in line with AHPRA registration and NDIS requirements.
Personal information may be used for purposes other than those for which it was collected, namely:
- To prevent a serious threat to a person’s health or life
- As required or authorised by law
- Where reasonably necessary for the enforcement of criminal or revenue law
- Where summoned or subpoenaed, or where a freedom of information request is received from an authorised person or the client and complies with the Privacy Act’s Privacy Principles and our contractual obligations.
The Group may disclose personal information where consent has been given. Consent to the disclosure of personal information may be given explicitly, such as in writing or verbally. Disclosure of information may be provided to stakeholders involved in the scope of services, such as:
- Referring agent/department
- Treating practitioners
- Nominated support person/s
- Nominated Union delegate
- A legal entity
- Prospective employers
- Prospective training organisations
- Prospective equipment suppliers
- Community providers engaged for the purpose of services.
Disclosure of Employee and Contractor Professional Details:
Arriba Group provides occupational rehabilitation, therapy, and disability employment services in accordance with contracts and registrations held with various State, Territory and National regulation agencies, including, though not limited to:
- NSW: State Insurance Regulatory Authority (SIRA)
- Victoria: WorkSafe Victoria
- ACT: WorkSafe ACT
- Northern Territory: NT WorkSafe
- Norfolk Island: Norfolk Island Workers Compensation Agency
- Queensland: WorkCover Queensland
- South Australia: ReturnToWork SA
- Tasmania: WorkCover Tasmania
- Western Australia: WorkCover WA
- National: National Disability Insurance Scheme (NDIS)
- National: Department of Employment and Workplace Relations (WFA Contract)
- National: Department of Education, Skills and Employment (WFA Contract)
- National: Department of Social Services (DES Contract)
- Other: Motor vehicle compulsory third party authorities
- Other: Third Party Accreditation Auditors
The Group collects your personal information related to your suitability and qualifications that enable you to deliver occupational rehabilitation, therapy, or treatment services in accordance with industry standards, national or State/Territory-based regulatory agencies, ESSA and AHPRA requirements for health practitioners.
To demonstrate our compliance with requirements set by the above regulatory agencies, ESSA and AHPRA, The Group is required to provide your personal information related to professional registration details on their request, to demonstrate that our staff are appropriately qualified and registered to deliver workplace rehabilitation and/or therapy services.
The Group is further required to provide evidence of your professional registration currency to third party auditors who are engaged to ensure The Group continues to comply with our contractual and certification obligations. Third party auditors are bound by privacy obligations.
If you have enquiries about regulatory or other agencies accessing your professional registration details held by the Group, please contact the Internal Audit team at [email protected].
When is disclosure not appropriate?
The Group does not collect personal or sensitive information unless the information is reasonably necessary for, or directly related to, one or more of the functions or activities we have been requested to undertake as part of our service delivery and operations.
The Group does not disclose personal information to a party outside or unrelated to the scope of services. Parties that may be eligible to receive personal or sensitive information include a party contracted to the Arriba Group organisations to provide administrative services or activities on our behalf, where that party is bound by the same privacy rules.
The Group does not disclose personal or sensitive information to overseas recipients unless required to by law or where these recipients are directly related to the scope of services.
The Group does not disclose records of personal and sensitive client information or company intellectual property to ex-employees.
The Group does not disclose records that have been obtained from a third party, even if related to the scope of services provided, unless summoned by a court of law. For example, The Group is not able to disclose independent medical and allied health assessments or documents obtained from a third party. However, clients can request access to those records directly from the owner/creator of those records.
In accordance with the Health Records and Information Privacy Act 2002, if the individual chooses not to provide The Group with personal information pertaining to their health and authority to collect and disclose information, we may not be able to provide the full range of our services. The referring party should be notified (if the service was not self-referred) to discuss the implications for services of consent being declined.
For any request for information that is not a direct request from the client or participant, a new authority/consent form must be sighted, signed within the 12 months preceding the request.
For further guidance relating to the disclosure of information, please refer to the Records Request and Subpoena Procedure available on the Arriba Group Intranet.
CHILDREN AND YOUNG PEOPLE:
The Privacy Act 1988 (Privacy Act) protects an individual’s personal information regardless of their age. An individual under the age of 18 has the capacity to consent if they have the maturity to understand what is being proposed. This is assessed on a case-by-case basis. If The Group doubts or is unsure of the person’s ability to consent, consent from a parent or guardian may be sought.
PROVISION OF A TELEHEALTH SERVICE
Where appropriate, The Group’s services may be provided by telephone or videoconferencing. Clients and customers are responsible for setting up the technology needed to access telehealth services. The Group employee providing services can assist with this if required. The Group will be responsible for the cost of the call to the client and the cost associated with the platform used to conduct telehealth services.
To access telehealth services, clients will be instructed that they require a quiet, private space; an appropriate device (e.g. smartphone, laptop, iPad or computer) with a camera, microphone and speakers; and a reliable internet connection.
The privacy of any form of communication via the internet is potentially vulnerable and limited by the security of the technology used. To support the security of personal information, Rehab Management uses Lifesize Cloud technology which is compliant with the Australian standards for online security and encryption.
The Group will ensure we obtain permission and approval before recording any material via telehealth or otherwise, including taking photographic images, video, or audio for the purpose of observation and assessment. Any recorded material will be kept private and confidential and will be destroyed once The Group has completed the assessment and formulated the relevant documentation required.
Limitations of Telehealth
A telehealth consultation may be subject to limitations such as an unstable network connection which may affect the quality of services. In addition, there may be some services for which telehealth is not appropriate or effective. The Group will consider and discuss with clients and customers the appropriateness of ongoing telehealth sessions.
The Group will take all reasonable steps to protect the security of personal and sensitive information collected. This includes measures to protect electronic materials and materials stored and generated in hard copy.
The Group stores sensitive and confidential information on our security-controlled database. This database enables The Group to restrict access for particular users, as appropriate to the nature of the information and the purpose for which it was obtained.
The Group operates within a secure and encrypted network that cannot be accessed by external stakeholders. The Group further operates as a paperless office where possible. However, where confidential or sensitive information is held on paper, it is discarded using a secure paper removal and destruction process once no longer required.
Where information cannot be destroyed and needs to be retained, The Group archives documentation at a professional document management company’s facility. Confidential and sensitive information can then be made available to individuals on request and in accordance with privacy laws.
What Cookies Are
Cookies might be used for the following purposes:
- To enable certain functions
- To provide analytics
- To store your preferences
- To personalise content and ads
- To enable ad delivery and behavioural advertising
Cookies cannot read data from your hard drive or read cookie files that may have been created by another website. Cookies expire after a certain amount of time.
Third-Party Cookies on Group Websites
Cookie Options and Preference Updates
Users can change and update their cookie consent at any time. If you do not want your browser to accept cookies, you can modify your browser’s settings. You can also delete cookies that have already been set from your browser’s settings. Please note that, if you do not allow cookies or delete them, some features and services might not be accessible, and some web pages might not display properly.
Surveillance such as CCTV cameras will be installed in the workplace where safety risks are deemed moderate to high, for example in remote locations where services are provided to high-risk client groups.
The purpose of the CCTV cameras is to ensure the safety and security of all employees. As an Employer, the Arriba Group aims to take proactive action to ensure all employees are safe and feel safe in their working environment.
You may consult with your manager regarding any concerns about surveillance. All cameras are visible and will not be placed in bathrooms or change rooms.
Surveillance may be conducted at any time and is carried out in accordance with the Privacy Act 1988.
Please note the Arriba Group reserves the right to refer to any surveillance footage during a disciplinary meeting.
Access and Correction
The individual may request access to any personal information directly relating to them that has been developed and held by The Group. Only information pertinent to that individual will be disclosed.
In most cases, a summary of personal information such as name, address, contact telephone numbers, reports developed by The Group, emails sent/received, and service delivery notes can be made available to the individual by making an application in writing to The Group.
If the individual is able to establish that the information is not accurate, complete, and up to date, The Group will take reasonable steps to correct the information so that it is accurate, complete and up to date.
For further guidance relating to the disclosure of information, please refer to the Records Request and Subpoena Procedure available on the Arriba Group Intranet.
Should it be deemed necessary to refuse access or correction to an individual’s information, The Group will provide reasons for denial of access or a refusal to correct personal information. The Group may refuse an individual access to personal information in a number of circumstances such as where the information may be related to existing or anticipated legal proceedings, where access to the information could result in potential harm to the individual’s physical or mental wellbeing, where denying access is required or authorised by law, or where the request for access is regarded as frivolous or vexatious.
The Group is required by law to retain personal information for a period of time after an individual has ceased any relationship with us. After the required time has passed, the Arriba Group archives case files on our secure and access-controlled network database.
For information which has been requested, a fee may be charged to cover the cost of retrieval and supply of this information. All requests for access to personal information will be handled as quickly as possible, and The Group shall endeavour to process any request for access within 30 days of receiving the request. Some requests for access may take longer than 30 days to process depending upon the nature of the personal information being sought, in which case this will be communicated to the requesting party.
Breaches in Confidentiality
It is an offence under the Social Security (Administration) Act 1999 for a person to intentionally obtain, make a record of, disclose to any other person, or otherwise use, protected information if the person:
- Is not authorised by or under the Social Security Law to do so; and
- Knows, or ought reasonably to know, that the information is Protected Information.
This means that the Group’s personnel may commit a criminal offence if they:
- Search for or access Protected Information where not authorised
- Make copies of Protected Information where not authorised
- Disclose Protected Information to other staff or third parties who do not need to know that information
- Otherwise use Protected Information where not permitted.
A breach in confidentiality relates to a Notifiable Data Breach that is likely to cause serious harm to an individual or individuals impacted by that privacy breach following unauthorised access, disclosure and/or loss of personal information. Where a breach in confidentiality has been identified, the Manager will undertake the following activities within 24 hours:
- Notify the impacted party/parties immediately of any threatened or actual privacy events; and
- Consider and action all reasonable requests and directions from the interested parties.
- Where notifiable data breaches have occurred, the Manager will assess the impact on interested parties and, in negotiation with the related parties, determine if the breach constitutes a requirement to notify the Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC). Notifying the OAIC will be completed by the Legal and Risk team.
The CEO and/or the Group CEO will work with the Manager to consider whether to notify the Privacy Commissioner. Notification is required if all three of the following criteria are satisfied:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
- This is likely to result in serious harm to one or more individuals, and
- The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action
Where The Group has informed the OAIC, we will cooperate with the OAIC in its assessment of the breach and notify impacted parties and customers of the breach and of its reporting to the OAIC.
Workforce Australia Contract Specific:
- Where a privacy breach relates to the DEWR Workforce Australia Contract, the Group must notify DEWR as soon as possible after becoming aware of the breach, and within 30 days, by completing the Provider Privacy Incident Report (PPIR).
- Clients who have had their data breached, or who have any privacy concerns they wish to discuss further, must be advised that, following contact with the Group, they can contact DESE directly via email: [email protected].
If the individual requires additional information or has any complaints about the privacy practices of The Group, individuals may contact the Arriba Group’s Privacy Officers to lodge a formal complaint.
The Arriba Group Privacy Officers are Senior Managers within the Legal and Risk team, including:
- Christina Abufhele: Head of Internal Audits
Privacy Officers can be contacted by the following methods:
Phone: 1800 864 970
Email: [email protected]
Contact details for the Privacy Officers have been placed on the Arriba Group’s respective business websites as of March 2022.
Should the individual not be satisfied with the outcome of the internal privacy complaint process, the individual may contact the following external entities:
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001 | www.oaic.gov.au
Privacy Hotline: 1300 363 992 | Telephone: (02) 9284 9800 | Fax: (02) 9284 9666
Disability Employment Services:
The Complaints Resolution and Referral Service (CRRS) is available for you to discuss any concerns you may have about your Disability Employment Services (DES) provider. Phone: 1800 880 052 (free call).
Workforce Australia Services:
The Department of Employment and Workplace Relations on 1300 566 046, via email at [email protected], or by pre-paid post to:
Legal and Assurance Division
Department of Employment and Workplace Relations
Location Code: C50MA1 – LEGAL
GPO Box 9880
Canberra ACT 2601
The Group respects the individual rights of its employees and consequently manages the records it keeps in relation to employees in a careful and responsible manner. The Group is required to keep personal records for seven years from the date an entry is changed or from the termination of an employee's employment, whichever occurs first.
Access by an employee to his/her own personnel file is generally permitted. An employee may have access to:
- His or her time and wages records, including overtime (if applicable) and remuneration
- His or her records of leave, including leave taken and available entitlement
- His or her records of superannuation contributions; and
- Workers’ compensation records if an employee has had an accident.
Records are available via PeopleHub, and access is controlled to ensure only approved employees can view an individual’s employee records. For example, the direct Manager can view induction records, leave entitlements and personal details. Finance is able to view bank details to enable processing of remuneration and superannuation.
Access by an employee to records of other employees is generally not permitted. If an employee believes that a special case exists, and the other employees involved do not object, then the manager may permit such access. The CEO will make the final decision regarding one employee having access to another employee’s personnel file.
An employee may request an interview with their employer, The Group, or a representative of the employer at any time during working hours to discuss a record which has been made or is to be made by The Group.
When a third party, e.g., a bank or real estate agent requests information about an employee, that employee will be contacted and his/her permission will be required, in writing, before any information is released.
All staff should be aware that personal information about contractors is not an ‘employee record’ and due care must be exercised in handling such information within the law.
Unsuccessful Job Applicants
If the privacy of unsuccessful candidates were preserved by destroying their records, it would be difficult to prove that a fair process was followed. Consequently, the practice outlined below is to be generally followed as part of the recruitment process. Applications and associated documentation will be held for a reasonable period of time after a position is filled, unless the candidate requests that the information be filed in the event of other positions arising with the company. If any dispute arises, both parties will have relevant evidence to refer to. Candidates have the right to withdraw their personal information, or to ask for special treatment of it, if they do not agree with this stated practice.
Suspected or actual privacy breach identified / reported
IMMEDIATE RESPONSE REQUIRED
- Employee to immediately notify the Manager of the specific team that a privacy breach occurred or is suspected.
- Employee and Manager to immediately contact stakeholders in receipt of unauthorised information and request that the unauthorised information be deleted/destroyed. Request confirmation that the information has been destroyed. This includes deleting the information from the deleted items email folder.
- Manager or employee to notify the impacted stakeholder of the privacy breach. This might include the client and the referring parties. It is the Manager’s discretion to determine the appropriateness of whether the employee or the manager notifies the impacted party. The Manager might determine an experienced employee is competent to manage the communications, whereas a new employee on probation might not have the experience to undertake this form of communication.
DOCUMENTING THE DATA BREACH
Within 4 hours, the Manager must complete the following actions:
- Complete the Notifiable Data and Privacy Breach Form available on the intranet. This will include undertaking an investigation of how the privacy breach occurred and implementation of immediate remedial actions.
- Notify the Privacy Officers via the Privacy inbox and email completed Notifiable Data and Privacy Breach Form.
- Notify the relevant CRM/BDM if applicable, and email completed Notifiable Data and Privacy Breach Form.
- Privacy Officers will review the Notifiable Data and Privacy Breach Form and determine the hierarchy of escalation that is required due to the severity of the data and privacy breach.
- Escalation may require notification to the relevant General Manager, CEO, or OAIC.