Privacy & Confidentiality
Applied Occupational Therapy (AOT) is dedicated to ensuring that the personal information of its participants is collected and held securely. As an occupational therapy practice, we are committed to protecting your privacy in compliance with the Privacy Act (1988).
This policy details how we obtain participant information and the procedures for managing this data.
What information do we hold?
AOT only collects information that is relevant to effective service delivery.
The personal information that we gather from our participants includes:
- Names, date of birth, addresses, next of kin (N.O.K.) contact details
- Medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors
- NDIS/TAC/STR number – for identification and claiming purposes
- NDIS plans
- Medicare number – where applicable
How do we obtain participant information?
- Initial contact information is gathered from clients using our practice’s Intake Form
- Additional client information can be requested by staff from relevant contacts (e.g. Support Coordinators, other therapists, Next of Kin)
Client information data management and storage
- All participant information is held securely in password-protected electronic systems.
- Participant information can be stored in our practice in one of two forms – as hard copy or electronic records.
- Participant therapy materials can be stored as a hard copy at the locked practice.
- Electronic records are stored on a protected cloud management system.
- AOT employs a Synology two-disk NAS and a “Box” drive in the practice’s infrastructure.
- All files are backed up in the cloud with a 30-day deleted file recovery enabled.
- AOT also uses a secure cloud-based client management service, Power Diary. Power Diary provides safe, secure and backed-up data management, and meets Australian compliance requirements for safety.
- Discharged client information is archived in our system. All hard copy information is subsequently shredded and disposed of.
Who else has access to the participant information?
- All employees of AOT will have access to these client files via the online cloud management system. There are, however, limitations on the extent of content that a particular staff member can access. Separate logins and passwords are used depending on an employee's role.
- Only the Principal Occupational Therapist, Bookkeeper and Office Administrator will have access to relevant files concerning a client’s financial/billing information.
- All therapists will have access to participant progress notes.
- This is to ensure that the confidentiality of our clients is respected, and only relevant parties are accessing participant information.
Who can we share client information with?
- Participant information may be shared with third parties in instances where we are requesting additional services (e.g. through equipment requests, referrals to other allied-health services).
- Consent from participants is sought before any information is released to a third party.
What happens if there is a breach of data?
- A breach of data occurs when personal or confidential information is accessed or disclosed without prior authorisation, or is lost.
- A reportable data breach occurs when three criteria are satisfied:
  - there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
  - this is likely to result in serious harm to one or more individuals; and
  - AOT has not been able to prevent the likely risk of serious harm with remedial action.
- If a reportable data breach should occur, an incident report must be completed, and the issue is to be escalated to the Director to assess whether the breach is reportable to the OAIC.
- The report and incident assessment should be completed, and a decision is to be made whether to report the breach, within 14 days.
- All parties affected by the breach should be notified as soon as practicable if the assessment is made to report the breach.
- If a breach is reportable, the Director or relevant parties will complete a Notifiable Data Breach form found on the OAIC website – www.oaic.gov.au