Information management & Privacy Policy

Purpose

Undefeeted Podiatry is committed to protecting the privacy, confidentiality, integrity and security of all personal, health and business information collected, stored, used and disclosed by the practice.

This policy establishes the principles, responsibilities and procedures that govern the management of information throughout its lifecycle, including collection, storage, access, use, disclosure, retention and disposal.

The objectives of this policy are to:

  • Protect the privacy and confidentiality of clients.
  • Comply with applicable privacy, health records and medico-legal obligations.
  • Ensure information is accurate, secure and accessible when required.
  • Minimise the risk of information loss, misuse, unauthorised access or disclosure.
  • Provide clear procedures for identifying, reporting and responding to data breaches.
  • Promote a culture of accountability and responsible information management.

Scope

This policy applies to:

  • Employees
  • Contractors
  • Students
  • Volunteers
  • Virtual Assistants
  • Temporary staff
  • Clinical staff
  • Administrative staff
  • Any person granted access to Undefeeted Podiatry systems or information

This policy applies to all forms of information, including:

  • Electronic records
  • Clinical notes
  • Reports
  • Emails
  • SMS communications
  • Digital photographs
  • Paper records
  • Audio recordings
  • Financial records
  • Business records

Related Documents

This policy should be read in conjunction with:

  • Privacy Policy
  • Third Party Policy
  • Communication with Clients & Third Parties Policy
  • Service Agreements
  • Report Writing & Clinical Notes Policy
  • Risk Management Policy
  • Cyber Security Policy
  • Incident Management Policy

Legislative & Professional Framework

Undefeeted Podiatry is committed to complying with all relevant legislation and professional obligations, including:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Health Records Act 2001 (Vic)
  • Notifiable Data Breaches Scheme
  • NDIS Practice Standards, where applicable
  • Podiatry Board of Australia requirements
  • Professional indemnity insurance obligations

Where legislative requirements differ from this policy, legislative requirements take precedence.

Information Collected

Undefeeted Podiatry may collect information including:

Personal Information

  • Name
  • Date of birth
  • Address
  • Telephone numbers
  • Email addresses
  • Emergency contacts

Health Information

  • Medical history
  • Medication history
  • Referral information
  • Clinical assessments
  • Treatment records
  • Imaging and diagnostic reports
  • Progress notes
  • Outcome measures
  • Photographs and videos where consent has been obtained

Administrative Information

  • Appointment history
  • Billing information
  • Funding information
  • Medicare details
  • NDIS information
  • Insurance information

Only information necessary to provide safe and effective healthcare services will be collected.

Collection & Recording of Information

All client information must be:

  • Accurate
  • Objective
  • Relevant
  • Timely
  • Professionally recorded

Clinical information must be entered into the approved clinical management system as soon as practicable following service delivery.

All interactions relevant to a client's care should be documented, including:

  • Consultations
  • Telephone calls
  • Emails
  • SMS messages
  • Meetings
  • Care coordination discussions
  • Reports
  • Third-party communications

Documentation must comply with the Report Writing & Clinical Notes Policy.

Storage of Information

Undefeeted Podiatry primarily stores information electronically using approved practice management software and cloud-based systems.

Information security measures include:

  • Individual user accounts
  • Strong password requirements
  • Multi-factor authentication
  • Encrypted data storage
  • Secure cloud hosting
  • Audit trails
  • Automatic backups
  • Role-based access controls

Paper-based information is minimised wherever possible.

Where paper records are created:

  • Records must be scanned into the client file.
  • Uploads must be verified.
  • Documents must be securely destroyed using confidential shredding procedures.

Access to Information

Access to information is granted on a "minimum necessary access" basis.

Staff may only access information required to perform their duties.

The following activities are strictly prohibited:

  • Accessing records without a legitimate work reason.
  • Sharing login credentials.
  • Accessing information for personal curiosity.
  • Viewing records of family members, friends or colleagues without authorisation.
  • Downloading information to personal devices without approval.

System audit logs may be reviewed where inappropriate access is suspected.

Unauthorised access may result in disciplinary action, termination of employment or referral to external authorities.

Password & Device Security

All staff must:

  • Use unique passwords.
  • Keep passwords confidential.
  • Enable multi-factor authentication where available.
  • Lock screens when unattended.
  • Log out of systems when not in use.

Clinic information must not be stored on personal devices unless specifically approved.

All laptops, tablets and mobile devices used for clinic business must be password protected.

Lost or stolen devices must be reported immediately to the Clinic Director.

Working Remotely

Staff working remotely must:

  • Use secure internet connections.
  • Protect screens from public view.
  • Prevent unauthorised persons from viewing information.
  • Store information securely.
  • Avoid printing client records unless approved.

Client confidentiality obligations remain unchanged when working remotely.

Use & Disclosure of Information

Information will only be used or disclosed:

  • For the purpose for which it was collected.
  • With client consent.
  • Where required by law.
  • Where necessary to prevent serious risk of harm.
  • In accordance with mandatory reporting requirements.

Information may be shared with:

  • General Practitioners
  • Specialists
  • Allied Health Practitioners
  • Support Coordinators
  • Plan Managers
  • Insurers
  • Funding bodies

Appropriate consent must be obtained unless disclosure is otherwise authorised by law.

Client Access to Information

Clients may request access to their personal information.

Requests should be submitted in writing where possible.

Access will be provided in accordance with applicable legislation and professional obligations.

Reasonable administration fees may apply where extensive record retrieval or copying is required.

Information Retention & Disposal

Records must be retained in accordance with legislative and professional requirements.

When information is no longer required:

  • Paper records must be shredded.
  • Electronic information must be securely deleted.
  • Storage devices must be securely wiped or destroyed.

Information must never be disposed of through ordinary waste streams.

Data Breach Management

Definition

A data breach occurs when information is:

  • Lost
  • Stolen
  • Accessed without authorisation
  • Disclosed without authorisation
  • Modified without authorisation
  • Destroyed unintentionally

Examples include:

  • Sending an email to the wrong recipient.
  • Sharing information without consent.
  • Lost laptops or mobile devices.
  • Incorrect SMS communications.
  • Cybersecurity incidents.
  • Inappropriate staff access to records.

Data Breach Response Procedure

Step 1 – Contain

Any employee who becomes aware of a potential data breach must:

  • Take immediate action to limit further exposure.
  • Secure affected information.
  • Notify the Clinic Director immediately and no later than one hour after becoming aware of the incident.

Actions may include:

  • Recalling emails.
  • Removing access permissions.
  • Resetting passwords.
  • Recovering documents.
  • Isolating affected systems.

Step 2 – Assess

The Clinic Director will assess:

  • What information was involved.
  • Who was affected.
  • The cause of the breach.
  • The likelihood of harm.
  • Whether remedial action has reduced the risk.

Risk ratings may include:

  • Low
  • Moderate
  • High
  • Critical

Step 3 – Notify

Where required by law or where significant harm may result, affected individuals will be notified.

Notifications should include:

  • What occurred.
  • Information involved.
  • Potential risks.
  • Actions taken by the clinic.
  • Recommended actions for affected individuals.
  • Contact details for further information.

External authorities may also be notified where required.

Step 4 – Review

Following resolution of the incident, a review will be undertaken to identify:

  • Root causes.
  • System weaknesses.
  • Required corrective actions.
  • Training opportunities.
  • Policy improvements.

Step 5 – Document

All breaches and near misses must be documented.

Documentation must include:

  • Incident details.
  • Actions taken.
  • Notifications completed.
  • Outcomes.
  • Corrective actions.

The completed Data Breach Report must be submitted to the Clinic Director and recorded within the Risk Register.

Training & Compliance

All team members must:

  • Complete privacy and information management training during onboarding.
  • Participate in ongoing education as required.
  • Comply with all privacy and security policies.

Failure to comply with this policy may result in disciplinary action.

Continuous Improvement

Undefeeted Podiatry is committed to continuously improving information security, privacy protection and record management practices.

This policy will be reviewed at least annually or sooner following:

  • Legislative changes.
  • Significant incidents.
  • System changes.
  • Audit findings.