Privacy Policy

LiveBig is guided by, and takes all reasonable steps to comply with:

  • The Privacy Act 1988

  • The Privacy Amendment Act 2000

  • The Australian Privacy Principles (APP)

  • The Health Records and Information Privacy Act 2002 (NSW).

This Policy supports LiveBig’s ability to mitigate to conformance with the requirements of our clients / participants, and certifying bodies, including:

  • The National Standards for Disability Services (NSDS)

  • National Disability Insurance Scheme Practice Standards and Quality Indicators, Code of Conduct and Provider Requirements, including the Compliance Framework

  • ISO 9001:2015 Quality Management System Requirements

  • ISO 27001:2013 Information Security Management Systems.

LiveBig takes its obligations under the Privacy Act seriously and takes all reasonable steps to comply with the Act and protect the privacy of the personal information we hold.  This information may be health related.

LiveBig will need to collect and record personal and/or sensitive information that is relevant to our clients’/participants’ current situation and support needs.  This information assists to ensure the services LiveBig delivers are based on their current goals, situation and needs.

The personal information collected is on behalf of our contracted obligations held with our clients/participants and regulated authorities, such as the NDIS Quality and Safeguards Commission, and is subject to restrictions imposed on its disclosure, collection and use by the Privacy Act 1988 (Cth) (Privacy Act).

LiveBig are obliged, in accordance with the terms of their registration requirements and Australian legal requirements, to comply with the Privacy Act when collecting, using, and disclosing the personal information of our employees, customers, clients, participants and related stakeholders. Personal information is collected for the provision of therapy services to:

  • Determine eligibility or appropriateness of services

  • Tailor services to clients’ / participants’ needs.

  • Evaluate and monitor outcomes, programs and services provided.

  • Facilitate resolution of complaints made by stakeholders.

  • Allow for inclusion of client / participant personal details in communications developed by LiveBig, applicable to the scope of services.

Personal information held by LiveBig (including such information provided to LiveBig by employees, contractors, clients and participants) may be disclosed to national or State/Territory-based tribunals, commissions, courts and regulatory agencies, the Australian Health Practitioner Regulation Agency (AHPRA), health practitioners and third party service providers (including providers who may have operations being conducted overseas).

SCOPE

This Policy relates to the collection, use and disclosure of information for:

  • Stakeholders involved in the scope of services delivered by LiveBig.

  • Employees or prospective employees of LiveBig.

  • Contractors of LiveBig.

  • Customers and certification bodies aligned with the scope of services delivered.

PURPOSE

The purpose of this policy is to state LiveBig’s commitment to comply with relevant legislation and regulator obligations relating to Privacy and to outline the methods adopted to comply with these.

Collection of Information

Personal and confidential information shall not be collected by LiveBig for inclusion in a record unless the information is collected for a lawful purpose directly related to a function or activity provided by our organisation, and the collection of the information is necessary for, or directly related to, that purpose.

Example of Personal Information which may be collected:

  • Contact information (e.g. name, age, address, telephone numbers, email address)

  • Employment information (e.g. work history, work performance, workplace incidents, next of kin information)

  • Sensitive information (e.g. medical history, criminal history, religious beliefs, health information).

Where it is reasonable and practicable to do so, personal information is collected directly from the individual.  Collection may take place for several purposes, which includes information pertaining to the delivery of services or internally as part of an employee’s employment with LiveBig. Examples:

  • For providing therapy or assessment services in accordance with contracted agreements, a referral, and legislative requirements

  • When registration forms for a service are required

  • When a request is made for information in writing or verbally

  • During the recruitment and selection process and during employment with LiveBig.

Sometimes personal information may be collected from other sources:

  • An employer for the purpose of establishing and delivering services

  • A Support Coordination Service or Local Area Coordinator for the purpose of NDIS services

  • Another service provider to support the engagement of services that fall within the scope of services delivered by LiveBig.

  • A medical practitioner delivering services, or to determine an employee of LiveBig’s fitness for work.

  • NDIS related stakeholders (e.g. Planners) for LiveBig services.

In most cases LiveBig will require individuals receiving services to provide a signed consent form, which serves to confirm approval to collect, use or disclose personal information (including phone recordings by a third party). Consent will usually be required in writing; however, verbal consent in certain circumstances will also be accepted and documented for record keeping purposes. Verbal consent should only be accepted if written consent has already been received and we are re-affirming a stakeholder’s ongoing consent.

LiveBig strongly recommends best practice standards are maintained. Where more than 12 months have passed since a consent form was signed, a new consent form should be sought and signed. All consent forms must be saved in a secure and access-controlled location by LiveBig.

Consent must not be implied, even if it is legally acceptable to do so. LiveBig aims to uphold best practice and always seek a signed consent form for the scope of services provided. If a service is closed, the consent form ceases to provide authority to collect, use or disclose information pertaining to that individual. Where a client or participant is referred to LiveBig for services, a new consent form must be obtained if prior services were completed or ceased. If a client or participant is referred for multiple services and these are provided concurrently, then only one consent form is required whilst LiveBig services are provided.

Use and Disclosure

LiveBig collects personal information to enable us to conduct business, within our scope of services including: 

  • Determining an individual’s requirements for appropriate services

  • Setting up and administering services

  • Identifying a person and protecting that person from unauthorised access to his/her personal information

  • Recruitment and selection processes

  • To determine employees’ and contractors’ suitability to deliver therapy or treatment services in line with the AHPRA registration and NDIS requirements and any other employment requirements.

Personal information may be used for purposes other than for which it was collected, namely:

  • To prevent a serious threat to a person’s health or life

  • As required or authorised by law

  • Where reasonably necessary for the enforcement of criminal or revenue law

  • Where summoned, subpoenaed or where a freedom of information request is received by an authorised person or the client and complies with the Privacy Act’s Privacy Principles and our contractual obligations.

LiveBig may disclose personal information where consent has been given.  Consent to the disclosure of personal information may be given explicitly, such as in writing or verbally.  Disclosure of information may be provided to stakeholders involved in the scope of services, such as:

  • Employer

  • Referring agent/department

  • Treating practitioners

  • Nominated support person/s or guardian

  • Nominated Union delegate

  • A legal entity

  • Prospective employers

  • Prospective training organisations

  • Prospective equipment suppliers

  • Community providers engaged for the purpose of services.

Disclosure of Employee and Contractor Professional Details:
LiveBig provides therapy services in accordance with contracts and registrations held with various State, Territory and National regulation agencies, including, though not limited to:

National: National Disability Insurance Scheme (NDIS), NDIS Quality and Safeguards Commission

Other: Third Party Accreditation Auditors

LiveBig collects personal information related to our employees’ suitability and qualifications that enable the delivery of therapy or treatment services in accordance with our professional standards, client/participant requirements, national or state/territory-based regulatory agencies, and AHPRA requirements for health practitioners.

To demonstrate our compliance with requirements set by the above regulatory agencies, and AHPRA, LiveBig is required to provide employee personal information related to professional registration details on their request, to demonstrate that our employees are appropriately qualified and registered to deliver therapy services.

LiveBig is further required to provide evidence of employee professional registration currency to third party auditors who are engaged to ensure LiveBig continues to comply with contractual and certification obligations. Third party auditors are bound by privacy obligations.

Unless it is for purposes already outlined in this Privacy Policy, LiveBig will only disclose your information as required by law or if you consent.

If you have enquiries about regulatory or other agencies accessing your professional registration details held by LiveBig, please contact the Compliance Team at [email protected].

LiveBig do not collect personal or sensitive information unless the information is reasonably necessary for, or directly related to, one or more of the functions or activities we have been requested to undertake as a part of our service delivery and operations.

LiveBig do not disclose personal information to a party outside or unrelated to the scope of services.  Parties that may be eligible to personal or sensitive information can include a party contracted to LiveBig to provide administrative services or activities on our behalf, and whereby that party is bound by the same privacy rules.

LiveBig do not disclose personal or sensitive information to overseas recipients unless required to by law or if these recipients are directly related to the scope of services.

LiveBig do not disclose records of personal and sensitive client information or company intellectual property to ex-employees.

LiveBig do not disclose records that have been obtained by a third party, even if related to the scope of services provided unless summoned by a court of law.  For example, LiveBig is not able to disclose independent medical and allied health assessments of documents obtained from a third party.  However, clients/participants can request access to those records from the owner/creator of those records directly. 

In accordance with the Health Records and Information Privacy Act 2001, if the individual chooses not to provide LiveBig with personal information pertaining to their health and authority to collect and disclose information, we may not be able to provide the full range of our services. The referring party should be notified (if the service was not self-referred) to discuss the implications on services because of consent being declined.

For any request for information that is not a direct request from the client or participant, a new authority consent form must be sighted and be signed within the last 12 months of the request. 

For further guidance relating to the disclosure of information, please refer to the Records Request and Subpoena Procedure available on the Arriba Group Intranet.

CHILDREN AND YOUNG PEOPLE:

The Privacy Act 1988 (Privacy Act) protects an individual’s personal information regardless of their age. An individual under the age of 18 has the capacity to consent if they have the maturity to understand what is being proposed. This is assessed on a case-by-case basis. If LiveBig are unsure of the person’s ability to consent, then the consent from a parent or guardian might be sought.

PROVISION OF A TELEHEALTH SERVICE

Where appropriate, LiveBig services may be provided by telephone or videoconferencing. Clients/participants are responsible for setting up the technology needed so they can access telehealth services. The LiveBig employee providing services can assist with this if required. LiveBig will be responsible for the cost of the call and the cost associated with the platform used to conduct telehealth services.

To access telehealth services, clients/participants will be instructed that they require a quiet, private space; an appropriate device, i.e. smartphone, laptop, iPad, computer, with a camera, microphone, and speakers; and a reliable internet connection.

The privacy of any form of communication via the internet is potentially vulnerable and limited by the security of the technology used. To support the security of personal information, LiveBig uses MS Teams technology which is compliant with the Australian standards for online security and encryption.

LiveBig will ensure we obtain permission and approval before recording any material via telehealth or otherwise, including taking photographic images, video, or audio for the purpose of observation and assessment. Any recorded material will be kept private and confidential and will be destroyed once LiveBig has completed the assessment and formulated the relevant documentation required. 

Limitations of Telehealth

A telehealth consultation may be subject to limitations such as an unstable network connection which may affect the quality of services. In addition, there may be some services for which telehealth is not appropriate or effective. LiveBig will consider and discuss with clients and participants the appropriateness of ongoing telehealth sessions.

Data Security

LiveBig will take all reasonable steps to protect the security of personal and sensitive information collected.  This includes measures to protect electronic materials and materials stored and generated in hard copy.

LiveBig store sensitive and confidential information developed on our security-controlled database.  This database enables LiveBig to lock access to various users, as deemed appropriate regarding the nature of information and purpose for which that information has been obtained.

LiveBig operate within a secure and encrypted network that cannot be accessed by external stakeholders.  LiveBig further operates as a paperless office where possible.  However, if confidential or sensitive information is in written format on paper, this information is discarded using a secure paper removal and destruction process once no longer required.

GROUP WEBSITE – Use of Cookies

What Cookies Are

The LiveBig website uses cookies. Cookies are small text files stored in your web browser that allow LiveBig to measure and make your browsing experience more efficient. Cookies might be used for the following purposes:

  • To enable certain functions

  • To provide analytics

  • To store your preferences

  • To personalise content and Ads

  • To enable ad delivery and behavioural advertising.

Cookies cannot read data from your hard drive or read cookie files that may have been created from another website. Cookies expire after a certain amount of time.

Third Parties Cookies on Group Website 

Third-party companies such as Analytics companies, social media and ads networks, etc. use cookies. They may use that information to build a profile of your activities on our website and other websites that you've visited. 

Cookies Options and Preference Update 

People can change and update their cookie consent by clicking here. If you do not want your browser to accept cookies, you can modify your browser’s settings. You can also delete cookies that have already been set from your browser’s settings. Please note that, if you do not allow cookies or delete them, some features and services might not be accessible, and some web pages might not display properly.

Surveillance-CCTV

Surveillance such as CCTV cameras will be installed in the workplace, where safety risks are deemed moderate to high. For example, in remote locations where services are provided to high-risk client groups.

The purpose of the CCTV cameras is to ensure the safety and security of all employees. As an Employer, LiveBig aims to take proactive action to ensure all employees are safe and feel safe in their working environment.

You may consult with your manager or LiveBig therapist regarding any concerns about surveillance. All cameras are visible and will not be placed in bathrooms or change rooms.

Surveillance may be conducted at any time, in accordance with the Privacy Act 1988.

Please note LiveBig reserves the right to refer to any surveillance footage during a disciplinary meeting.

Access and Correction

The individual may request access to any personal information directly relating to them that has been developed and held by LiveBig.  Only information pertinent to that individual will be disclosed. 

In most cases, a summary of personal information such as name, address, contact telephone numbers, reports developed by LiveBig, emails sent/received, and service delivery notes can be made available to the individual by making an application in writing to LiveBig.

If the individual is able to establish that the information is not accurate, complete, and up to date, LiveBig will take reasonable steps to correct the information so that it is accurate, complete and up to date.

Should it be deemed necessary to refuse access or correction to an individual’s information, LiveBig will provide reasons for denial of access or a refusal to correct personal information.  LiveBig may refuse an individual access to personal information in a number of circumstances such as where the information may be related to existing or anticipated legal proceedings, where access to the information could result in potential harm to the individual’s physical or mental wellbeing, where denying access is required or authorised by law, or where the request for access is regarded as frivolous or vexatious.

LiveBig is required by law to retain personal information for a period of time after an individual has ceased any relationship with us.  After the required time has passed, LiveBig archive case files on our secure and access-controlled network database.

For information which has been requested, a fee may be charged to cover the cost of retrieval and the supply of this information. All requests for access to personal information will be handled as quickly as possible and LiveBig shall endeavour to process any request for access within 30 days of having received the request.  Some requests for access may take longer than 30 days to process depending upon the nature of the personal information being sought, and this should be communicated to the requesting party.

Breaches in Confidentiality

It is an offence under the Social Security (Administration) Act 1999 for a person to intentionally obtain, make a record of, disclose to any other person, or otherwise use protected information if the person: is not authorised by or under the Social Security Law to do so; knows, or ought reasonably to know, that the information is Protected Information.  This means that LiveBig’s personnel may commit a criminal offence if they:

  • Search for or access Protected Information where not authorised.

  • Make copies of Protected Information where not authorised.

  • Disclose Protected Information to other staff or third parties who do not need to know that information.

  • Otherwise use Protected Information where not permitted.

A breach in confidentiality relates to a Notifiable Data Breach that is likely to cause serious harm to an individual or individuals impacted by that privacy breach following unauthorised access, disclosure and/or loss of personal information.  Where a breach in confidentiality has been identified, the Manager will undertake the following activities within 24 hours:

  • Notify the impacted party/parties immediately of any threatened or actual privacy events; and

  • Consider and action all reasonable requests and directions from the interested parties.

  • Where notifiable data breaches have occurred, the Manager will assess the impact on interested parties and, in negotiation with the related parties, determine if the breach constitutes a requirement to notify the Privacy Commissioner at the Office of the Australian Information Commissioner (OAIC). Notifying the OAIC will be completed by the Legal and Risk team.

The Group CEO and/or LiveBig CEO will work with the Manager to consider whether to notify the Privacy Commissioner. The outcome for notification is determined if the following 3 criteria are satisfied:

  • There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds.

  • This is likely to result in serious harm to one or more individuals, and

  • The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

Where LiveBig has informed the OAIC, we will cooperate and notify impacted parties of the breach in relation to the assessment and reporting of a breach to the OAIC and notification to impacted customers.

Complaints

If the individual requires additional information or has any complaints about the privacy practices of LiveBig, individuals may contact our Privacy Officers to lodge a formal complaint. 

The Arriba Group Privacy Officers are Senior Managers within the Legal and Risk team, including:

  • Christina Abufhele: Head of Quality and Compliance

Privacy officers can be contacted in the following methods:

Phone: 1800 864 970

Email: [email protected]

Contact details for the Privacy Officer have been placed on the Arriba Group’s respective business’ websites as of March 2022.

Should the individual not be satisfied with the outcome of the internal privacy complaint process, the individual may contact the following external entities:

Office of the Australian Information Commissioner

GPO Box 5218 SYDNEY NSW 2001 | www.oaic.gov.au

Privacy Commissioner

GPO Box 5218 Sydney NSW 2001 | Privacy Hotline: 1300 363 992 | Telephone: (02) 9284 9800 | Fax: (02) 9284 9666

Unsuccessful Job Applicants

In preserving the privacy of unsuccessful candidates by destroying records, it is difficult to prove a fair process.  Consequently, the practice outlined below is to be generally followed as part of the recruitment process. Applications and associated documentation will be held for a reasonable period of time after a position is filled, unless the candidate requests the information be filed in the event of other positions arising with the company.  If any dispute arises, both parties will have relevant evidence to refer to.  Candidates have the right to withdraw or ask for special treatment of their personal information if they do not agree with this stated practice.

Procedure

Suspected or actual privacy breach identified / reported.

IMMEDIATE RESPONSE REQUIRED

  1. Employee to immediately notify the Manager of the specific team that a privacy breach occurred or is suspected.

  2. Employee and Manager to immediately contact stakeholders in receipt of unauthorised information and request the unauthorised information to be deleted/destroyed. Request confirmation of the information being destroyed. This includes deleting information from a deleted email folder.

  3. Manager or employee to notify the impacted stakeholder of the privacy breach. This might include the client and the referring parties. It is the Manager’s discretion to determine the appropriateness of whether the employee or the manager notifies the impacted party. The Manager might determine an experienced employee is competent to manage the communications, whereas a new employee on probation might not have the experience to undertake this form of communication.

DOCUMENTING THE DATA BREACH

Within 4 hrs, Manager must complete the following actions:

  1. Complete the Notifiable Data and Privacy Breach Form available on the intranet. This will include undertaking an investigation of how the privacy breach occurred and implementation of immediate remedial actions.

  2. Notify the Privacy Officers via the Privacy inbox and email completed Notifiable Data and Privacy Breach Form.

  3. Notify the relevant CRM/BDM if applicable, and email completed Notifiable Data and Privacy Breach Form.

SEVERITY ESCALATION

  1. Privacy Officers will review the Notifiable Data and Privacy Breach Form and determine the hierarchy of escalation that is required due to the severity of the data and privacy breach.

  2. Escalation may require notification to the relevant CEO, or OAIC.

 
