Effective from August 2021
Approved by: Chief Executive Officer
At a glance
This policy outlines the information handling practices of Five Good Friends.
Scope
This policy applies to Members, Stakeholders, Helpers, Employees, Contractors, Third Party Providers and Directors.
Objective
The objective of this policy is to provide individuals with a more complete understanding of the sort of information that Five Good Friends collects and holds, and the way we handle that information.
Definitions
- Personal Information – as defined by the Privacy Act 1988 is information or an opinion about an individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not.
- Sensitive Information – a subset of personal information, defined as:
  - information or opinion (that is also personal information) about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices, or criminal record
  - health information about an individual
  - genetic information
  - biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and
  - biometric templates.
Policy Statement
Five Good Friends recognise the privilege you give us when you entrust us with your personal information. We are committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. We use all reasonable efforts to protect the privacy of your personal information and to comply with the obligations imposed by the Privacy Act 1988 (Cth), the Australian Privacy Principles, state privacy legislation, the Aged Care Quality Standards, and the NDIS Practice Standards.
The type of information collected relates to the type of relationship you have with Five Good Friends (Member, Helper, Authorised Representative, Employee, Contractor, Third Party Provider) and the primary purpose for which this information is required (provision of services, help in the home, technology, or engagement of other services).
When we collect, use, or disclose your personal information we will seek your consent, such as when you sign up to become a Member, register to become a Helper, or use our websites. The only times we may use or disclose your personal information without your consent are in an emergency, or when we are required to by law. If this happens, we will notify you unless we are prevented from doing so. We will never sell your personal information and when we send you marketing communications, we will include details of how to opt-out.
All our employees and Helpers are bound by a Code of Conduct to maintain the confidentiality of your personal information. We follow best practices to secure your personal information such as requiring our employees to use a password manager along with a second factor of authentication. We use best practices to store your personal information such as encrypting your data when it is transmitted and encrypting your data when it is stored at rest. We log access to our systems so we can verify that no unauthorised access has taken place. We store your personal information in controlled facilities located in Australia and the United States of America.
You can use our apps and websites to access your personal information and you can make a request to us to correct it. You can also make a request for us to erase your personal information and if allowed by law, we will honour your request.
You are encouraged to provide feedback about this policy or make a complaint if you become aware of a breach of this policy. If we become aware of a data breach that includes your personal information, we will notify you of the breach and of what we have done to remediate it.
How we use and manage information
Collection
We collect personal information directly from you (or your nominated representative) when you sign up to become a Member, register to become a Helper, or register to become a Third Party Provider. We also collect personal information about you when you use our apps or websites.
With your consent we will sometimes collect personal information about you (including sensitive information such as health information and criminal records) from third parties such as nominated representatives, Members, Helpers, health professionals (e.g. Allied Health, GP), government agencies (e.g. My Aged Care, NDIS Quality and Safeguards Commission), law enforcement agencies (e.g. state police), product suppliers, and other service providers (e.g. trades people).
Typical examples of the types of personal information that we collect:
If you are a Member:
- Full name and preferred name
- Contact details (email, telephone)
- Address
- Date of birth
- Government agency identities such as My Aged Care ID (only if you are being funded through the Commonwealth Government aged care funding)
- Billing information such as bank account or credit card details
- Sensitive information such as care plans, support plans, and other health or medical documents (only if you choose to provide this to us)
- Other sensitive information you would like us to consider when matching you to Helpers (only if you choose to provide this to us)
- Observations about you such as changes to your health from your Care Team, Helpers, nominated/authorised representatives and friends
- Metrics from devices such as Umps or Eevi (only if you choose to connect these devices to us)
- Progress notes such as documenting changes to your care products and services and outcomes of conversations with your Care Team
If you are an Authorised Representative, Billing Recipient or Sharer:
- Full name and preferred name
- Contact details (email, telephone)
- Address (only if we are delivering care products to you on behalf of a Member)
If you are a Helper:
- Full name and preferred name
- Business name
- Australian Business Number (ABN)
- Contact details (email, telephone)
- Address
- Date of birth
- Background checks such as National Police Check, NDIS Worker Screening Check, Working With Children Check, Blue Card (only if you are providing services which require these checks)
- Driver’s licence (only if you are providing community access services)
- Qualification checks such as proof of enrolment or proof of attainment (only if you are providing services which require these checks)
- Bank account details
- Immunisation information (history, any exemptions and other information), only if you disclose this information to us
If you are a Registered Third Party Provider or Approved Contractor:
- Business name
- Australian Business Number (ABN)
- Contact details (email, telephone)
- Address
- Background checks or registry equivalent (if you will be providing services to our Members)
- Financial information such as relevant insurance policies held (if you will be providing services to our Members)
If you use our apps or websites:
- IP Address
- User Agent
- Cookies
- Pages/screens visited and the date and time they were visited
- Referring website addresses
If you read our marketing emails:
- Date and time they were read
We will not collect any other personal information from you or about you, unless you consent to the collection of this personal information.
Use and disclosure
We use your personal information to:
- Provide you with care management, products and services if you are a Member (or a nominated representative).
- Allow you to provide care products and services to our Members if you are a Helper or Registered Third Party Provider.
- Assist you with your queries, feedback, complaints, or troubleshooting devices you have connected to us.
- Comply with legal or regulatory obligations imposed on us.
- Improve our products and services, conduct internal audits, compile internal performance reports, and monitor our marketing campaigns.
If you are receiving products or services we disclose your personal information to Helpers and Registered Third Party Providers when you consent to receive products or services from them. We only disclose the personal information required to fulfil this product or service. All Helpers and Third Party Providers are vetted, verified, and bound to respect the privacy of your personal information.
If you are a Member receiving services, these are typical examples of the types of personal information we disclose:
Helper (care services):
- Full name, address, contact details, Help Plan (including relevant medical history)
Health professional (health services):
- Full name, contact details, address, date of birth, Help Plan (including relevant medical history and medical documents), progress notes
Product supplier (products):
- Full name, contact details, address
Service provider (services):
- Full name, contact details, address
Authorised Representative:
- Full name, address, contact details, Help Plan (including relevant medical history), schedule
Billing Recipient:
- Financial statements and transactions
Sharers:
- Full name, schedule
If you are a Helper providing services, these are typical examples of the types of personal information we disclose:
Member:
- Full name, contact details, background checks, immunisation information for matching with Members
Authorised Representative:
- Full name, contact details, background checks, immunisation information for matching with Members
Billing Recipient:
- Full name, as it appears on the monthly statement and transaction history
Overseas disclosure
We will not disclose your personal information to people outside of Australia unless you provide consent. An example of when we could disclose your information to someone outside of Australia is if you have a family member who resides overseas and you would like them to be nominated as a Sharer or Authorised Representative. If consent is given for disclosure and the overseas recipient handles the information in breach of the Australian Privacy Principles, Five Good Friends will not be held accountable under the Privacy Act and the person who gave consent for the disclosure will not be able to seek redress under the Privacy Act.
Additional information - disclosure
If you are a Helper we disclose your personal information to Members, their nominated representatives and other Helpers matched to the same Member as you when you consent to be matched to a Member. We only disclose your full name, contact details, the types of background checks that you have, and immunisation history to meet matching criteria. This is so the Member and the other Helpers matched to the Member can liaise directly with you about the services you are providing. Members and other Helpers are bound to respect the privacy of your personal information.
We do not use or disclose your personal information for any other purposes unless you have consented to the use or disclosure; or we believe on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to your life, health or safety, or a serious threat to public health or public safety; or the use or disclosure is otherwise required or authorised by law. We will notify you when this happens unless we are prevented from doing so.
We do not sell, rent, or lease your personal information. We may, from time to time, contact you on behalf of an external business partner about a particular offering that may be of interest to you. In those cases we never give your personal information to the business partner and we provide you with details on how to opt-out of future offerings.
Access and correction
In most cases you can gain access to your personal information held by us, including your health and medical information. You can use our apps or websites to access some of your information or you can make a request to access all of your personal information (See “Making a request”).
We will take reasonable steps to amend or correct your personal information to keep it accurate and up-to-date. You can make a request to correct your personal information (See “Making a request”).
Erasure
Five Good Friends will destroy personal information when it meets its legislative requirements.
You can make a request to have the personal information that we hold about you erased from our systems. However, if that information is required for legislative requirements, we may not be able to meet your request.
After we have erased your personal information from our systems it may still exist in backups until they are destroyed. If you request and are granted erasure, we will no longer be able to provide you with care management, products or services, or allow you to provide care products or services to our Members.
If we receive personal information that we have not solicited and we could not have obtained the information by lawful means, we will erase the information for you. We will take reasonable efforts to notify you if we do this.
Security and storage
We secure your personal information to ensure it is protected from loss, unauthorised access, modification, or disclosure.
Your personal information is encrypted via Transport Layer Security (TLS) when it is transmitted from our servers to your app or browser and when your data is transmitted between our systems. Your personal information is encrypted via AES-256 block-level storage when it is at rest (e.g. databases, files, and backups). Your personal information is physically secured in controlled facilities that are located in Australia and the United States of America.
Our employees and contractors are bound by a Code of Conduct to maintain the confidentiality of your personal information. Our employees follow best practices such as using a password manager with a second factor of authentication (when available) to gain access to the systems they are authorised to use. We can remotely revoke an employee’s access to our systems if their devices become lost, stolen, or compromised. All the contents of our employees’ devices are encrypted and their devices require a passcode to access.
Helpers and Third Party Providers are bound by a Brokerage Agreement to maintain the confidentiality of your personal information. We can remotely revoke a Helper’s access to our systems if their device becomes lost, stolen, or compromised. Helpers configure their devices so they require a passcode to access. Third Party Providers do not use our systems.
We log the last 30 days of access to our systems by user (or IP address) so we can verify that no unauthorised access has happened.
Apps, websites and cookies
We use cookies in our apps and websites to keep you logged in after you have logged in with your credentials. We also use cookies in our websites to monitor our marketing campaigns. Some of these cookies are ours and some of these cookies are installed by third party subprocessors. Our agreements with these subprocessors ensure this information is only used to carry out functions on our behalf and the confidentiality of your personal information is maintained.
Most browsers are pre-set to accept cookies to enable full use of websites that employ them. However, if you do not wish to receive any cookies on your browser you may configure your browser to reject them or receive a warning when cookies are being used. This will mean you will not be able to log into your account. You will still be able to access information-only pages.
Emails and tracking pixels
We use tracking pixels in our marketing emails to monitor our marketing campaigns. We do not use tracking pixels in any other emails.
Most email clients are pre-set to load images. However, if you do not wish to be tracked you may configure your email client to deny images or prompt you to load images at your discretion. This will mean you may not be able to see any images we send you. You will still be able to see text content.
Making a request
You can make a request about the personal information we hold about you by completing our complaints and feedback form, or calling us on 1300 787 581.
If you are deaf or have a hearing or speech impairment, contact us through the National Relay Service:
- TTY users phone 1800 555 677, then ask for 1300 787 581
- Speak and listen users phone 1800 555 727, then ask for 1300 787 581
- Internet relay users connect to the relay service at http://www.iprelay.com.au/call/index.aspx, then ask for 1300 787 581
If you do not speak English, or English is your second language, and you need assistance to communicate with us, call 131 450 then ask for 1300 787 581.
For security reasons we will require you to provide proof of your identity and, if you are not the person the information relates to, the legal authority under which you can request the information (e.g. Enduring Power of Attorney, Guardianship Order, Letters of Administration). This is necessary to ensure that personal information is provided only to the correct individual and that the privacy of others is not undermined.
We will take all reasonable steps to provide access or the information requested within 30 days of your request. In situations where the request is complicated or requires access to a large volume of information, we will take all reasonable steps to provide access to the information requested within 45 days.
Further detail regarding how requests are handled is outlined in our Privacy Workflow.
Privacy feedback or complaints
You are encouraged to provide feedback about this policy or make a complaint if you know of a breach of this policy by completing our complaints and feedback form, or calling us on 1300 787 581. We will promptly investigate your feedback or complaint and notify you of the outcome.
If you are not satisfied with the response provided by us, you may refer your complaint directly to one of the agencies below:
Office of the Australian Information Commissioner
Mail:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Website: http://www.oaic.gov.au/privacy/making-a-privacy-complaint
Phone: 1300 363 992
Aged Care Quality and Safety Commission
Website: https://www.agedcarequality.gov.au/making-complaint
Phone: 1800 550 552
NDIS Quality and Safeguards Commission
Website: https://www.ndiscommission.gov.au/about/complaints
Phone: 1800 035 544
Changes to this policy
From time to time, it may be necessary for us to review our Privacy Policy and the information contained in this policy. A current version of this Policy is always available on our website.
References and Related Documents
Five Good Friends
External
- Privacy Act 1988 (Cth)
- NDIS Practice Standards
- Aged Care Quality Standards